03-06-2011 08:15 AM - edited 03-11-2019 01:01 PM
Alright folks, I'm new to the ASAs... I'm familiar with the FWSMs on 6500s and PIX...
I'm running Version 8.3(2) and I wanted to set up nat-control and use identity NATs for advertising inside subnets to my outside networks.
The old command was static (inside,outside) 10.x.x.x 10.x.x.x netmask 255.255.255.x
I'm having a little difficulty deciphering the PDF about the static NAT... the command itself is no longer used, nat-control is no longer used, but I'm not quite sure what the equivalent nat command is that equates to the old static inside,outside command...
Any clarification anybody could provide would be great...
Thanks
03-06-2011 08:37 AM
Bruce,
Please take a look here:
http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html
In version 8.3 static identity NAT is treated as any other static command.
Example:
Old Command:
static (inside,outside) 10.1.1.6 10.1.1.6 netmask 255.255.255.255
Migrated Configuration:
object network obj-10.1.1.6
host 10.1.1.6
nat (inside,outside) static 10.1.1.6
Hope it helps.
Federico.
03-06-2011 08:54 AM
Thanks Federico
I did come across this doc and am working with the config you refer to...
So, what I have is as follows:
Outside interface 10.1.1.1 /24
Inside1 interface 10.10.10.0 /24
Inside2 interface 10.2.2.2 /24
So, what I did was the following:
object network DB_Subnet
 subnet 10.10.10.0 255.255.255.0
 nat (inside,outside) static DB_Subnet
This, I think, advertises 10.10.10.0 to the outside interface on my ASA, so as traffic enters the ASA on the outside interface it knows that inside1 answers for 10.10.10.0/24.
However, I tried to configure an additional identity NAT to advertise 10.10.10.0 to the Inside2 subnet, and it removed the original configuration for the outside advertisement identity NAT...
Old config would allow me to
static (inside1,outside) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
static (inside1,inside2) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
The intent being, traffic coming out of subnet behind inside2 would know that inside1 answers for 10.10.10.0 /24
Am I missing something?
03-06-2011 09:07 AM
I think the problem is that you can't have two object-groups with the same name.
You cannot have this:
object network DB_Subnet
 subnet 10.10.10.0 255.255.255.0
 nat (inside,outside) static DB_Subnet
object network DB_Subnet
 subnet 10.10.10.0 255.255.255.0
 nat (inside,inside2) static DB_Subnet
Because it will overwrite the first one.
You will need this:
object network DB_Subnet
 subnet 10.10.10.0 255.255.255.0
 nat (inside,outside) static DB_Subnet
object network DB_Subnet1
 subnet 10.10.10.0 255.255.255.0
 nat (inside,inside2) static DB_Subnet1
Note the name of the second object-group is different but refers to the same object (subnet 10.10.10.0/24)
Federico.
03-06-2011 09:11 AM
Lol...our emails are crossing...Yes, exactly....thank you for your responses...I appreciate your input on these...
bruce
03-06-2011 09:10 AM
Follow up.
So, I found if I create a second object, then apply that object to my nat statement, I can "nat" multiple times...
Example:
object network db-2-outside
 subnet 10.10.10.0 255.255.255.0
 nat (inside1,outside) static db-2-outside
object network db-2-app
 subnet 10.10.10.0 255.255.255.0
 nat (inside1,inside2) static db-2-app
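The rule that emerges from Federico's answer and Bruce's follow-up (one network object per interface pair, because re-entering an existing object name replaces its nat line instead of adding a second one) is easy to get wrong by hand on a large config. The following Python script is an added example written for this thread, not code from Cisco or from either poster: it parses pre-8.3 identity static lines, emits the 8.3 object/nat form with a unique object name per (address, interface pair), and flags any object name defined twice in a proposed config. The sample config, the obj-ADDRESS_REAL-MAPPED naming convention and the helper names are all assumptions made here.

```python
import re
from collections import Counter

# Constructed pre-8.3 config fragment (not from a real device). The first two
# lines are the two identity statics discussed in the thread; the third is the
# host-style example from the migration guide.
OLD_CONFIG = """\
static (inside1,outside) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
static (inside1,inside2) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
static (inside,outside) 10.1.1.6 10.1.1.6 netmask 255.255.255.255
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# Old syntax: static (real_if,mapped_if) mapped_ip real_ip netmask mask
STATIC_RE = re.compile(
    rf"^\s*static\s*\((?P<real_if>[\w-]+)\s*,\s*(?P<mapped_if>[\w-]+)\)\s+"
    rf"(?P<mapped>{IPV4})\s+(?P<real>{IPV4})\s+netmask\s+(?P<mask>{IPV4})\s*$",
    re.IGNORECASE,
)


def parse_statics(text):
    """Return one dict per old-style 'static' line; unrelated lines are ignored."""
    found = []
    for line in text.splitlines():
        m = STATIC_RE.match(line)
        if m:
            found.append(m.groupdict())
    return found


def object_name(real, real_if, mapped_if):
    # Hypothetical naming convention: encode the interface pair in the name so
    # two identity NATs for the same subnet can never collide on 'object network'.
    return f"obj-{real}_{real_if.lower()}-{mapped_if.lower()}"


def migrate_identity_statics(text):
    """Translate identity statics (mapped == real) to 8.3 object NAT.

    Returns (config_text, skipped). Non-identity statics are skipped, since they
    need a different mapped address and are not the case this thread is about.
    """
    lines, skipped = [], []
    for s in parse_statics(text):
        if s["mapped"] != s["real"]:
            skipped.append(s)
            continue
        name = object_name(s["real"], s["real_if"], s["mapped_if"])
        # A /32 becomes 'host', anything else becomes 'subnet addr mask'.
        member = (f" host {s['real']}" if s["mask"] == "255.255.255.255"
                  else f" subnet {s['real']} {s['mask']}")
        lines += [f"object network {name}", member,
                  f" nat ({s['real_if']},{s['mapped_if']}) static {name}"]
    return "\n".join(lines), skipped


def duplicate_objects(config_text):
    """Names of 'object network' blocks that appear more than once.

    On the ASA the second definition re-enters the same object, so its nat line
    replaces the first one instead of adding a second translation.
    """
    names = [m.group(1) for m in re.finditer(
        r"^\s*object network (\S+)", config_text, re.MULTILINE | re.IGNORECASE)]
    return sorted(n for n, c in Counter(names).items() if c > 1)


if __name__ == "__main__":
    new_cfg, skipped = migrate_identity_statics(OLD_CONFIG)
    print(new_cfg)
    print("skipped (non-identity):", skipped)
    print("duplicate object names:", duplicate_objects(new_cfg))
```

Running duplicate_objects() over a hand-written config before pasting it in catches exactly the overwrite Bruce hit: the two-block DB_Subnet example from Federico's post reports DB_Subnet as duplicated, while the DB_Subnet / DB_Subnet1 version reports nothing.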
03-06-2011 09:18 AM
Bruce,
Glad that it works now :-)
Please consider marking the thread as answered if you found it helpful.
Cheers!
Federico.
03-06-2011 09:37 AM
i clicked the "correct answer" button on your posts...i'm assuming that awards "points" for your responses, right?
03-06-2011 09:40 AM
That is correct!
Thank you very much Bruce.. that helps a lot for future reference.
Federico.