Cisco ASA both NAT and PAT

nlg-networks123 · ‎04-11-2019

Hi experts.

I have a Cisco ASA 5515 where we have several static NAT's, some from the DMZ to outside, and some from inside to outside.

I have a requirement to configure PAT for some inside to outside traffic, however I am nervous of affecting the existing 1-1 NATs.

Using the ASDM I can select the source address range, however for the destination I find the ASA will not accept the object as an FQDN, it needs to be a specified address range.

Also of note is proxy-arp is enabled which I understand is helpful for the NAT function?

Hoping for some good general advice - I don't have a test environment so am a little nervous!

With regards

Dave

balaji.bandi · ‎04-11-2019

that is normal in most of the FW config, that is standard every organization.

We need to only need to look place the Right NAT Rule in right order with out breaking the live system.

So suggest to post the config, and explain the goal of the IP you like to PAT. so we can look and suggest best we can.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Sheraz.Salim · ‎04-11-2019

use the section 3 of the NAT.

it would be some thing like this.

object network INSIDE

subnet 192.168.1.0 255.255.255.0

nat (inside,outside) after-auto source dynamic any interface

please do not forget to rate.

GRANT3779 · ‎04-11-2019

If you wanted to get a clear understanding on the order of NATs for ASA there is a great document that can be found here that will hopefully answer any queries you have. It was put together by @Jouni Forss and will help visualise the NAT types and order they are processed etc. It is very good.

https://community.cisco.com/t5/security-documents/asa-nat-8-3-nat-operation-and-configuration-format-cli/ta-p/3143050