05-23-2015 08:50 AM - edited 03-11-2019 10:59 PM
Hello,
I've been trying to get a better understanding of Auto NAT (objectNAT) and Manual NAT by configuring it on an ASA.
I noticed that if I configure AutoNAT (object NAT) as below the NAT rule appears in section 2 Auto NAT.
ciscoasa(config-network-object)# sh run object
object network pat-pool-100-110*******PAT Pool config******
range 10.10.10.100 10.10.10.110
object network 10-10-3-0*******Source Subnet config******
subnet 10.10.3.0 255.255.255.0
ciscoasa(config)# object network 10-10-3-0
ciscoasa(config-network-object)#
ciscoasa(config-network-object)# nat dynamic pat-pool-100-110
ciscoasa(config-network-object)# sh nat
Auto NAT Policies (Section 2)
1 (any) to (any) source dynamic 10-10-3-0 pat-pool-100-110
translate_hits = 0, untranslate_hits = 0
ciscoasa(config-network-object)#
The above result is what I'd expect from the applied configuration.
However if I try and configure Auto NAT (objectNAT) as below and specify the interfaces the NAT rule is placed in
section 1 (manual NAT). Just wondering if this is expected behavior or if I'm not configuring something correctly?
I was thinking this should show up in section 2 also.
ciscoasa(config)# object network 10-10-3-0
ciscoasa(config-network-object)#nat (inside,outside) source dynamic 10-10-3-0 pat-pool-100-110
ciscoasa(config-network-object)# sh nat
Manual NAT Policies (Section 1)
1 (inside) to (outside) source dynamic 10-10-3-0 pat-pool-100-110
translate_hits = 0, untranslate_hits = 0
Any guidance would be appreciated.
Thanks
Andy
05-23-2015 09:53 AM
Yes, the syntax is a bit confusing ...
You configure the nat-rule in object-mode, but use the syntax for manual nat. Because of that, the nat rule is placed into section 1.
If you want it to be an object-nat rule, you can't use the keyword "source" as object-nat is always source-nat:
object network 10-10-3-0
 nat (inside,outside) dynamic ...
You can see the difference with the interactive help:
asa(config-network-object)# nat (inside,outside) ?

network-object mode commands/options:
  dynamic         Specify NAT type as dynamic
  static          Specify NAT type as static

configure mode commands/options:
  <1-2147483647>  Position of NAT rule within before auto section
  after-auto      Insert NAT rule after auto section
  source          Source NAT parameters
asa(config-network-object)# nat (inside,outside)
Only if you use the "network-object" keywords, you configure object-nat. If you use the "configure mode" keywords, it will be a manual nat-rule.
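The keyword rule described in the answer above can be turned into a small review check. This is an added example, not part of the original posts and not Cisco code: the function names and the sample transcript are assumptions, the keyword sets come from the help output quoted in the answer, and the mapping of after-auto to section 3 is standard ASA behaviour that the thread itself does not show.

```python
import re

# Keyword sets are taken from the "nat (inside,outside) ?" help output above.
AUTO_KEYWORDS = {"dynamic", "static"}        # "network-object mode" options
NAT_RE = re.compile(r"^nat\s+(?:\([^,\s]+,[^)\s]+\)\s*)?(?P<rest>.*)$")

def classify_nat(command):
    """Return (section, kind) for one nat command, or None if it is not one."""
    m = NAT_RE.match(command.strip())
    if not m or not m.group("rest"):
        return None
    first = m.group("rest").split()[0]
    if first in AUTO_KEYWORDS:
        return (2, "auto")
    if first == "after-auto":                # manual rule placed after the auto section
        return (3, "manual")
    if first == "source" or first.isdigit(): # manual rule, optionally with a position
        return (1, "manual")
    return None

def audit(session):
    """List nat commands in a CLI transcript; flag manual rules typed in object mode."""
    findings = []
    for raw in session.splitlines():
        prompt, sep, command = raw.partition("#")
        if not sep:
            continue                          # show output, not a typed command
        result = classify_nat(command)
        if result is None:
            continue
        section, kind = result
        in_object_mode = prompt.strip().endswith("(config-network-object)")
        findings.append({"command": command.strip(), "section": section,
                         "kind": kind, "mismatch": in_object_mode and kind == "manual"})
    return findings

# Constructed transcript: the first two commands are from the thread, the last is made up.
SAMPLE = """\
ciscoasa(config-network-object)# nat dynamic pat-pool-100-110
ciscoasa(config-network-object)#nat (inside,outside) source dynamic 10-10-3-0 pat-pool-100-110
 1 (inside) to (outside) source dynamic 10-10-3-0 pat-pool-100-110
ciscoasa(config)# nat (inside,outside) after-auto source dynamic 10-10-3-0 pat-pool-100-110
"""

if __name__ == "__main__":
    for f in audit(SAMPLE):
        note = "  <-- manual NAT syntax used in object mode" if f["mismatch"] else ""
        print(f"section {f['section']} ({f['kind']}): {f['command']}{note}")
```

A flagged entry means the rule was typed under an object but will be evaluated in section 1, ahead of every auto NAT rule, which is the ordering surprise the original question ran into.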
05-23-2015 10:46 AM
Thanks Karsten,
That was it. When I added the word dynamic after the (inside,outside) then the nat rule was added to section 2.
Thanks for your help.
Andy