Solved: ASA in front of multiple subnets

JaseJK · ‎12-22-2021

Hello all.

This might be me just being simple but how do you NAT multiple subnets behind an ASA ?

For example I have subnets 192.168.0.0-192.168.5.0/24

for 192.168.0.0/24 I do

object network net192.168.0.0
 nat (inside,outside) dynamic interface

which ofc routes all 192.168.0.0 traffic fine.

to include all the rest of the subnets

I tried

object-group network AllLANS
 network-object object net192.168.0.0
 network-object object net192.168.1.0
..

object network ALLLANS
 nat (inside,outside) dynamic interface

When ever I try to NAT this with anything else than only 0.0.0.0 in AllLANS I get an error from the ASA.

the only way I have been able to make it work is make AllLANS 0.0.0.0 0.0.0.0

While it works I'd like to be able to be more specific in NAT rules not to open everything.

Thank you...

edit:

ASA 5516 running 9.16(2)

Marius Gunnerud · ‎12-22-2021

You are creating an object-group but then create the NAT using a regular network object which is not defined. You cannot use the same method for NAT when using object-group.

You would need to use a command like the following

nat (inside,outside) after-auto source dynamic AllLANS interface

--
Please remember to select a correct answer and rate helpful posts

View solution in original post

Marius Gunnerud · ‎12-22-2021

You are creating an object-group but then create the NAT using a regular network object which is not defined. You cannot use the same method for NAT when using object-group.

You would need to use a command like the following

nat (inside,outside) after-auto source dynamic AllLANS interface

--
Please remember to select a correct answer and rate helpful posts

JaseJK · ‎12-23-2021

I had a feeling it was me just being simple. Thank you very much.