06-26-2013 05:44 AM - edited 03-11-2019 07:03 PM
Hi,
We have started to use a number of ASA5512x running 8.6(1)2, the general coding seems OK and the systems are running well. I am now trying to mimic the dynamic NAT/PAT configuration from an ASA running 8.2(5).
We use dynamic NAT/PAT for a number of systems that require external access to particular systems using specified ports; the configuration is based on the
nat (inside) 1 access-list PAT-LIST
The PAT-LIST acl is then made up of object groups for source, destination and ports.
object-group network pat-dc-web-test-allowed
network-object host x.x.x.10
network-object host x.x.x.11
object-group service web-access tcp
port-object eq www
port-object eq https
access-list PAT-LIST extended permit tcp object-group pat-dc-web-test-allowed any object-group web-access
This will then permit source systems access to destination systems using the ASA external address
Please could someone point me in the right direction or assist in showing how the above would work in the new NAT style
Thank You
Cheers
Nick
06-26-2013 07:28 AM
Hi,
You could use this type of configuration
object-group network SOURCE
network-object host 10.10.10.10
network-object host 10.10.10.11
network-object host 10.10.10.12
network-object host 10.10.10.13
network-object host 10.10.10.14
object service WWW
service tcp destination eq 80
object service HTTPS
service tcp destination eq 443
nat (inside,outside) source dynamic SOURCE interface service WWW WWW
nat (inside,outside) source dynamic SOURCE interface service HTTPS HTTPS
OR
nat (inside,outside) after-auto source dynamic SOURCE interface service WWW WWW
nat (inside,outside) after-auto source dynamic SOURCE interface service HTTPS HTTPS
Depending on your current NAT configuration, you might want to use the first or the second option of NAT configuration type above in addition to these. The only real difference is in the priority of the NAT configuration.
The first configuration would insert the NAT configurations pretty much at the top of the NAT rules of the ASA. You could add the number "1" also after the ")" mark to add it at the very top.
The second configuration would add the NAT configuration to the very bottom of the NAT rules of your ASA. For example Network Object NAT could override this configuration.
The NAT configuration currently on your ASA could affect whether the configuration works or not.
Hope this helps
Please do remember to mark the reply as the correct answer if it answered your question.
Ask more if needed
- Jouni
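The answer above turns on NAT rule precedence: a manual (twice) NAT rule without "after-auto" lands in section 1 and is evaluated before any network object NAT (section 2), whereas an "after-auto" rule lands in section 3 and is only reached if nothing in sections 1 and 2 matched the flow. The following is an added example, not code from the original post or from Cisco: a small Python model of the three-section lookup order, using the SOURCE group and the WWW/HTTPS service objects from the answer, plus a hypothetical network object NAT for the whole 10.10.10.0/24 subnet (named obj-inside-pat here; it is an assumption, not something the thread contains). The intra-section-2 ordering is simplified to "static before dynamic, then fewer real addresses first"; the real ASA also breaks ties by address and object name.

```python
"""Toy model of ASA 8.3+ NAT rule precedence (added example, not Cisco code).

Section 1: manual (twice) NAT, evaluated in configuration order.
Section 2: network object NAT, ordered automatically. Simplified here:
           static before dynamic, then fewer real addresses first.
Section 3: manual NAT with the 'after-auto' keyword, configuration order.
The first matching rule wins; later rules are never consulted.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class NatRule:
    name: str
    section: int                    # 1, 2 or 3 as described above
    real_src: list                  # ip_network objects, i.e. the real (inside) sources
    kind: str = "dynamic"           # 'dynamic' or 'static'
    proto: Optional[str] = None     # None = any protocol
    dst_port: Optional[int] = None  # None = any destination port (no 'service' keyword)
    order: int = 0                  # configuration order within sections 1 and 3

    def matches(self, src: str, proto: str, dport: int) -> bool:
        """True if this rule would translate a flow from src to proto/dport."""
        addr = ipaddress.ip_address(src)
        if not any(addr in net for net in self.real_src):
            return False
        if self.proto is not None and self.proto != proto:
            return False
        if self.dst_port is not None and self.dst_port != dport:
            return False
        return True


def ordered(rules):
    """Return the rules in the order the ASA would consult them."""
    s1 = sorted((r for r in rules if r.section == 1), key=lambda r: r.order)
    s2 = sorted((r for r in rules if r.section == 2),
                key=lambda r: (r.kind != "static",
                               sum(n.num_addresses for n in r.real_src)))
    s3 = sorted((r for r in rules if r.section == 3), key=lambda r: r.order)
    return s1 + s2 + s3


def lookup(rules, src: str, proto: str, dport: int) -> Optional[str]:
    """Name of the first matching NAT rule, or None if the flow is untranslated."""
    for rule in ordered(rules):
        if rule.matches(src, proto, dport):
            return rule.name
    return None


def hosts(*cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]


# The SOURCE object-group from the answer.
SOURCE = hosts("10.10.10.10/32", "10.10.10.11/32", "10.10.10.12/32",
               "10.10.10.13/32", "10.10.10.14/32")

# Hypothetical network object NAT covering the whole inside subnet
# (assumed for illustration; many ASAs carry such a catch-all PAT rule).
OBJ_INSIDE = NatRule("obj-inside-pat", section=2, real_src=hosts("10.10.10.0/24"))


def build(after_auto: bool):
    """Both variants from the answer: section 1 (plain) or section 3 (after-auto)."""
    sec = 3 if after_auto else 1
    return [
        OBJ_INSIDE,
        NatRule("SOURCE-WWW", sec, SOURCE, proto="tcp", dst_port=80, order=1),
        NatRule("SOURCE-HTTPS", sec, SOURCE, proto="tcp", dst_port=443, order=2),
    ]


if __name__ == "__main__":
    for after_auto in (False, True):
        rules = build(after_auto)
        print("after-auto" if after_auto else "section 1",
              "-> tcp/80 from 10.10.10.10 hits:", lookup(rules, "10.10.10.10", "tcp", 80))
```

With the plain "nat (inside,outside) source dynamic ..." form, a flow from 10.10.10.10 to tcp/80 hits SOURCE-WWW; with "after-auto" the same flow is caught by the section 2 object NAT first, which is the override the answer warns about. Note also that on 8.3+ the NAT rule only decides the translation: restricting which destinations those hosts may reach is the job of the inside interface ACL, written against the real (untranslated) addresses, which is what the follow-up in this thread reports doing.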
06-26-2013 07:35 AM
Hi Jouni,
Thank you for your prompt response, I will give it a go a bit later and let you know the outcome.
Thank you again
Cheers
06-28-2013 08:37 AM
Hi,
Thank you, I have now tested your configuration and all appears to work when combining the NAT with interface ACLs defining the destination addresses.
Thank you.