ASA, Static NAT

RexPr
Level 1

I’ve created a bridge group interface named inside and I've assigned it an IP (192.168.1.1).
Then I've created two interfaces, inside_3 and inside_4, both assigned to the bridge group inside.

Now if I make a NAT rule, for example nat (inside,outside) static interface service tcp 80 80,
an error is returned: I have to use nat (inside_3,outside) static interface service tcp 80 80,
but I don’t want to apply the NAT rule to a specific interface, but to every interface of the same network (192.168.1.0/24, in my case, the entire bridge group, with interface_3 and interface_4).

How can I do this?
Thanks, Fabrizio

 

Fabrizio www.rfc.it

Bogdan Nita
VIP Alumni

option 1:

configure 2 nat rules, one having inside_3 specified and the other inside_4

option 2:

use any when specifying the interface in the nat rule, if applicable

NAT with BVI interfaces has a couple of restrictions you need to keep in mind:

Configuring NAT on bridge group member interfaces (interfaces that are part of a Bridge Group Virtual Interface, or BVI) has the following restrictions:
- When configuring NAT for the members of a bridge group, you specify the member interface. You cannot configure NAT for the bridge group interface (BVI) itself.
- When doing NAT between bridge group member interfaces, you must specify the real and mapped addresses. You cannot specify “any” as the interface.
- You cannot configure interface PAT when the mapped address is a bridge group member interface, because there is no IP address attached to the interface.
- You cannot translate between IPv4 and IPv6 networks (NAT64/46) when the source and destination interfaces are members of the same bridge group. Static NAT/PAT 44/66, dynamic NAT44/66, and dynamic PAT44 are the only allowed methods; dynamic PAT66 is not supported.

 

https://www.cisco.com/c/en/us/td/docs/security/asa/asa97/configuration/firewall/asa-97-firewall-config/nat-basics.html

 

HTH

Bogdan
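
The first three restrictions quoted in the reply above, written as a check over an ASA configuration (an added example, not part of the original thread and not Cisco tooling). The sample config, its host addresses and object names, and the function names are constructed for illustration; the 'any' check is applied conservatively to every rule that pairs 'any' with a bridge group member.

```python
import re

# Constructed ASA excerpt (outside stanza omitted); addresses and object names are assumptions.
SAMPLE = """\
interface BVI1
 nameif inside
interface GigabitEthernet1/3
 bridge-group 1
 nameif inside_3
interface GigabitEthernet1/4
 bridge-group 1
 nameif inside_4
object network WEB_BVI
 host 192.168.1.10
 nat (inside,outside) static interface service tcp 80 80
object network WEB_3
 host 192.168.1.10
 nat (inside_3,outside) static interface service tcp 80 80
object network SRV
 host 192.168.1.20
 nat (any,inside_4) static 192.168.1.21
"""

NAT_RE = re.compile(r"(?m)^[ \t]*nat \(([^,\s]+),([^)\s]+)\)[ \t]+(.*)$")

def classify_interfaces(config):
    """Return (bvi_names, member_names) parsed from the interface stanzas."""
    bvis, members = set(), set()
    for stanza in re.split(r"(?m)^(?=\S)", config):
        name = re.search(r"(?m)^\s+nameif (\S+)", stanza)
        if name and re.match(r"interface BVI\d+", stanza, re.I):
            bvis.add(name.group(1))
        elif name and re.search(r"(?m)^\s+bridge-group \d+", stanza):
            members.add(name.group(1))
    return bvis, members

def check_nat(config):
    """Return [(line_no, message)] for NAT lines that break a bridge group restriction."""
    bvis, members = classify_interfaces(config)
    findings = []
    for m in NAT_RE.finditer(config):
        real, mapped, rest = m.groups()
        no = config.count("\n", 0, m.start()) + 1
        checks = [
            (bvis & {real, mapped}, "NAT names the BVI; use a member interface"),
            ("any" in (real, mapped) and members & {real, mapped}, "'any' paired with a member"),
            (mapped in members and "interface" in rest.split(), "interface PAT mapped to a member"),
        ]
        findings += [(no, msg) for hit, msg in checks if hit]
    return findings
```

On the sample, the rule that names the bridge group interface (the form from the question) and the `(any,inside_4)` rule are reported, while the per-member rule passes.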
