ASA NAT Question

cyoung1981 · ‎02-10-2019

I'm still figuring out NAT in the post 8.2 world. This question is a two parter. First. I have configured SSL VPN and and have the no nat setup like this.....

nat (inside,outside) source static INTERNAL INTERNAL destination static VPN VPN no-proxy-arp route-lookup

Since INTERNAL and VPN are object groups is static correct here? Or should it be dynamic?

Second part is along the same lines. I have other firewalls behind my ASA. For those networks I need to NAT the public IP's to themselves and let them pass to their destination firewall. I THINK I would configure it like this?

object network SUB1
 range 1.1.1.1 1.1.1.250
!
object network SUB2
 range 2.2.2.1 2.2.2.250
!
object-group network ONE-ONE
 network-object object SUB1
network-object object SUB2
!
nat (inside,outside) source static ONE-ONE destination static ONE-ONE

or would it be like the no nat for vpn and be like this?

nat (inside,outside) source static ONE-ONE ONE-ONE destination static ONE-ONE ONE-ONE

or am i over thinking this and it really just needs to be?

object-group network ONE-ONE
nat static ONE-ONE

Mohammed al Baqari · ‎02-10-2019

You first statement is correct and for 2nd use the same vpn nat

Marius Gunnerud · ‎02-11-2019

Your identity NAT statement (aka no NAT) is correct.

Second part is along the same lines. I have other firewalls behind my ASA. For those networks I need to NAT the public IP's to themselves and let them pass to their destination firewall. I THINK I would configure it like this?

I am not sure I understand what you are trying to achieve here. Are these public IPs configured on the ASAs themselves and are just to be routed through this internet firewall?

--
Please remember to select a correct answer and rate helpful posts