02-10-2019 11:16 AM - edited 02-21-2020 08:47 AM
I'm still figuring out NAT in the post-8.2 world. This question is a two-parter. First, I have configured SSL VPN and have the no-NAT setup like this:
nat (inside,outside) source static INTERNAL INTERNAL destination static VPN VPN no-proxy-arp route-lookup
Since INTERNAL and VPN are object groups, is static correct here? Or should it be dynamic?
Second part is along the same lines. I have other firewalls behind my ASA. For those networks I need to NAT the public IP's to themselves and let them pass to their destination firewall. I THINK I would configure it like this?
object network SUB1
 range 1.1.1.1 1.1.1.250
!
object network SUB2
 range 2.2.2.1 2.2.2.250
!
object-group network ONE-ONE
 network-object object SUB1
 network-object object SUB2
!
nat (inside,outside) source static ONE-ONE destination static ONE-ONE
or would it be like the no nat for vpn and be like this?
nat (inside,outside) source static ONE-ONE ONE-ONE destination static ONE-ONE ONE-ONE
Or am I overthinking this and it really just needs to be?
object-group network ONE-ONE
 nat static ONE-ONE
02-10-2019 09:36 PM
02-11-2019 07:59 AM
Your identity NAT statement (aka no NAT) is correct.
Second part is along the same lines. I have other firewalls behind my ASA. For those networks I need to NAT the public IP's to themselves and let them pass to their destination firewall. I THINK I would configure it like this?
I am not sure I understand what you are trying to achieve here. Are these public IPs configured on the ASAs themselves and are just to be routed through this internet firewall?