Solved: Re: Cisco ASA + NAT Configuration

RS19 · ‎03-31-2020

I have Cisco ASA & below is the sequence of existing NAT.

nat(inside,outside) source 1.1.1.1 2.2.2.1
nat(inside,outside) source 1.1.1.2 2.2.2.2
nat(inside,outside) source 1.1.1.3 2.2.2.3
nat(inside,outside) source 1.1.1.4 2.2.2.4
nat(inside,outside) source dynamic any pat-ppol test-pool flat

I want to add the below NAT above the dymanic NAT configuration. How to do it ?

nat(inside,outside) source 1.1.1.5 2.2.2.5

If the above NAT is added below the dynamic NAT it will not be effective. Let me know how to do it.

Francesco Molino · ‎03-31-2020

Yes i tested it.
You can download asav and test it.
Don't know which version of asa you're running but even if you take an asav with a more recent version, nat is still the same configuration. This means you can put your config and test it before doing it into production.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

View solution in original post

Francesco Molino · ‎03-31-2020

Hi

your nat is missing the static keyword after source but I believe it's a copy/paste issue.

Anyways, if you do show nat, you will see a number before each nat.

ciscoasa# sh nat
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static 1.1.1.1 2.2.2.1
    translate_hits = 0, untranslate_hits = 0
2 (inside) to (outside) source static 1.1.1.2 2.2.2.2
    translate_hits = 0, untranslate_hits = 0
3 (inside) to (outside) source static 1.1.1.3 2.2.2.3
    translate_hits = 0, untranslate_hits = 0
4 (inside) to (outside) source static 1.1.1.4 2.2.2.4
    translate_hits = 0, untranslate_hits = 0

So if you want to add your other nat, just run the command:

nat (inside,outside) 5 source static 1.1.1.5 2.2.2.5

In my example, I assumed you have only 4 nats which means the next one is going to be 5, that's why you see 5 before the source keyword.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

RS19 · ‎03-31-2020

Thanks. Got it. It was typo mistake.

Will check the out of show nat to check the sequence number.

RS19 · ‎03-31-2020

I checked the show NAT & below is the existing sequence.

nat(inside,outside) source static 1.1.1.4 2.2.2.4 - Sequence 4
nat(inside,outside) source dynamic any pat-ppol test-pool flat - Sequence 5

So in this case how can i add it ?

Francesco Molino · ‎03-31-2020

Keep the sequence 5 and it will move the actual 5 to position 6 and insert the new one on position 5.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

RS19 · ‎03-31-2020

Thanks.

So i need to add only the below command.

nat (inside,outside) 5 source static 1.1.1.5 2.2.2.5

Automatically the below NAT will take sequence no 6

nat(inside,outside) source dynamic any pat-ppol test-pool flat

Let me know if my understanding is right.

If the above is right, could you please share Cisco article which explain this

Francesco Molino · ‎03-31-2020

Yes you're understanding is correct.
There are multiple Documentation on Cisco website you can refer to for nat configuration.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

RS19 · ‎03-31-2020

Thanks. I don't have test environment to test it before configuring it in production.

So clarifying it.

Just confirming have you tested this any time in past or your in lab environment.

Francesco Molino · ‎03-31-2020

Yes i tested it.
You can download asav and test it.
Don't know which version of asa you're running but even if you take an asav with a more recent version, nat is still the same configuration. This means you can put your config and test it before doing it into production.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question