12-05-2018 09:21 AM - edited 02-21-2020 08:32 AM
Please explain this configuration. What kind of NAT is it using and how can I learn how to configure it?
nat (any,outside) source static OBJECT-GROUP-1 OBJECT-GROUP-1 destination static OBJECT-GROUP-2 OBJECT-GROUP-2 no-proxy-arp route-lookup
nat (any,outside) after-auto source dynamic any interface
12-05-2018 02:36 PM
the asa has 3 main categories of nat - manual nat, object nat (auto nat), and manual nat after auto
these are actually applied in sequential order like an acl
sh nat - will show the order of the rules
sh run nat - to see the actual nat config
this is using static nat - this entry is also known as nat exemption & is often used for vpn traffic
for traffic using any ingress interface & egressing the outside interface - this nat rule will apply
obj-grp 1 has a static mapping to itself only when the dest is obj-grp 2
cisco rec to use no-proxy-arp & route-lookup - so asa int won't send arp for next hop & will use route table for traffic
regards, mk
12-05-2018 12:42 PM - edited 12-05-2018 12:43 PM
There is a good document for understanding this; please refer to the document below:
https://www.netcraftsmen.com/nat-configuration-on-asa-8-4-part-2/
12-05-2018 12:43 PM
When going out of the outside interface from OBJECT-GROUP-1 to OBJECT-GROUP-2, you don't do any NAT. For the rest of the traffic going out of interface outside you PAT (or hide-nat/masquerade) the source to the IP of the outside interface.
For learning more, Jouni's intro is still a good read:
12-06-2018 07:10 AM - edited 12-06-2018 07:11 AM
This document you provided a link for was very helpful in providing an overview of the new NAT. Exactly what I was searching for.
This configuration I provided is for a VPN tunnel, so it seems the first statement is identity NAT, which is a variation of Twice NAT / Manual NAT, in Section 1. Its purpose appears to be to not do NAT for the traffic from the first object group to the second object group or backwards, i.e. "no NAT for either source or destination networks".
The second NAT statement appears to be dynamic PAT, implemented using Twice NAT / Manual NAT, in Section 3, and must serve to NAT traffic that is not contained in the object groups.
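To make the section ordering from the accepted answer and the identity-NAT / dynamic-PAT classification above concrete, here is an added Python example (not code from the thread or from Cisco) that parses ASA nat commands, tags each rule by section and type, and lists them in the order the ASA evaluates them. The sample config is constructed: it holds the two lines from the question plus a made-up object NAT rule (WEB-SRV) so that Section 2 appears too.

```python
import re
from dataclasses import dataclass

# Constructed sample (assumption): the two nat lines from the question plus one
# object (auto) NAT rule, with made-up names, so that all three sections appear.
SAMPLE_CONFIG = """\
object network WEB-SRV
 host 10.1.1.10
 nat (inside,outside) static 203.0.113.10
nat (any,outside) source static OBJECT-GROUP-1 OBJECT-GROUP-1 destination static OBJECT-GROUP-2 OBJECT-GROUP-2 no-proxy-arp route-lookup
nat (any,outside) after-auto source dynamic any interface
"""

@dataclass
class NatRule:
    section: int   # 1 = manual NAT, 2 = object (auto) NAT, 3 = manual NAT after auto
    kind: str      # identity (NAT exemption) | static | dynamic | dynamic-pat
    ingress: str
    egress: str
    flags: list    # trailing options, e.g. no-proxy-arp, route-lookup

NAT_RE = re.compile(r"^([ \t]*)nat \((\S+),(\S+)\) (.*)$", re.MULTILINE)

def parse_nat_rules(config: str) -> list:
    """Return every nat command in the config, tagged with its section and type."""
    rules = []
    for m in NAT_RE.finditer(config):
        indent, ingress, egress, body = m.groups()
        words, flags = body.split(), []
        if indent:  # indented under "object network ...": object NAT, Section 2
            section = 2
            kind = "dynamic-pat" if words[:2] == ["dynamic", "interface"] else words[0]
        else:       # manual (twice) NAT: Section 1, or Section 3 with after-auto
            section, words = (3, words[1:]) if words[0] == "after-auto" else (1, words)
            mode, real, mapped = words[1:4]           # "source MODE REAL MAPPED"
            identity, rest = real == mapped, words[4:]
            if rest[:1] == ["destination"]:           # "destination static REAL MAPPED"
                identity, rest = identity and rest[2] == rest[3], rest[4:]
            if mode == "static":
                kind = "identity" if identity else "static"
            else:
                kind = "dynamic-pat" if mapped == "interface" else "dynamic"
            flags = rest
        rules.append(NatRule(section, kind, ingress, egress, flags))
    return rules

def evaluation_order(rules: list) -> list:
    """ASA lookup order: Section 1, then 2, then 3; within a section, order of
    appearance (a simplification for object NAT, which the ASA sorts further)."""
    return sorted(rules, key=lambda r: r.section)  # sorted() is stable
```

Running `evaluation_order(parse_nat_rules(SAMPLE_CONFIG))` puts the identity rule first and the after-auto PAT last, which is why the exempt VPN traffic never reaches the interface PAT.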