12-09-2013 09:49 AM - edited 03-11-2019 08:15 PM
Hello,
I'm new to the new NAT statements in the ASA configs. I've held off as long as I could, and now I am configuring a shiny new ASA 5525-X to replace our older 5520. Alas, I cannot hold off any more.
My question is, when I upgraded our ASA 5520 to 8.4.3, it converted the old NAT to the new format for me. The issue comes where we have the same network NAT'd twice. Once, it is NAT'd to another internal interface, and the other time, it is NAT'd to the external interface of the ASA for internet access. Is it possible to have one object network line with the two different NAT statements under it? Or are two objects required?
Here's the code example:
Existing:
object network obj-10.10.0.0
nat (inside,dmz) static 10.10.0.0
object network obj-10.10.0.0-01
nat (inside,outside) dynamic interface
I would like something like this, if possible:
object network obj-10.10.0.0
nat (inside,dmz) static 10.10.0.0
nat (inside,outside) dynamic interface
12-09-2013 09:57 AM
Hi,
You WON'T be able to have multiple "nat" statements under one "object network".
It's one "nat" command per "object".
The bad thing about letting the ASA convert the configuration is that it leaves a lot of useless configuration behind.
For example, your first NAT configuration seems like a Static Identity NAT. Essentially it translates the address to itself between 2 interfaces of the ASA.
object network obj-10.10.0.0
nat (inside,dmz) static 10.10.0.0
In general you won't need such configurations on the new software, as the ASA doesn't require you to have NAT between the interfaces if you don't want to.
Though I can't tell you if you need this NAT configuration, because there might be some other configuration present that would start NATing the source network if this weren't present. A possible scenario might be if you had some kind of Dynamic PAT/NAT between "inside" and "dmz".
If you want to look at some information about the new NAT format then I would suggest having a look at a document I wrote here:
https://supportforums.cisco.com/docs/DOC-31116
There is also a good document comparing the new and old format here:
https://supportforums.cisco.com/docs/DOC-9129
Hope this helps
- Jouni
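As an added example (not part of Jouni's answer or the original configuration), here are the two ways the ASA 8.3+ NAT syntax lets you express "one real network, two different translations", plus the case where the identity rule is actually required. The interface names (inside, dmz, outside) come from the thread; the 255.255.0.0 mask and the DMZ host used for packet-tracer are assumptions, since the thread never states them.

```cisco
! Added example, not from the original post. Mask and DMZ host IP are assumed.
!
! --- Option A: object NAT (auto NAT) ---
! One "nat" line per network object, so the second translation needs a
! second object that covers the same subnet. This is what the 8.4.3
! migration produced for the 5520.
object network obj-10.10.0.0-dmz
 subnet 10.10.0.0 255.255.0.0
 nat (inside,dmz) static 10.10.0.0
object network obj-10.10.0.0-outside
 subnet 10.10.0.0 255.255.0.0
 nat (inside,outside) dynamic interface
!
! --- Option B: manual (twice) NAT ---
! The "nat" command lives in the global config and only references the
! object, so one object can appear in as many rules as needed. Manual NAT
! is section 1 of the NAT table and is matched top-down, first match wins,
! so keep the identity rule for the dmz path ahead of the PAT rule.
object network obj-10.10.0.0
 subnet 10.10.0.0 255.255.0.0
nat (inside,dmz) source static obj-10.10.0.0 obj-10.10.0.0
nat (inside,outside) source dynamic obj-10.10.0.0 interface
!
! --- When the identity rule is NOT optional ---
! If a broader PAT rule uses "any" as the mapped interface, it also matches
! inside-to-dmz traffic and would PAT it to the dmz interface address.
! Only an identity rule placed earlier in section 1 (Option B) or an object
! NAT identity rule on a more specific object (Option A) keeps 10.10.0.0/16
! untranslated toward the dmz:
! nat (inside,any) source dynamic obj-10.10.0.0 interface
!
! --- Verify which rule a flow actually hits (assumed DMZ host 172.16.1.10) ---
! show nat detail
! packet-tracer input inside tcp 10.10.1.10 12345 172.16.1.10 80 detailed
! packet-tracer input inside tcp 10.10.1.10 12345 198.51.100.10 80 detailed
```

Run the two packet-tracer commands after any change: the first should show the identity rule in the NAT phase (source unchanged), the second should show the dynamic PAT to the outside interface address. If the inside-to-dmz trace reports a translation, a broader rule is shadowing the identity rule and the ordering or the interface pair needs fixing before the old object NAT entries are removed.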
12-10-2013 06:37 AM
Thank you Jouni,
I suspected that was the case, but I am trying to keep the config clean. The new NAT methods are so different, I'll read your links and hopefully make sense of it. I believe the two config examples I gave are both necessary. One allows communication to our DMZ, and the other is our Global NAT to the internet from what I understand.
Again, thanks for the info.