02-27-2015 12:04 AM - edited 03-11-2019 10:34 PM
Hello,
I am looking for an example that allows only some of the IPs belonging to INSIDE to access the Internet using the PAT method.
With reference to URL
http://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/nat_objects.html#pgfId-1455942
It is talking about the whole 192.168.2.0/24 subnet.
-------
The following example configures dynamic PAT that hides the 192.168.2.0 network behind the outside interface address:
02-27-2015 12:13 AM
Hi,
You might be better off limiting the mentioned hosts from connecting to the Internet in the interface ACL rather than making a special NAT configuration that determines if a host can connect to the Internet.
If you want to control which host gets NATed, then you could use the Manual NAT / Twice NAT configuration instead of the above Auto NAT / Network Object NAT.
An example could look something like this:
object-group network PAT-SOURCE-HOSTS
 network-object host <host1 ip>
 network-object host <host2 ip>
 network-object host <host3 ip>
nat (inside,outside) after-auto source dynamic PAT-SOURCE-HOSTS interface
You can then add the addresses directly under the "object-group" or remove them when needed.
You could naturally use small subnets instead of the host addresses in the above example if all the users are from a certain range of the subnet you mentioned. You will also have to make sure that there is no other NAT configuration on your ASA that would apply to the users.
The above Manual NAT / Twice NAT is at the lowest Section 3 (priority of NAT configuration) because it has "after-auto" as a part of the "nat" command.
Hope this helps :)
- Jouni
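As an added illustration (not part of the original thread or Jouni's post), here is a fuller ASA configuration in the style he describes, together with the interface-ACL alternative he recommends and the commands used to verify which NAT rule a host actually hits. The host addresses, the /26 range, the object-group name and the ACL name are constructed for the example; the destination 198.51.100.1 is a documentation address.

```text
! Added example, not from the thread. Hosts, ranges and names are constructed.
!
! 1. Group the inside hosts that are allowed to use PAT. Members can be
!    single hosts or small subnets carved out of 192.168.2.0/24.
object-group network PAT-SOURCE-HOSTS
 network-object host 192.168.2.10
 network-object host 192.168.2.11
 network-object 192.168.2.64 255.255.255.192
!
! 2. Manual / Twice NAT placed in Section 3 by "after-auto": only members of
!    the group are translated to the outside interface address. An inside
!    host outside the group matches no NAT rule and is not translated, so
!    it cannot reach the Internet through this firewall.
nat (inside,outside) after-auto source dynamic PAT-SOURCE-HOSTS interface
!
! 3. Alternative Jouni prefers: keep NAT simple and enforce who may leave
!    in the inside interface ACL. The implicit deny at the end of the ACL
!    drops traffic from every host not in the group.
access-list INSIDE-IN extended permit ip object-group PAT-SOURCE-HOSTS any
access-group INSIDE-IN in interface inside
!
! 4. Verify: list all NAT rules with hit counts, then trace one allowed and
!    one non-member host towards an outside address on TCP/80.
show nat detail
packet-tracer input inside tcp 192.168.2.10 12345 198.51.100.1 80
packet-tracer input inside tcp 192.168.2.200 12345 198.51.100.1 80
```

Steps 2 and 3 are the two approaches from the post, shown side by side; use one or the other. If you choose the ACL route alone, keep the whole-subnet dynamic PAT from the Cisco guide the question quotes and let the ACL do the filtering. In the packet-tracer output, the "NAT" phase shows exactly which nat statement matched (or none), which is the quickest way to confirm that no other NAT rule on the ASA is catching the same hosts first.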