Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2694
Views
0
Helpful
3
Replies

Cisco ASA 8.6 Dynamic NAT/PAT Help

Go to solution
nick.chalker
Level 1
Level 1

‎06-26-2013 05:44 AM - edited ‎03-11-2019 07:03 PM

Hi,

We have started to use a number of ASA5512x running 8.6(1)2, the general coding seems OK and the systems are running well. I am now trying to mimic the dynamic NAT/PAT configuration from an ASA running 8.2(5).

We use dynamic NAT/PAT for a number of systems that require external access to particuar systems using specified ports, the configuration is based on the

nat (inside) 1 access-list PAT-LIST

The PAT-LIST acl is then made up of object groups for source, destination and ports.

object-group network pat-dc-web-test-allowed

network-object host x.x.x.10

network-object host x.x.x.11

object-group service web-access tcp

port-object eq www

port-object eq https

access-list PAT-LIST extended permit tcp object-group pat-dc-web-test-allowed any object-group web-access

This will then permit source systems access to destination systems using the ASA external address

Please could someone point me in the right direction or assist in showing how the above would work in the new NAT style

Thank You

Cheers

Nick

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni

‎06-26-2013 07:28 AM

Hi,

You could use this type of configuration

object-group network SOURCE

network-object host 10.10.10.10

network-object host 10.10.10.11

network-object host 10.10.10.12

network-object host 10.10.10.13

network-object host 10.10.10.14

object service WWW

service tcp destination eq 80

object service HTTPS

service tcp destination eq 443

nat (inside,outside) source dynamic SOURCE interface service WWW WWW

nat (inside,outside) source dynamic SOURCE interface service HTTPS HTTPS

OR

nat (inside,outside) after-auto source dynamic SOURCE interface service WWW WWW

nat (inside,outside) after-auto source dynamic SOURCE interface service HTTPS HTTPS

Depending on your current NAT configurations in addition to these you might want to use first or second option of NAT configuration type above. The only real difference is the in the priority of the NAT configuration.

The first configuration would insert the NAT configurations pretty much at the top of the NAT rules of the ASA. You could add the number "1" also after the ")" mark to add it at the very top.

The second configuration would add the NAT configuration to the very bottom of the NAT rules of your ASA. For example Network Object NAT could override this configuration.

Depending on the NAT configuration currently on your ASA could affect if the configuration works or not.

Hope this helps

Please do remember to mark the reply as the correct answer if it answered your question.

Ask more if needed

- Jouni

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni

‎06-26-2013 07:28 AM

Hi,

You could use this type of configuration

object-group network SOURCE

network-object host 10.10.10.10

network-object host 10.10.10.11

network-object host 10.10.10.12

network-object host 10.10.10.13

network-object host 10.10.10.14

object service WWW

service tcp destination eq 80

object service HTTPS

service tcp destination eq 443

nat (inside,outside) source dynamic SOURCE interface service WWW WWW

nat (inside,outside) source dynamic SOURCE interface service HTTPS HTTPS

OR

nat (inside,outside) after-auto source dynamic SOURCE interface service WWW WWW

nat (inside,outside) after-auto source dynamic SOURCE interface service HTTPS HTTPS

Depending on your current NAT configurations in addition to these you might want to use first or second option of NAT configuration type above. The only real difference is the in the priority of the NAT configuration.

The first configuration would insert the NAT configurations pretty much at the top of the NAT rules of the ASA. You could add the number "1" also after the ")" mark to add it at the very top.

The second configuration would add the NAT configuration to the very bottom of the NAT rules of your ASA. For example Network Object NAT could override this configuration.

Depending on the NAT configuration currently on your ASA could affect if the configuration works or not.

Hope this helps

Please do remember to mark the reply as the correct answer if it answered your question.

Ask more if needed

- Jouni

0 Helpful

Go to solution
nick.chalker
Level 1
Level 1
In response to Jouni Forss

‎06-26-2013 07:35 AM

Hi Jouni,

Thank you for your prompt response, I will give it a go a bit later and let you know the outcome.

Thank you again

Cheers

0 Helpful

Go to solution
nick.chalker
Level 1
Level 1
In response to Jouni Forss

‎06-28-2013 08:37 AM

Hi,

Thank you, I have now tested your configuration and all appears to work when combining the nat with interface ACL's defining the destination addresses.

Thank you.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card