nick.chalker
Beginner

Cisco ASA 8.6 Dynamic NAT/PAT Help

Hi,

We have started to use a number of ASA5512x running 8.6(1)2, the general coding seems OK and the systems are running well. I am now trying to mimic the dynamic NAT/PAT configuration from an ASA running 8.2(5).

We use dynamic NAT/PAT for a number of systems that require external access to particular systems using specified ports; the configuration is based on the following:

nat (inside) 1 access-list PAT-LIST

The PAT-LIST acl is then made up of object groups for source, destination and ports.

object-group network pat-dc-web-test-allowed
 network-object host x.x.x.10
 network-object host x.x.x.11
object-group service web-access tcp
 port-object eq www
 port-object eq https
access-list PAT-LIST extended permit tcp object-group pat-dc-web-test-allowed any object-group web-access

This will then permit source systems access to destination systems using the ASA external address

Please could someone point me in the right direction or assist in showing how the above would work in the new NAT style

Thank You

Cheers

Nick

Accepted Solution
Jouni Forss
Mentor

Hi,

You could use this type of configuration:

object-group network SOURCE
 network-object host 10.10.10.10
 network-object host 10.10.10.11
 network-object host 10.10.10.12
 network-object host 10.10.10.13
 network-object host 10.10.10.14
object service WWW
 service tcp destination eq 80
object service HTTPS
 service tcp destination eq 443

nat (inside,outside) source dynamic SOURCE interface service WWW WWW
nat (inside,outside) source dynamic SOURCE interface service HTTPS HTTPS

OR

nat (inside,outside) after-auto source dynamic SOURCE interface service WWW WWW
nat (inside,outside) after-auto source dynamic SOURCE interface service HTTPS HTTPS

Depending on your current NAT configuration, in addition to these you might want to use the first or the second option of NAT configuration type above. The only real difference is in the priority of the NAT configuration.

The first configuration would insert the NAT configurations pretty much at the top of the NAT rules of the ASA. You could also add the number "1" after the ")" mark to add it at the very top.

The second configuration would add the NAT configuration to the very bottom of the NAT rules of your ASA. For example, Network Object NAT could override this configuration.

The NAT configuration currently on your ASA could affect whether the configuration works or not.

Hope this helps

Please do remember to mark the reply as the correct answer if it answered your question.

Ask more if needed

- Jouni


3 REPLIES

Hi Jouni,

Thank you for your prompt response. I will give it a go a bit later and let you know the outcome.

Thank you again

Cheers

Hi,

Thank you, I have now tested your configuration and all appears to work when combining the NAT with interface ACLs defining the destination addresses.

Thank you.
