Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
296
Views
0
Helpful
2
Replies

Basic NAT Question

Go to solution
mbaker33
Level 1
Level 1

‎12-09-2013 09:49 AM - edited ‎03-11-2019 08:15 PM

Hello,

I'm new to the new NAT statements in the ASA configs.  I've held off as long as I could, and now I am configuring a shiny new ASA 5525-X to replace our older 5520.  Alas, I cannot hold off any more.

My question is, when I upgraded our ASA 5520 to 8.4.3, it converted old NAT to the new format for me.  The issue comes where we have the same network natted twice.  Once, it is NAT'd to another internal interface, and the other, it is NAT'd to the external interface of the ASA for internet access.  Is it possible to have one object network line, with the two different NAT statements under it?  Or are two objects required?

Here's the code example:

Existing:

object network obj-10.10.0.0

nat (inside,dmz) static 10.10.0.0

object network obj-10.10.0.0-01

nat (inside,outside) dynamic interface

I would like something like this if possible.:

object network obj-10.10.0.0

nat (inside,dmz) static 10.10.0.0

nat (inside,outside) dynamic interface

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni

‎12-09-2013 09:57 AM

Hi,

You WONT be able to have multiple "nat" statement under one "object network"

Its one "nat" command per "object"

The bad thing about letting the ASA convert the configuration is that it leaves a lot of useless configurations.

For example your first NAT configuration seems like a Static Identity NAT. Essentially it translates the address to itself between 2 interfaces of the ASA.

object network obj-10.10.0.0

nat (inside,dmz) static 10.10.0.0

In general you wont need such configurations on the new software as the ASA doesnt require you to have NAT between the interface if you dont want to have.

Though I can't tell you if you need this NAT configurations because there might be some other configuration present that would start NATing the source network if this wasnt present. A possible scenario might be that if you had some kind of Dynamic PAT/NAT between "inside" and "dmz".

If you want to look at some information about the new NAT format then I would suggest having a look at a document I wrote here:

https://supportforums.cisco.com/docs/DOC-31116

There is also a good document comparing the new and old format here:

https://supportforums.cisco.com/docs/DOC-9129

Hope this helps

- Jouni

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni

‎12-09-2013 09:57 AM

Hi,

You WONT be able to have multiple "nat" statement under one "object network"

Its one "nat" command per "object"

The bad thing about letting the ASA convert the configuration is that it leaves a lot of useless configurations.

For example your first NAT configuration seems like a Static Identity NAT. Essentially it translates the address to itself between 2 interfaces of the ASA.

object network obj-10.10.0.0

nat (inside,dmz) static 10.10.0.0

In general you wont need such configurations on the new software as the ASA doesnt require you to have NAT between the interface if you dont want to have.

Though I can't tell you if you need this NAT configurations because there might be some other configuration present that would start NATing the source network if this wasnt present. A possible scenario might be that if you had some kind of Dynamic PAT/NAT between "inside" and "dmz".

If you want to look at some information about the new NAT format then I would suggest having a look at a document I wrote here:

https://supportforums.cisco.com/docs/DOC-31116

There is also a good document comparing the new and old format here:

https://supportforums.cisco.com/docs/DOC-9129

Hope this helps

- Jouni

0 Helpful

Go to solution
mbaker33
Level 1
Level 1
In response to Jouni Forss

‎12-10-2013 06:37 AM

Thank you Jouni,

I suspected that was the case, but I am trying to keep the config clean.  The new NAT methods are so different, I'll read your links and hopefully make sense of it.  I believe the two config examples I gave are both necessary.  One allows communication to our DMZ, and the other is our Global NAT to the internet from what I understand.

Again, thanks for the info.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card