08-17-2013 01:49 PM - edited 03-11-2019 07:27 PM
Hi,
I'm trying to implement NAT on an ASA and I found a very strange behavior.
a) I started with dynamic NAT:
object network MY-RANGE-OBJ
range 172.16.1.100 172.16.1.120
object network MY-INSIDE-NET
subnet 10.0.0.0 255.255.255.0
ASA1(config)# object network MY-INSIDE-NET
ASA1(config-network-object)# nat (inside,outside) dynamic MY-RANGE-OBJ
ASA1(config-network-object)# sh ru | i nat
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
ASA1(config-network-object)# nat (inside,outside) dynamic MY-RANGE-OBJ interfa
ASA1(config-network-object)# sh ru | i nat
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
ASA1(config-network-object)# nat (inside,outside) static interface
WARNING: All traffic destined to the IP address of the outside interface is being redirected.
WARNING: Users may not be able to access any service enabled on the outside interface.
ASA1(config-network-object)# sh ru | i nat
nat (inside,outside) static interface
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
ASA1(config-network-object)#
Why can't I add 'dynamic MY-RANGE-OBJ' or 'dynamic MY-RANGE-OBJ inter'? I can't see any errors; the commands are ignored.
Thank you
Hubert
08-17-2013 01:54 PM
Hi,
Can you rather post the output of
show run nat
Even though I guess your command should list it also.
You can also configure the same in this way (which is the way I prefer doing it)
This IS NOT inserted under any "object"
nat (inside,outside) after-auto source dynamic MY-INSIDE-NET MY-RANGE-OBJ
- Jouni
08-17-2013 02:20 PM
Hi,
ASA1(config)# object network MY-RANGE-OBJ
ASA1(config-network-object)#
ASA1(config-network-object)# range 172.16.1.100 172.16.1.120
ASA1(config-network-object)#
ASA1(config-network-object)# object network MY-INSIDE-NET
ASA1(config-network-object)#
ASA1(config-network-object)# subnet 10.0.0.0 255.255.255.0
ASA1(config-network-object)# nat
ASA1(config-network-object)# nat (is
ASA1(config-network-object)# nat (ins
ASA1(config-network-object)# nat (inside,o
ASA1(config-network-object)# nat (inside,outside) d
ASA1(config-network-object)# nat (inside,outside) dynamic MY-RANGE-OBJ
ASA1(config-network-object)# sh run nat
ASA1(config-network-object)# end
ASA1# sh run nat
ASA1#
ASA1#
ASA1# sh run | b obje
object network MY-RANGE-OBJ
range 172.16.1.100 172.16.1.120
object network MY-INSIDE-NET
subnet 10.0.0.0 255.255.255.0
access-list OUT extended permit icmp host 172.16.1.2 host 10.0.0.10
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
Any idea ?
You're right, the command below works fine:
ASA1(config)# nat (inside,outside) after-auto source dynamic MY-INSIDE-NET MY-RANGE-OBJ
ASA1(config)# sh run nat
!
nat (inside,outside) after-auto source dynamic MY-INSIDE-NET MY-RANGE-OBJ
ASA1(config)#
According to the Cisco doc the first version should work as well (
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/nat_objects.html#wp1106144
), is it a bug?
Thanks!
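The two outputs above show the same translation entered in two different places: once under the network object (object NAT, which here did not appear in `show run nat`) and once as a top-level `after-auto` rule (twice NAT, which did). As an added example that is not from this thread or from Cisco, the following Python checker parses `show run` text and lists which rules actually translate a given object between two interfaces, regardless of which NAT form was used, so a missing rule is caught by inspection of the saved config rather than by noticing broken traffic later. The sample config is constructed from the objects in this thread; it assumes the single-space indentation that `show run` uses for sub-commands, and it does not model PAT fallback keywords such as a trailing `interface`.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class NatRule:
    kind: str        # "object" = network object (auto) NAT, "twice" = manual NAT
    real_ifc: str    # interface facing the real addresses, e.g. "inside"
    mapped_ifc: str  # interface facing the mapped addresses, e.g. "outside"
    real_src: str    # object holding the real source addresses
    mapped_src: str  # mapped object, or the literal "interface"
    mode: str        # "dynamic" or "static"
    section: str     # "auto" for object NAT, "before-auto"/"after-auto" for twice NAT


# 'show run' indents sub-commands by one space: object NAT is an indented
# 'nat' line under 'object network <name>', twice NAT is a top-level 'nat' line.
OBJECT_RE = re.compile(r"^object network (\S+)\s*$")
OBJECT_NAT_RE = re.compile(r"^ nat \((\S+),(\S+)\) (dynamic|static) (\S+)")
TWICE_NAT_RE = re.compile(
    r"^nat \((\S+),(\S+)\)(?: (after-auto))? source (dynamic|static) (\S+) (\S+)"
)


def parse_nat_rules(config: str) -> List[NatRule]:
    """Extract both object NAT and twice NAT rules from 'show run' text."""
    rules: List[NatRule] = []
    current_obj = None
    for line in config.splitlines():
        m = OBJECT_RE.match(line)
        if m:
            current_obj = m.group(1)
            continue
        if not line.startswith(" "):
            current_obj = None  # any other top-level line ends the object block
        m = OBJECT_NAT_RE.match(line)
        if m and current_obj:
            real_ifc, mapped_ifc, mode, mapped = m.groups()
            rules.append(NatRule("object", real_ifc, mapped_ifc, current_obj, mapped, mode, "auto"))
            continue
        m = TWICE_NAT_RE.match(line)
        if m:
            real_ifc, mapped_ifc, after, mode, real_src, mapped = m.groups()
            rules.append(NatRule("twice", real_ifc, mapped_ifc, real_src, mapped, mode,
                                 after or "before-auto"))
    return rules


def translations_for(config: str, real_src: str, real_ifc: str = "inside",
                     mapped_ifc: str = "outside") -> List[Tuple[str, str]]:
    """(mode, mapped_src) pairs that translate real_src between the two interfaces,
    whichever NAT form they were configured with. Empty list means no rule was saved."""
    return sorted({(r.mode, r.mapped_src) for r in parse_nat_rules(config)
                   if r.real_src == real_src
                   and (r.real_ifc, r.mapped_ifc) == (real_ifc, mapped_ifc)})


# Constructed 'show run' excerpt modelled on the thread: the object NAT line
# the poster typed is absent; only the twice NAT rule was saved.
SAMPLE_CONFIG = """\
object network MY-RANGE-OBJ
 range 172.16.1.100 172.16.1.120
object network MY-INSIDE-NET
 subnet 10.0.0.0 255.255.255.0
access-list OUT extended permit icmp host 172.16.1.2 host 10.0.0.10
!
nat (inside,outside) after-auto source dynamic MY-INSIDE-NET MY-RANGE-OBJ
"""

# Constructed variant showing how the object NAT form looks when it is saved.
SAMPLE_CONFIG_WITH_OBJECT_NAT = """\
object network MY-RANGE-OBJ
 range 172.16.1.100 172.16.1.120
object network MY-INSIDE-NET
 subnet 10.0.0.0 255.255.255.0
 nat (inside,outside) dynamic MY-RANGE-OBJ
access-list OUT extended permit icmp host 172.16.1.2 host 10.0.0.10
"""

if __name__ == "__main__":
    for name, cfg in (("twice NAT only", SAMPLE_CONFIG),
                      ("object NAT", SAMPLE_CONFIG_WITH_OBJECT_NAT)):
        print(name, [r.kind for r in parse_nat_rules(cfg)],
              translations_for(cfg, "MY-INSIDE-NET"))
```

Running the script over the first sample reports a single `twice` rule and still finds the `('dynamic', 'MY-RANGE-OBJ')` translation for `MY-INSIDE-NET`; over the second it finds the same translation from an `object` rule. An empty result for an object you expect to be translated is the condition the thread ran into, and it is worth checking after every NAT change because the ASA printed no error when the command was dropped.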
08-17-2013 02:31 PM
Hi,
Yes, to my understanding the configuration you mention should work.
We have a firewall running that same software version and generally we have not faced any NAT related problems. Though we don't really use the Network Object NAT / Auto NAT to configure it.
Here is one Bug that seems to match your problem. Though the listed software refers to the ASASM modules' starting software and not this software level. But I can't be sure the Bug ID notes contain all the information.
https://tools.cisco.com/bugsearch/bug/CSCty36464
- Jouni
08-17-2013 02:40 PM
Thanks for the bug details
cheers!
08-17-2013 02:41 PM
You can naturally try updating the software and see if that takes the problem away. I do remember testing the NAT configuration in the same way you attempted it in your original post and it has worked.
You could for example consider newer software versions in the same major and minor release, for example 8.4(5) or 8.4(6).
Here is a list of software levels and the feature additions/changes in them:
http://www.cisco.com/en/US/docs/security/asa/roadmap/asa_new_features.html
- Jouni