Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
477
Views
0
Helpful
3
Replies

NAT 8.6 multiple subnets in a single static NAT

Go to solution
Andrey Calderon
Level 1
Level 1

‎11-27-2013 07:19 AM - edited ‎03-11-2019 08:10 PM

Hello all, I have this question, probably pretty an easy to answer, but unfortunately I can't test it myself in a production environment right now.

Do you know if is possible to have in ASA 8.6 a Static NAT rule with multiple subnets in both object groups. I currently have one to one subnet translation, but I need to add another two subnets.

Today's configuration is this

*** FROM ONE SUBNET TO ANOTHER ***

object-group network REGIONAL-SOURCE

network-object 10.1.1.0 255.255.255.0

object-group network REGIONAL-NAT

network-object 10.1.201.0 255.255.255.0

nat (Outside,Inside) after-auto source static REGIONAL-SOURCE REGIONAL-NAT dns

What I need to accomplish is add two new subnets, but I want to see if is possible to do it using the same NAT rule, just adding the new 2 subnets.

10.1.2.0/24 natted to 10.1.202.0 255.255.255.0

10.1.3.0/24 natted to 10.1.203.0 255.255.255.0

*** TWO MORE SUBNETS ARE NEEDED ***

object-group network REGIONAL-SOURCE

network-object 10.1.2.0 255.255.255.0

network-object 10.1.3.0 255.255.255.0

object-group network REGIONAL-NAT

network-object 10.1.202.0 255.255.255.0

network-object 10.1.203.0 255.255.255.0

If this is not possible I understand separate objects should be created with individual nat, I appreciate your comments and help.

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni

‎11-27-2013 07:34 AM

Hi,

This should be no problem. It should work as you have thought.

I tested the configurations on my own ASA

object-group network REGIONAL-SOURCE

network-object 10.1.1.0 255.255.255.0

network-object 10.1.2.0 255.255.255.0

network-object 10.1.3.0 255.255.255.0

object-group network REGIONAL-NAT

network-object 10.1.201.0 255.255.255.0

network-object 10.1.202.0 255.255.255.0

network-object 10.1.203.0 255.255.255.0

nat (LAN,WAN) source static REGIONAL-SOURCE REGIONAL-NAT

Here at the results of the "packet-tracer" to show the translations

ASA(config)# packet-tracer input LAN tcp 10.1.1.100 12345 7.7.7.7 80

Phase: 4

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (LAN,WAN) source static REGIONAL-SOURCE REGIONAL-NAT

Additional Information:

Static translate 10.1.1.100/12345 to 10.1.201.100/12345

ASA(config)# packet-tracer input LAN tcp 10.1.2.100 12345 7.7.7.7 80

Phase: 4

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (LAN,WAN) source static REGIONAL-SOURCE REGIONAL-NAT

Additional Information:

Static translate 10.1.2.100/12345 to 10.1.202.100/12345

ASA(config)# packet-tracer input LAN tcp 10.1.3.100 12345 7.7.7.7 80

Phase: 4

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (LAN,WAN) source static REGIONAL-SOURCE REGIONAL-NAT

Additional Information:

Static translate 10.1.3.100/12345 to 10.1.203.100/12345

As you can see, everything is fine

Naturally take into consideration the fact that if you were to (for some reason) remove a "network-object" statement from some "object-group" then the operation of the "nat" would change even if you entered the removed "network-object" back. (unless you removed the last "network-object" inside the "object-group") This is because the order of the "network-object" inside the "object-group" would change. You would essentially have to recreate the "object-group" and "nat" configuration.

Hope this helps

Please do remember to mark a reply as the correct answer if it answered your question.

Feel free to ask more if needed

- Jouni

View solution in original post

0 Helpful

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to Andrey Calderon

‎11-27-2013 07:59 AM

Also,

Just wanted to point out that naturally my "nat" configuration is a bit different. Its a Section 1 Manual NAT while your example is a Section 3 Manual NAT. (Because of the "after-auto" parameter in the command)

So there is a chance that the new source networks being added to the "nat" command through the "object-group" might have some existing "nat" rules that might override this new addition. You can naturally use the "packet-tracer" command to confirm that after the additions everything is matching to the correct "nat" rule. If not then you can naturally move the "nat" rule to a bit higher priority if rest of the configuration permits it.

- Jouni

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni

‎11-27-2013 07:34 AM

Hi,

This should be no problem. It should work as you have thought.

I tested the configurations on my own ASA

object-group network REGIONAL-SOURCE

network-object 10.1.1.0 255.255.255.0

network-object 10.1.2.0 255.255.255.0

network-object 10.1.3.0 255.255.255.0

object-group network REGIONAL-NAT

network-object 10.1.201.0 255.255.255.0

network-object 10.1.202.0 255.255.255.0

network-object 10.1.203.0 255.255.255.0

nat (LAN,WAN) source static REGIONAL-SOURCE REGIONAL-NAT

Here at the results of the "packet-tracer" to show the translations

ASA(config)# packet-tracer input LAN tcp 10.1.1.100 12345 7.7.7.7 80

Phase: 4

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (LAN,WAN) source static REGIONAL-SOURCE REGIONAL-NAT

Additional Information:

Static translate 10.1.1.100/12345 to 10.1.201.100/12345

ASA(config)# packet-tracer input LAN tcp 10.1.2.100 12345 7.7.7.7 80

Phase: 4

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (LAN,WAN) source static REGIONAL-SOURCE REGIONAL-NAT

Additional Information:

Static translate 10.1.2.100/12345 to 10.1.202.100/12345

ASA(config)# packet-tracer input LAN tcp 10.1.3.100 12345 7.7.7.7 80

Phase: 4

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (LAN,WAN) source static REGIONAL-SOURCE REGIONAL-NAT

Additional Information:

Static translate 10.1.3.100/12345 to 10.1.203.100/12345

As you can see, everything is fine

Naturally take into consideration the fact that if you were to (for some reason) remove a "network-object" statement from some "object-group" then the operation of the "nat" would change even if you entered the removed "network-object" back. (unless you removed the last "network-object" inside the "object-group") This is because the order of the "network-object" inside the "object-group" would change. You would essentially have to recreate the "object-group" and "nat" configuration.

Hope this helps

Please do remember to mark a reply as the correct answer if it answered your question.

Feel free to ask more if needed

- Jouni

0 Helpful

Go to solution
Andrey Calderon
Level 1
Level 1
In response to Jouni Forss

‎11-27-2013 07:49 AM

Hi Jouni,

Thank you for your answer, I have a maintainance window next week, I will definitly mark "Correct answer" by next Wednesday if everything work as expected. I much appreciate your help on this matter.

0 Helpful

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to Andrey Calderon

‎11-27-2013 07:59 AM

Also,

Just wanted to point out that naturally my "nat" configuration is a bit different. Its a Section 1 Manual NAT while your example is a Section 3 Manual NAT. (Because of the "after-auto" parameter in the command)

So there is a chance that the new source networks being added to the "nat" command through the "object-group" might have some existing "nat" rules that might override this new addition. You can naturally use the "packet-tracer" command to confirm that after the additions everything is matching to the correct "nat" rule. If not then you can naturally move the "nat" rule to a bit higher priority if rest of the configuration permits it.

- Jouni

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card