Hi Thanks for responce , please check configs...

Hi,

I am not sure which NAT configuration was the one you had problem with.

You did mention that you were wondering how a Policy NAT would be configured where we for example had a certain source LAN network which was connecting to some REMOTE network and that traffic needed to use the interface IP address of the "outside".

The configuration would look a lot like the NAT0 / NAT Exempt you have. By the way, you have used the "show nat" command above while the output of "show run nat" would show the actual configuration format. Then again it wouldnt show the networks/addresses of the NAT configurations like the above.

So here is one example

• Source network 10.10.10.0/24
• Destination network 192.168.10.0/24
• Translate to "outside" interface IP address with Dynamic PAT

object network LAN

subnet 10.10.10.0 255.255.255.0

object network REMOTE

subnet 192.168.10.0 255.255.255.0

nat (inside,outside) source dynamic LAN interface destination static REMOTE REMOTE

or

nat (inside,outside) after-auto source dynamic LAN interface destination static REMOTE REMOTE

So in the above we can see that

• We are doing NAT between "inside" and "outside"
• The Real Source is defined under "object network LAN"
• The Mapped Source is defined with the use of parameter "interface" which tells the ASA to map the source addresses to the "outside" interface in this case
• The destination parameters tells us that this NAT only applies to traffic destined for the network under "object network REMOTE". And because both the Real and Mapped destination address is the same then there is no translation for the destination network.

If you let say had multiple source and destination networks then you could do this

object-group network LAN

subnet 10.10.10.0 255.255.255.0

subnet 10.10.20.0 255.255.255.0

object-group network REMOTE

subnet 192.168.10.0 255.255.255.0

subnet 192.168.20.0 255.255.255.0

nat (inside,outside) source dynamic LAN interface destination static REMOTE REMOTE

or

nat (inside,outside) after-auto source dynamic LAN interface destination static REMOTE REMOTE

So basically you would need to use "object-group network" instead of "object network". The simple reason is the fact that an "object network" can only handle a single subnet/host/range configuration WHILE the "object-group network" can hold several network/host addresses.

The "after-auto" option for both above examples is just a parameter that would move this NAT rule to a lower priorty where it wouldnt override possible Static NAT configurations and such. Without the parameter it might override other NAT configurations.

I would suggest avoid using "any" in the new NAT format configuration much. This might cause problems with the firewalls traffic forwarding. I'd rather specify the source networks under an "object-group network" instead of using "any"

- Jouni

Hi thanks alot but i think i did it same way yourself advised ...mine is after object manueal nat

(inside) to (outside) source dynamic 10subnet translatedtopublicsubnet   destination static dest1 dest1

....thanks for advise on any i will start triming it down ....but real issue iam having is to figure out two things....where do we use static and where dynamic as to exempt vpn subnets from nat we used static sinc eit was whole subnet range i was expacing dynamic to be used ?.. and also i have rule in 8.2 on inisde interface which is dynmic  with source any dest nothing and then translated section under interface its inside and under address its inside...very next rule on inside interface is almost same with source any destination nothing translated outside and address outside....not sure wt tis means...is its saying evefrything elese coming from inside to outside translate it to outside intreface lil confuse about both rule...cheers