ASA 8.3 server nat to different interfaces

jmprats
Level 4

Do I need to create 2 objects for NATing a server to 2 different interfaces?

That is, an inside server published in two different DMZs.

Automatic migration to 8.3 creates 2 objects (one for each NAT).

Can I do the same with only one object, like this, or do I need an object for each NAT?

object network server
 host 192.168.128.10
 nat (inside,dmz) static 172.24.1.10
 nat (inside,dmzguests) static 10.10.0.10

thanks

1 Accepted Solution

Jennifer Halim
Cisco Employee

No, unfortunately you can't configure 2 NAT statements within 1 network object. You would need to create 2 separate network objects for the 2 different interfaces.

5 Replies

OK, but this feature would be very useful.

It's the same server that you publish on different interfaces; I can't see why not allow it.

If not, you have to create too many objects, one for each NAT. And for each object you need the host line and the object with the nat line.

So you don't simplify anything. With the old static command you resolved the problem in one line!

Definitely agree with you.

The previous version of NAT is definitely a lot tidier and simpler than the new version of NAT. However, the new version of NAT is a lot more flexible than the old one.

I would recommend that you suggest this feature to your Cisco account manager so they can take it up with the development team.

Ok, a new question please. I can't understand why this configuration:

Static PAT; only one ACE in the access rule matches the PAT
Old Configuration
static (inside,outside) tcp 172.23.57.170 5080 10.50.50.50 80
access-list 1 extended permit tcp any host 172.23.57.170 eq 5080
access-list 1 extended permit udp any host 172.23.57.170 eq 5080
access-list 1 extended permit tcp any host 172.23.57.170 eq 10000
access-list 1 extended permit tcp any host 10.2.3.4 eq 5080
access-group 1 in interface outside
Migrated Configuration
access-list 1 extended permit tcp any host 10.50.50.50 eq 80
access-list 1 extended permit udp any host 172.23.57.170 eq 5080
access-list 1 extended permit tcp any host 172.23.57.170 eq 10000
access-list 1 extended permit tcp any host 10.2.3.4 eq 5080
access-group 1 in interface outside

It's not logical not to use the real IP address in the second and third static PAT entries.

Yes, with the new NAT, comes the new ACL as well.

In version 8.2 and earlier, an ACL applied on the outside interface is matched against the NATed address, while in version 8.3 and above you now match it against the real IP address. You can also match against the NAT object now in the access-list.
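To make both points in this thread concrete (one network object per NAT mapping, and only the ACE that actually matches a static PAT being rewritten to the real address and port), here is a small migration helper written as an added example. It is not Cisco's 8.3 migration code and not part of this thread; the object naming scheme (obj-<real-ip>-<mapped-interface>) is this example's own choice, and the input lines are constructed from the two scenarios discussed above.

```python
"""Toy ASA 8.2 -> 8.3 migration helper (added example, not Cisco's tool):
emits one object NAT per 'static' line and rewrites matching ACEs to real addresses."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class StaticNat:
    real_if: str
    mapped_if: str
    real_ip: str
    mapped_ip: str
    proto: Optional[str] = None       # "tcp"/"udp" for static PAT, None for plain static NAT
    real_port: Optional[int] = None
    mapped_port: Optional[int] = None


def parse_static(line: str) -> StaticNat:
    """Parse a pre-8.3 'static (real_if,mapped_if) [tcp|udp] mapped [port] real [port] ...' line."""
    tokens = line.split()
    if tokens[0] != "static":
        raise ValueError(f"not a static command: {line!r}")
    real_if, mapped_if = tokens[1].strip("()").split(",")
    rest = tokens[2:]
    if rest[0] in ("tcp", "udp"):                       # static PAT: ports present
        proto, mapped_ip, mapped_port, real_ip, real_port = rest[:5]
        return StaticNat(real_if, mapped_if, real_ip, mapped_ip,
                         proto, int(real_port), int(mapped_port))
    mapped_ip, real_ip = rest[:2]                       # plain static NAT (netmask etc. ignored)
    return StaticNat(real_if, mapped_if, real_ip, mapped_ip)


def object_nat_lines(nat: StaticNat) -> List[str]:
    """Emit the 8.3 object NAT for one mapping. A network object carries a single
    nat statement, so the same real host needs one object per mapped interface;
    the object name (hypothetical scheme) embeds the mapped interface to keep them distinct."""
    name = f"obj-{nat.real_ip}-{nat.mapped_if}"
    nat_line = f" nat ({nat.real_if},{nat.mapped_if}) static {nat.mapped_ip}"
    if nat.proto:
        # 8.3 object NAT service keyword takes real port first, then mapped port
        nat_line += f" service {nat.proto} {nat.real_port} {nat.mapped_port}"
    return [f"object network {name}", f" host {nat.real_ip}", nat_line]


def migrate_ace(ace: str, nats: List[StaticNat]) -> str:
    """Rewrite one 'access-list N extended permit|deny <proto> <src> host <dst> [eq <port>]' ACE.
    An ACE is rewritten to the real address only when protocol, destination and port all
    match a mapping; anything else is left alone, which is why the thread's 2nd-4th ACEs
    keep the mapped address after migration."""
    tokens = ace.split()
    if len(tokens) < 6 or tokens[0] != "access-list" or tokens[2] != "extended":
        return ace
    proto = tokens[4]
    i = 6 if tokens[5] == "any" else 7                  # 'any' is 1 token; 'host A' / 'A MASK' are 2
    if i + 1 >= len(tokens) or tokens[i] != "host":
        return ace
    dst = tokens[i + 1]
    port = int(tokens[i + 3]) if len(tokens) > i + 3 and tokens[i + 2] == "eq" else None
    for nat in nats:
        if dst != nat.mapped_ip:
            continue
        if nat.proto is None:                           # static NAT covers every port of the host
            tokens[i + 1] = nat.real_ip
            return " ".join(tokens)
        if proto == nat.proto and port == nat.mapped_port:
            tokens[i + 1] = nat.real_ip
            tokens[i + 3] = str(nat.real_port)
            return " ".join(tokens)
    return ace


def migrate(statics: List[str], acl: List[str]) -> List[str]:
    """Full migration: object NAT blocks followed by the rewritten ACL."""
    nats = [parse_static(s) for s in statics]
    out: List[str] = []
    for nat in nats:
        out.extend(object_nat_lines(nat))
    out.extend(migrate_ace(a, nats) for a in acl)
    return out


if __name__ == "__main__":
    # Constructed input: the two-DMZ server from the question plus the static PAT example
    statics = [
        "static (inside,dmz) 172.24.1.10 192.168.128.10 netmask 255.255.255.255",
        "static (inside,dmzguests) 10.10.0.10 192.168.128.10 netmask 255.255.255.255",
        "static (inside,outside) tcp 172.23.57.170 5080 10.50.50.50 80",
    ]
    acl = [
        "access-list 1 extended permit tcp any host 172.23.57.170 eq 5080",
        "access-list 1 extended permit udp any host 172.23.57.170 eq 5080",
        "access-list 1 extended permit tcp any host 172.23.57.170 eq 10000",
        "access-list 1 extended permit tcp any host 10.2.3.4 eq 5080",
    ]
    print("\n".join(migrate(statics, acl)))
```

Running it prints two separate objects for 192.168.128.10 (one per DMZ) and a third for the PAT, and only the first ACE comes out as `host 10.50.50.50 eq 80`; the UDP ACE, the port-10000 ACE and the 10.2.3.4 ACE are untouched because no mapping matches them on all of protocol, address and port. When auditing a migrated ACL, that is the check worth automating: every ACE still referring to a mapped address after migration should be one that genuinely had no matching NAT.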
