Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 
cancel
Start a conversation
2356
Views
0
Helpful
4
Replies

ASA 8.4 NAT subnets?

swagoner1
Level 1
Level 1

ā€Ž05-22-2012 08:58 AM - edited ā€Ž03-11-2019 04:09 PM

Need to setup some static NATs for some networks and IP ranges. Rather than setting up 50+ individual NAT rules I'm thinking 8.3 or 8.4 supports snat for networks?

Example

73.11.200.88/29 and 192.168.0.64/29

so

73.11.200.88 would always be static NAT for 192.168.0.64

73.11.200.89 would always be static NAT for 192.168.0.65

73.11.200.90 would always be static NAT for 192.168.0.66

Am I correct that this can be done with 1 NAT rule instead of multiple?

Can it also be done with object groups? Assuming the number of objects in each group is the same.

Thanks for the time.

Labels:
0 Helpful
4 Replies 4

siddhartham
Level 4
Level 4

ā€Ž05-22-2012 10:10 AM

I believe you can't achieve the below with one statement, you have to create an object group for each static NAT

73.11.200.88 would always be static NAT for 192.168.0.64

73.11.200.89 would always be static NAT for 192.168.0.65

73.11.200.90 would always be static NAT for 192.168.0.66

object network ip-1

host 192.168.0.64

nat (dmz,outside) static 73.11.200.88

object network ip-2

host 192.168.0.65

nat (dmz,outside) static 73.11.200.89

object network ip-3

host 192.168.0.66

nat (dmz,outside) static 73.11.200.90

Siddhartha
0 Helpful

Julio Carvajal
VIP Alumni
VIP Alumni

ā€Ž05-22-2012 10:18 AM

Hello,

As Sid says there is no way you can do a static nat like that, unless you do like ( subnet to subnet object)

192.168.1.1-73.11.200.1

192.168.1.2-73.11.200.2

192.168.1.3-73.11.200.3

but not the way you want it...

Regards,

Do rate all the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful

swagoner1
Level 1
Level 1
In response to Julio Carvajal

ā€Ž05-22-2012 10:22 AM

You mean if they were both identical like 73.11.200.88/29 and 192.168.0.88/29?

Then the ASA would automatically assign .88 to .88, and .89 to .89, etc?

Thanks

0 Helpful

Julio Carvajal
VIP Alumni
VIP Alumni
In response to swagoner1

ā€Ž05-22-2012 10:35 AM

Hello,

Here is the example that will explain it to you.. This is on 8.2

static (inside,outside) 4.0.0.0 192.168.12..0 netmask 255.255.255.0

Like this the ASA will do a one to one mapping.

This is what you will need to do on 8.4 as well, how do you do it using the same  ( subnets)

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card