Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
421
Views
0
Helpful
3
Replies

ASA 5515 static nat w/port translation+dynamic PAT

Dmitry Kolpakov
Level 1
Level 1

‎03-14-2016 11:13 PM - edited ‎03-12-2019 12:29 AM

Hi, sorry for newbie question, just started to learn ASA.

Is it possible on ASA (9.0) to make a static nat with port translation for one internal server (publish dns, smtp) and dynamic PAT for other internal users, using only one public address? Can it be configured using network object NAT, or I shall start using twice NAT? Thanks.

Labels:
0 Helpful
3 Replies 3

Aditya Ganjoo
Cisco Employee
Cisco Employee

‎03-14-2016 11:24 PM

Hi Dmitry,

Yes it is possible.

For static PAT :

http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/firewall/asa_91_firewall_config/nat_objects.html#pgfId-1106703

The following example configures static NAT for the real host 10.1.1.1 on the inside to 10.2.2.2 on the outside with DNS rewrite enabled.
ciscoasa(config)# object network my-host-obj1
ciscoasa(config-network-object)# host 10.1.1.1
ciscoasa(config-network-object)# nat (inside,outside) static 10.2.2.2 dns

The following example configures static NAT for the real host 10.1.1.1 on the inside to 10.2.2.2 on the outside using a mapped object.
ciscoasa(config)# object network my-mapped-obj
ciscoasa(config-network-object)# host 10.2.2.2

ciscoasa(config-network-object)# object network my-host-obj1
ciscoasa(config-network-object)# host 10.1.1.1
ciscoasa(config-network-object)# nat (inside,outside) static my-mapped-obj

The following example configures static NAT-with-port-translation for 10.1.1.1 at TCP port 21 to the outside interface at port 2121.
ciscoasa(config)# object network my-ftp-server
ciscoasa(config-network-object)# host 10.1.1.1
ciscoasa(config-network-object)# nat (inside,outside) static interface service tcp 21 2121

For dynamic PAT you can use this statement:

ciscoasa(config)# object network my-inside-net
ciscoasa(config-network-object)# subnet 192.168.2.0 255.255.255.0
ciscoasa(config-network-object)# nat (inside,outside) dynamic 10.2.2.2

Regards,

Aditya

Please rate helpful posts.

0 Helpful

Dmitry Kolpakov
Level 1
Level 1
In response to Aditya Ganjoo

‎03-15-2016 06:23 AM

Thanks, Aditya

May I ask one more question? I want to nat only several hosts in network. Documentation said that I can use network object or network object group. So I'v tried:

object-group network MY_HOSTS

network-object host 192.168.1.1

network-object host 192.168.1.2

But "nat (inside,outside) dynamic" command not available in object-group configuration mode. What is the best way to do this? Create object network and do nat for every desired host? Thanks.

0 Helpful

Aditya Ganjoo
Cisco Employee
Cisco Employee
In response to Dmitry Kolpakov

‎03-15-2016 11:54 AM

Hi Dmitry,

You can create a manual NAT statement for this:

nat (inside,outside) source dynamic MY_HOSTS interface.

Regards,

Aditya

Please rate helpful posts.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card