Adding Dynamic Policy NAT to ASA

mahesh18
Level 6

Hi Everyone,

ASA 8.2 is configured with this

Current config 

nat (inside) 1 0.0.0.0 0.0.0.0

global (outside) 1 192.x.x.x netmask 255.255.255.255

global (DMZ64) 1 192.x.x.x netmask 255.255.255.255

I need to configure 3 specific subnets for users behind the inside interface, going out to the internet via the outside interface, so that when they access one particular vendor website they get dynamic PAT to one public PAT IP.

Here is my config for users on the subnets 10.10.20.0, 10.10.30.0 and 10.10.40.0

New config for users behind the 10.10.20, 30 and 40 subnets

access-list Traffic_PAT permit ip 10.10.20.0 255.255.255.0 host 205.x.x.x

access-list Traffic_PAT permit ip 10.10.30.0 255.255.255.0 host 205.x.x.x

access-list Traffic_PAT permit ip 10.10.40.0 255.255.255.0 host 205.x.x.x

nat (inside) 2 access-list Traffic_PAT

global (outside) 2 206.x.x.x netmask 255.255.255.255

If I go this way, then all the traffic will hit nat order 1 and not hit nat 2.

To make this work, I will delete the current nat 1 and global 1 config and make the new subnets nat 1 and global 1,

and make the current nat 1 and global 1 into nat 2 and global 2, right?

Regards

Mahesh

5 Replies

Philip D'Ath
VIP Alumni

Why don't you change all the references to NAT group "1" to say "10"?

Hi Philip,

So you mean to say that for the config below

nat (inside) 1 0.0.0.0 0.0.0.0

global (outside) 1 192.x.x.x netmask 255.255.255.255

global (DMZ64) 1 192.x.x.x netmask 255.255.255.255

I should go to the ASA and type

nat (inside) 10 0.0.0.0 0.0.0.0

global (outside) 10 192.x.x.x netmask 255.255.255.255

global (DMZ64) 10 192.x.x.x netmask 255.255.255.255 ?

and make the new one nat group 1?

Regards

Mahesh

First remove the old config, then add the new config above.

So I can remove all the old config with nat and global group 1.

After that, I add the new config with nat and global group 1.

Then I add the old config, which had nat and global group 1, as group 2 now, right?

Hi

If you don't want to remove your configs, just follow this.

object-group network LAN-USERS
network-object 10.10.20.0 255.255.255.0
network-object 10.10.30.0 255.255.255.0
network-object 10.10.40.0 255.255.255.0

access-list Traffic_PAT permit ip object-group LAN-USERS host 205.x.x.x


Objective - 1
To NAT all other traffic

global (outside) 1 192.x.x.x netmask 255.255.255.255
nat (inside) 1 0.0.0.0 0.0.0.0

Objective - 2
To NAT three subnets

global (outside) 2 206.x.x.x netmask 255.255.255.255 (Define the available public IP that will be used by the LAN subnets when users access 2)
nat (inside) 2 access-list Traffic_PAT

Try this; if it is still not working, then share the output of this command:

packet-tracer input inside icmp 10.10.20.20 8 0 205.x.x.x
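To show why the two NAT IDs can coexist without touching the existing nat 1 / global 1 lines, here is an added example (not from this thread or from Cisco) that models the ASA 8.2 rule order, in which policy dynamic NAT (nat with an access-list) is checked before regular dynamic NAT, and plays the packet-tracer style lookup against the config from the answer above. The 192.0.2.1, 198.51.100.1 and 203.0.113.10 addresses are constructed placeholders standing in for the masked 192.x.x.x, 206.x.x.x and 205.x.x.x values.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed placeholders (RFC 5737 documentation ranges) for the masked
# addresses in the thread: global 1, global 2, and the vendor host.
DEFAULT_PAT_IP = "192.0.2.1"     # global (outside) 1 192.x.x.x
VENDOR_PAT_IP = "198.51.100.1"   # global (outside) 2 206.x.x.x
VENDOR_HOST = "203.0.113.10"     # host 205.x.x.x in access-list Traffic_PAT

# object-group network LAN-USERS from the answer above
LAN_USERS = [ipaddress.ip_network(n)
             for n in ("10.10.20.0/24", "10.10.30.0/24", "10.10.40.0/24")]


@dataclass
class NatRule:
    nat_id: int
    global_ip: str
    real_nets: List[ipaddress.IPv4Network]
    acl_dest: Optional[str] = None   # set only for policy NAT (nat ... access-list)


# nat (inside) 1 0.0.0.0 0.0.0.0  and  nat (inside) 2 access-list Traffic_PAT
RULES = [
    NatRule(1, DEFAULT_PAT_IP, [ipaddress.ip_network("0.0.0.0/0")]),
    NatRule(2, VENDOR_PAT_IP, LAN_USERS, acl_dest=VENDOR_HOST),
]


def lookup(src_ip: str, dst_ip: str, rules=RULES) -> Optional[Tuple[int, str]]:
    """Return (nat_id, global_ip) the ASA 8.2 order would pick for a flow."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    policy = [r for r in rules if r.acl_dest is not None]
    regular = [r for r in rules if r.acl_dest is None]
    # 1. Policy dynamic NAT: ACL match (source net + destination host), config order.
    for r in policy:
        if any(src in n for n in r.real_nets) and dst == ipaddress.ip_address(r.acl_dest):
            return r.nat_id, r.global_ip
    # 2. Regular dynamic NAT: longest matching real-address prefix wins.
    best = None
    for r in regular:
        for n in r.real_nets:
            if src in n and (best is None or n.prefixlen > best[0].prefixlen):
                best = (n, r)
    return None if best is None else (best[1].nat_id, best[1].global_ip)


if __name__ == "__main__":
    print(lookup("10.10.20.20", VENDOR_HOST))   # vendor traffic -> nat 2
    print(lookup("10.10.20.20", "203.0.113.99"))  # anything else -> nat 1
```

The model is a simplification: it ignores nat 0 exemption and static rules, which the real ASA checks before either dynamic type.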
