09-30-2013 09:16 AM - edited 03-11-2019 07:45 PM
Hello,
Is there any way to setup dynamic nat for an entire group without having to setup dynamic nat for every single network?
For example,
network a: 10.168.32.0/24
network b: 10.184.32.0/24
network c: 10.16.38.0/24
I want to setup dynamic nat for all of these subnets at one time.
Of course I have more than 3, more like 200 of them, so I don't want to have to setup dynamic nat individually.
Thanks,
Dan.
09-30-2013 09:22 AM
Hi,
The actual format and possibilities depends on what software your firewall is running.
On software level 8.2 and below you could do Dynamic PAT for all networks with following configuration
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
I guess if you had more LAN/DMZ interfaces than just the "inside" then you should add a similar "nat" statement for those interfaces too.
With "inside" and "dmz" interfaces the complete configuration could look like this
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
If your software level is 8.3 or above you have a bit more possibilities and you can handle Dynamic PAT for all users in a single command
nat (any,outside) after-auto source dynamic any interface
The above will do Dynamic PAT for users behind "any" interface with "any" source address and will use the "outside" interface as the Dynamic PAT IP address.
I personally tend to specify the networks in the actual NAT configuration rather than allow any source address.
Hope this helps
Please do remember to mark a reply as the correct answer if it answered your question.
Feel free to ask more if needed
- Jouni
09-30-2013 09:30 AM
Version 9.1
Any to outside nat configurations won't work in my case. I am specifying separate external IP addresses for different groups. So I have to specify that somehow, which is why I specify it in the object. It just seems odd that you can create groups, but really you can't do anything with them.
Dan.
09-30-2013 09:49 AM
Hi,
Well if you want to perform Dynamic PAT to different public IP addresses based on source interface for example then you could do it in the following way
object network INSIDE-PAT
host 1.1.1.1
object network DMZ-PAT
host 1.1.1.2
nat (inside,outside) after-auto source dynamic any INSIDE-PAT
nat (dmz,outside) after-auto source dynamic any DMZ-PAT
You could follow the above logic that applies to your network setup.
Of course if you have only one source interface but several different networks or groups of networks that you want to use different PAT IP addresses then you would have to create the source address group for those networks
For example
object network PRODUCTION-PAT
host 1.1.1.1
object network TESTING-PAT
host 1.1.1.2
object-group network PRODUCTION-NETWORKS
network-object 10.10.0.0 255.255.0.0
network-object 10.20.0.0 255.255.0.0
object-group network TESTING-NETWORKS
network-object 10.30.0.0 255.255.0.0
network-object 10.40.0.0 255.255.0.0
nat (inside,outside) after-auto source dynamic PRODUCTION-NETWORKS PRODUCTION-PAT
nat (inside,outside) after-auto source dynamic TESTING-NETWORKS TESTING-PAT
or was it something else that you were after?
- Jouni
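Since the original poster has around 200 subnets to place into groups, the following added example (not from this thread or from Cisco) generates the object-group and after-auto dynamic NAT lines shown in the reply above from a mapping of group name to PAT address and subnet list. The group names, PAT addresses and subnets are constructed sample values; it also refuses overlapping subnets across groups, since overlapping sources would leave rule order deciding which PAT address a host gets.

```python
"""Generate Cisco ASA 8.3+ object-group and dynamic PAT configuration from
a mapping of group name -> (PAT host IP, list of subnets).  Added example."""
import ipaddress

# Constructed sample input (not the poster's real networks); a real run would
# load ~200 subnets from an inventory file.
GROUPS = {
    "PRODUCTION": ("1.1.1.1", ["10.168.32.0/24", "10.184.32.0/24"]),
    "TESTING": ("1.1.1.2", ["10.16.38.0/24"]),
}


def check_no_overlap(groups):
    """Raise ValueError if a subnet in one group overlaps a subnet in another.
    With overlapping sources the order of the nat lines, not the group
    membership, would decide which PAT address a host is translated to."""
    seen = []  # (network, group name)
    for name, (_, subnets) in groups.items():
        for cidr in subnets:
            net = ipaddress.ip_network(cidr, strict=True)  # reject host bits set
            for other, other_name in seen:
                if other_name != name and net.overlaps(other):
                    raise ValueError(f"{net} in {name} overlaps {other} in {other_name}")
            seen.append((net, name))


def render_asa_nat(groups, inside="inside", outside="outside"):
    """Return ASA CLI text: one PAT host object and one network object-group
    per group, then one after-auto dynamic NAT line per group."""
    check_no_overlap(groups)
    lines = []
    for name, (pat_ip, subnets) in groups.items():
        lines += [f"object network {name}-PAT", f" host {pat_ip}"]
        lines.append(f"object-group network {name}-NETWORKS")
        for cidr in subnets:
            net = ipaddress.ip_network(cidr, strict=True)
            # ASA network-object takes address and dotted mask, not CIDR
            lines.append(f" network-object {net.network_address} {net.netmask}")
    for name in groups:
        lines.append(f"nat ({inside},{outside}) after-auto source dynamic "
                     f"{name}-NETWORKS {name}-PAT")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_asa_nat(GROUPS))
```

Review the generated text before pasting it into the ASA, and keep the object-group membership as the single source of truth when subnets are added later.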