cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1502
Views
2
Helpful
17
Replies

NAT for multiple internal subnets

kacper25711
Level 1
Level 1

Hello, would anyone be able to explain me how to configure NAT for multiple internal subnets on a 5505 firewall?
I have 6 subnets 192.168.2.0, .10.0, .20.0, .30.0, .40.0 and .50.0. 
It's configured like this for all 6 subnets, but the address translationonly only works for the 192.168.2.0 subnet for some reason:

kacper25711_1-1703815809885.png

I don't know why, object-group network doesn't work here.

the topology looks more less like this at the moment, maybe it would be easier to configure if firewall device was connected straight to the internal router? If yes, how should I configure it?

kacper25711_2-1703816011171.png

 

 

 

1 Accepted Solution

Accepted Solutions
17 Replies 17

balaji.bandi
Hall of Fame
Hall of Fame

try below example : ( all more subnet to object group)

object-group network all_subnets
network-object 192.168.0.0 255.255.255.0
network-object 10.10.10.0 255.255.255.0
nat (inside,outside) source dynamic interface

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

I get this problem here:

kacper25711_0-1703863915285.png

can only set a group of tcp/upd ports/services, not a subnet

Friend there is

Object-group and object-network

Use object-network 

MHM

it's an unrecognized command

kacper25711_0-1703865314355.png

 

Object  network 

without - inbetween 

MHM

yes, but there I can only set 1 subnet for 1 object, right?
I created objects for all 6 subnets, but it only works for the 192.168.2.0 subnet.

Object network vlan1

Subnet x.x.x.x

Object network vlan2 

subnet y.y.y.y

Then  finally 

Object-group allVLAN

Object vlan1

Object vlan2 

Then you use this object-group in NAT or ACL

MHM

well it still doesn't allow me to create an object-group:

kacper25711_0-1703871562967.png

I can only create a object-group service.

Could this be a CPT limitation?

That can be let me check when I retrun home

MHM

Until that time we can use this workaround for dynamic NAT

Object  network allVLAN 

Subnet 0.0.0.0

Then use it in NAT' this will include all your vlan subnet.

Goodluck 

MHM

somehow having object network allvlan with subnet 0.0.0.0 doesn't help.
still the address of the other subnets is not translated. Only the address of the devices in 192.168.2.0 is translated.

How you know the NAT is not working?

MHM

The source IP isn't changed from the internal IP address to firewall's public IP.

kacper25711_2-1703881034723.png

below as you can see a sent packet from the 192.168.2.0 network and the source address is translated:

kacper25711_3-1703881118774.png

 

 

 

 

 

same as My PKT it limitation then 

Screenshot (637).png

Review Cisco Networking for a $25 gift card