Solved: Re: asa 5580 identity nat

Bruce Summers · ‎03-06-2011

alright folks, i'm new with the asa's...i'm familiar with the FWSM's on 6500's and pix...

I'm running Version 8.3(2) and i wanted to setup nat-control and use of identify nats for advertising inside subnets to my outside networks.

the old command was static(inside,outside) 10.x.x.x 10.x.x.x netmask 255.255.255.x

i'm having a little difficulty decyphering the pdf about the static nat...the command itself is no longer used, nat-control is no longer used, but i'm not quite sure what the equivalent nat command is that equates to the old static inside,outside command...

any clarification anybody could provide would be great...

thanks

Federico Coto Fajardo · ‎03-06-2011

Bruce,

Please take a look here:

http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html

In version 8.3 static identity NAT is treated as any other static command.

Example:

Old Command:

static (inside,outside) 10.1.1.6 10.1.1.6 netmask 255.255.255.255

Migrated Configuration:

object network obj-10.1.1.6

host 10.1.1.6

nat (inside,outside) static 10.1.1.6

Hope it helps.

Federico.

View solution in original post

Federico Coto Fajardo · ‎03-06-2011

I think the problem is that you can't have two object-groups with the same name.

You cannot have this:

object network "DB_Subnet"
Subnet 10.10.10.0 255.255.255.0
Nat (inside,outside) static DB_Subnet

object network "DB_Subnet"
Subnet 10.10.10.0 255.255.255.0
Nat (inside,inside2) static DB_Subnet

Because it will overwrite the first one.

You will need this:

object network "DB_Subnet"

Subnet 10.10.10.0 255.255.255.0

Nat (inside,outside) static DB_Subnet

object network "DB_Subnet1"

Subnet 10.10.10.0 255.255.255.0

Nat (inside,inside2) static DB_Subnet1

Note the name of the second object-group is different but refers to the same object (subnet 10.10.10.0/24)

Federico.

View solution in original post

Federico Coto Fajardo · ‎03-06-2011

Bruce,

Glad that it works now :-)

Please consider marking the threat as answered if you found it helpful.

Cheers!

Federico.

View solution in original post

Federico Coto Fajardo · ‎03-06-2011

Bruce,

Please take a look here:

http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html

In version 8.3 static identity NAT is treated as any other static command.

Example:

Old Command:

static (inside,outside) 10.1.1.6 10.1.1.6 netmask 255.255.255.255

Migrated Configuration:

object network obj-10.1.1.6

host 10.1.1.6

nat (inside,outside) static 10.1.1.6

Hope it helps.

Federico.

Bruce Summers · ‎03-06-2011

Thanks Federico

I did come across this doc and am working with the config you refer to...

So, what I have is as follows:

Outside interface 10.1.1.1 /24

Inside1 interface 10.10.10.0 /24

Inside2 interface 10.2.2.2 /24

So, what I did was the following:

object network "DB_Subnet"

Subnet 10.10.10.0 255.255.255.0

Nat (inside,outside) static DB_Subnet

This, I think advertises the 10.10.10.0 to the outside interface on my asa so as traffic enters the asa on the outside interface, it knows that inside1 answers for 10.10.10.0/24

However, I tried to configure an additional identy nat to advertise the 10.10.10.0 to the Inside2 subnet, and it removed the original configuration for the outside advertisement identity nat..

Old config would allow me to

Static (inside1,outside) 10.10.10.0 10.10.10.0 netmask 255.255.255.0

Static (inside1,inside2) 10.10.10.0 10.10.10.0 netmask 255.255.255.0

The intent being, traffic coming out of subnet behind inside2 would know that inside1 answers for 10.10.10.0 /24

Am I missing something?

Federico Coto Fajardo · ‎03-06-2011

I think the problem is that you can't have two object-groups with the same name.

You cannot have this:

object network "DB_Subnet"
Subnet 10.10.10.0 255.255.255.0
Nat (inside,outside) static DB_Subnet

object network "DB_Subnet"
Subnet 10.10.10.0 255.255.255.0
Nat (inside,inside2) static DB_Subnet

Because it will overwrite the first one.

You will need this:

object network "DB_Subnet"

Subnet 10.10.10.0 255.255.255.0

Nat (inside,outside) static DB_Subnet

object network "DB_Subnet1"

Subnet 10.10.10.0 255.255.255.0

Nat (inside,inside2) static DB_Subnet1

Note the name of the second object-group is different but refers to the same object (subnet 10.10.10.0/24)

Federico.

Bruce Summers · ‎03-06-2011

Lol...our emails are crossing...Yes, exactly....thank you for your responses...I appreciate your input on these...

bruce

Bruce Summers · ‎03-06-2011

Follow up.

So, I found if I create a second object, then apply that object to my nat statement, I can "nat" multiple times...

Example: object db-2-outside

Subnet 10.10.10.0 /24

Nat (inside1,outside) static db-2-outside

Object db-2-app

Subnet 10.10.10.0 /24

Nat (inside1,inside2) static db-2-app

Federico Coto Fajardo · ‎03-06-2011

Bruce,

Glad that it works now :-)

Please consider marking the threat as answered if you found it helpful.

Cheers!

Federico.

Bruce Summers · ‎03-06-2011

i clicked the "correct answer" button on your posts...i'm assuming that awards "points" for your responses, right?

Federico Coto Fajardo · ‎03-06-2011

That is correct!

Thank you very much Bruce.. that helps a lot for future reference.

Federico.