Re: Adding new subnet to ASA5512 issues

KCMM14457 · ‎03-03-2020

Hello,

Im trying to get a new subnet setup on my ASA5512. I've created the object group and put in the subnet. But when sitting up the NAT rule- nat (inside,outside) dynamic NAT+PAT - its not showing up on the new objects I created.

Is there something missing? Any help would be great.

Thank you,

Rob Ingram · ‎03-03-2020

Hi,

What exactly did you configure?

Below is an example of what I assume you require, this will NAT the local network behind the outside interface.

object network NET1
 subnet 192.168.10.0 255.255.255.0
 nat (inside,outside) dynamic interface

Which should appear as below:-

ASA-DC-1/pri/act(config-network-object)# show nat detail
Manual NAT Policies (Section 1)

Auto NAT Policies (Section 2)
1 (INSIDE) to (OUTSIDE) source dynamic NET1 interface
translate_hits = 0, untranslate_hits = 0
Source - Origin: 192.168.10.0/24, Translated: 1.1.1.1/24

HTH

KCMM14457 · ‎03-03-2020

Yes I have something like that already:
object network NET1
subnet 192.168.10.0 255.255.255.0
nat (inside,outside) dynamic NAT+PAT

when I try to add:
object network NET5
subnet 10.10.130.0 255.255.254.0
nat (inside,outside) dynamic NAT+PAT

the nat rule doesnt work. It just not there for the Obj NET5

Rob Ingram · ‎03-03-2020

Ok, so what is the configuration of NAT+PAT?
I assume you meant it doesn't show up under "show nat detail"?

KCMM14457 · ‎03-03-2020

Here is what we have for the NAT+PAT right now:
object network NAT_POOL
range 66.76.8.100 66.76.8.124
object network PAT
host 66.76.8.125
object-group network NAT+PAT
network-object object NAT_POOL
network-object object PAT

Correct when I enter cmd:
nat (inside,outside) dynamic NAT+PAT
It doesnt show up in the "show nat detail"

Rob Ingram · ‎03-03-2020

Ok, I copied and pasted your configuration, that worked in my lab using ASA 9.12(3).

Auto NAT Policies (Section 2)
1 (INSIDE) to (OUTSIDE) source dynamic NET1 NAT+PAT
translate_hits = 0, untranslate_hits = 0
Source - Origin: 192.168.10.0/24, Translated: 66.76.8.100/30, 66.76.8.104/29, 66.76.8.112/29, 66.76.8.120/30
66.76.8.124/32, 66.76.8.125/32

What ASA code are you using? Potentially a bug

HTH

KCMM14457 · ‎03-03-2020

Yea im not sure its something im doing wrong on my config or is there a limit to how many subnets I can add to a obj group for nat.

Where would i find ASA code?

Rob Ingram · ‎03-03-2020

"show version"

KCMM14457 · ‎03-03-2020

Cisco Adaptive Security Appliance Software Version 8.6(1)2
Device Manager Version 6.6(1)

Compiled on Fri 01-Jun-12 02:16 by builders
System image file is "disk0:/asa861-2-smp-k8.bin"
Config file at boot was "startup-config"

Hardware: ASA5512, 4096 MB RAM, CPU Clarkdale 2793 MHz, 1 CPU (2 cores)
ASA: 2048 MB RAM, 1 CPU (1 core)
Internal ATA Compact Flash, 4096MB
BIOS Flash MX25L6445E @ 0xffbb0000, 8192KB

Encryption hardware device : Cisco ASA-55xx on-board accelerator (revision 0x1)
Boot microcode : CNPx-MC-BOOT-2.00
SSL/IKE microcode : CNPx-MC-SSL-PLUS-0014
IPSec microcode : CNPx-MC-IPSEC-MAIN-0014
Number of accelerators: 1
Baseboard Management Controller (revision 0x1) Firmware Version: 2.4

0: Int: Internal-Data0/0 : address is 4c00.821d.e2aa, irq 11
1: Ext: GigabitEthernet0/0 : address is 4c00.821d.e2ae, irq 10
2: Ext: GigabitEthernet0/1 : address is 4c00.821d.e2ab, irq 10
3: Ext: GigabitEthernet0/2 : address is 4c00.821d.e2af, irq 5
4: Ext: GigabitEthernet0/3 : address is 4c00.821d.e2ac, irq 5
5: Ext: GigabitEthernet0/4 : address is 4c00.821d.e2b0, irq 10
6: Ext: GigabitEthernet0/5 : address is 4c00.821d.e2ad, irq 10
7: Int: Internal-Data0/1 : address is 0000.0001.0002, irq 0
8: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 0
9: Int: Internal-Data0/2 : address is 0000.0001.0003, irq 0
10: Ext: Management0/0 : address is 4c00.821d.e2aa, irq 0

Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 50 perpetual
Inside Hosts : Unlimited perpetual
Failover : Disabled perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
Security Contexts : 0 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : 250 perpetual
Other VPN Peers : 250 perpetual
Total VPN Peers : 250 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Enabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
IPS Module : Disabled perpetual

This platform has a Base license.

Rob Ingram · ‎03-03-2020

Well you are running a really old version - v8.6(1)2.

Are you already using this nat+pat configuration? If not it may not support it on such an old version, I'd consider upgrading regardless. Your ASA 5512 hardware will support up to the latest version.

KCMM14457 · ‎03-03-2020

Yes i am on at least 7 other subnets. The new ones im adding just wont accept the nat rule.

Im working on upgrading to a new ASA.

Rob Ingram · ‎03-03-2020

Ok, if you are configuring exactly the same as your existing objects, then it should work on that version.
You should consider logging a call with TAC...but they will probably recommend you upgrade to a supported version though. So I suggest you do that.

In the meantime, consider modifying your nat rule to nat behind a single IP address.

KCMM14457 · ‎03-03-2020

okay so I deleted one of the nat rules on a obj its working on and adding to the one its not and it took it. So it looks like there is a limit to how many I can add