03-19-2013 01:12 PM - edited 03-11-2019 06:16 PM
Somehow I have ended up with multiple network objects for the same network, for example:
obj-192.168.1.0
obj-192.168.1.0-1
obj-192.168.1.0-2
All are for the same network but have different NAT statements. When I look at my NAT statements I have a bunch of manual NAT and network object NAT rules. I'm pretty confused on the two. Should I just have one auto NAT statement for each object? Then, if I need another NAT statement for the same network, make it a manual NAT?
03-19-2013 01:21 PM
Hi,
I would be interested to know what exact NAT configurations all those objects hold.
To be honest, in a very basic setup I have NO object network NAT configurations for whole networks (only for single hosts' static NAT/PAT configurations).
For example, the very basic NAT configurations:
Default PAT for Internet traffic:
object-group network DEFAULT-PAT-SOURCE
network-object 192.168.1.0 255.255.255.0
nat (inside,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface
Static NAT for a single host:
object network STATIC
host 192.168.1.10
nat (inside,outside) static 1.1.1.1
NAT0 / NAT exemption / identity NAT for an L2L VPN connection or VPN client:
object network LAN
subnet 192.168.1.0 255.255.255.0
object network REMOTE-LAN
subnet 192.168.100.0 255.255.255.0
nat (inside,outside) source static LAN LAN destination static REMOTE-LAN REMOTE-LAN
Could say much more if I saw the NAT configurations and the corresponding address information under the objects.
- Jouni
03-19-2013 01:54 PM
I have a lot like this:
object network obj-172.16.0.0-04
subnet 172.16.0.0 255.254.0.0
object network obj-172.16.0.0-04
nat (inside,GC) static 172.16.0.0
object network obj-172.16.0.0-05
subnet 172.16.0.0 255.254.0.0
object network obj-172.16.0.0-05
nat (inside,TM) static 172.16.0.0
So when I look at my network objects I have several like this; each has an auto NAT with the object. What is best practice?
obj-172.16.0.0-01
obj-172.16.0.0-02
obj-172.16.0.0-03
obj-172.16.0.0-04
03-19-2013 02:04 PM
Would I be correct to presume you have updated/upgraded the ASA software from pre-8.3 to post-8.3 by letting the ASA convert the configuration by itself and not actually writing the configurations yourself?
If that is true, then it would seem to me that these configurations might be the 8.3 (and later) software's way of doing identity NAT between your local ASA interfaces (which can also be done with twice NAT / manual NAT).
I would for example guess that the following configuration
object network obj-172.16.0.0-05
subnet 172.16.0.0 255.254.0.0
nat (inside,TM) static 172.16.0.0
was this before:
static (inside,TM) 172.16.0.0 172.16.0.0 netmask 255.254.0.0
In the new software (8.3+), if you have local LAN and DMZ interfaces on the ASA which don't require NAT between them, you can simply leave out the NAT configurations. So if your purpose is to enable communication between local interfaces without modifying the source or destination address, then I would leave out all those NAT configurations.
In very basic setups you only really need to perform NAT between the local and public interfaces. The new ASA software doesn't have "nat-control" anymore. If there is no NAT rule for the traffic incoming to the ASA, then the ASA will simply pass it along without NAT.
- Jouni
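Finding the redundant rules by hand is tedious on a large migrated config. The script below is an added example for this thread, not code from the original posts or from Cisco: it parses the `object network` blocks of a saved ASA 8.3+ configuration, flags object NAT rules where the mapped address equals the real address (identity NAT, which is what the `static 172.16.0.0 172.16.0.0` lines became), reports objects that define the same subnet more than once, and prints the `no nat` lines to remove the identity rules. The sample config is constructed from the objects quoted in the thread plus an assumed real static NAT for host 192.168.1.10 so the script has a rule it must leave alone; the parsing regexes and the "mapped address == real network address" criterion are this example's assumptions, not an ASA API.

```python
"""Flag identity object-NAT rules left behind by an ASA pre-8.3 to 8.3+ conversion."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the shape of the converted config quoted in the thread.
# The obj-172.16.0.0-0x objects and interface names come from the thread; the
# STATIC host object is an assumed non-identity rule that must not be flagged.
SAMPLE_CONFIG = """\
object network obj-172.16.0.0-04
 subnet 172.16.0.0 255.254.0.0
object network obj-172.16.0.0-05
 subnet 172.16.0.0 255.254.0.0
object network STATIC
 host 192.168.1.10
object network obj-172.16.0.0-04
 nat (inside,GC) static 172.16.0.0
object network obj-172.16.0.0-05
 nat (inside,TM) static 172.16.0.0
object network STATIC
 nat (inside,outside) static 1.1.1.1
"""

OBJECT_RE = re.compile(r"^object network (\S+)$")
SUBNET_RE = re.compile(r"^subnet (\S+) (\S+)$")
HOST_RE = re.compile(r"^host (\S+)$")
NAT_RE = re.compile(r"^nat \((\S+),(\S+)\) static (\S+)$")


def parse_objects(config_text):
    """Collect each object's real address and its object-NAT rules.

    The ASA prints the address definition and the NAT line of one object in
    separate blocks, so a name can appear twice; both are merged into one record.
    """
    objects = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = OBJECT_RE.match(line)
        if m:
            current = objects.setdefault(m.group(1), {"real": None, "nat": []})
            continue
        if current is None:
            continue  # lines outside an object block are not of interest here
        m = SUBNET_RE.match(line)
        if m:
            # (address, netmask) tuple form; strict=False tolerates host bits set
            current["real"] = ipaddress.ip_network((m.group(1), m.group(2)), strict=False)
            continue
        m = HOST_RE.match(line)
        if m:
            current["real"] = ipaddress.ip_network(m.group(1) + "/32")
            continue
        m = NAT_RE.match(line)
        if m:
            current["nat"].append((m.group(1), m.group(2), m.group(3)))
    return objects


def is_identity_rule(real, mapped):
    """True when the rule translates nothing: the mapped address is the real one.

    For a subnet object, 'static X' maps the whole subnet onto an equally sized
    block starting at X, so identity means X is the real network address.
    """
    if real is None:
        return False
    return ipaddress.ip_address(mapped) == real.network_address


def identity_nat_rules(objects):
    """Return (object, in_if, out_if, mapped) for every identity object-NAT rule."""
    return [
        (name, in_if, out_if, mapped)
        for name, obj in objects.items()
        for in_if, out_if, mapped in obj["nat"]
        if is_identity_rule(obj["real"], mapped)
    ]


def duplicate_objects(objects):
    """Group object names by real address and keep addresses defined more than once."""
    by_net = defaultdict(list)
    for name, obj in objects.items():
        if obj["real"] is not None:
            by_net[str(obj["real"])].append(name)
    return {net: sorted(names) for net, names in by_net.items() if len(names) > 1}


def cleanup_commands(objects):
    """Emit 'no nat' lines for the identity rules only.

    Real static NAT rules are untouched, and objects are not deleted because
    they may still be referenced by access-lists or VPN configuration.
    """
    cmds = []
    for name, in_if, out_if, mapped in sorted(identity_nat_rules(objects)):
        cmds.append(f"object network {name}")
        cmds.append(f" no nat ({in_if},{out_if}) static {mapped}")
    return cmds


if __name__ == "__main__":
    objs = parse_objects(SAMPLE_CONFIG)
    for net, names in duplicate_objects(objs).items():
        print(f"{net} is defined by {len(names)} objects: {', '.join(names)}")
    print("\n".join(cleanup_commands(objs)))
```

Treat the output as a review list, not a change set. An identity rule is only redundant when no other rule for that interface pair would catch the traffic once it is gone: object NAT is evaluated before `after-auto` manual NAT, so an identity rule toward an interface that also has a dynamic PAT rule is the very thing keeping that traffic untranslated (this is the same reason the NAT exemption for VPN in the earlier post exists). Check each candidate on the ASA with `packet-tracer input <if> tcp <src> <sport> <dst> <dport>` before and after removing it, and confirm with `show nat detail` that the remaining rules match what you expect.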
03-19-2013 02:19 PM
Yep, I have upgraded from pre-8.3. I always wondered why I needed all these NAT statements; guess I don't need all of them anymore. Good news, thanks!