Solved: NAT for multiple internal subnets

kacper25711 · ‎12-28-2023

Hello, would anyone be able to explain me how to configure NAT for multiple internal subnets on a 5505 firewall?
I have 6 subnets 192.168.2.0, .10.0, .20.0, .30.0, .40.0 and .50.0.
It's configured like this for all 6 subnets, but the address translationonly only works for the 192.168.2.0 subnet for some reason:

I don't know why, object-group network doesn't work here.

the topology looks more less like this at the moment, maybe it would be easier to configure if firewall device was connected straight to the internal router? If yes, how should I configure it?

MHM Cisco World · ‎12-29-2023

same as My PKT it limitation then

View solution in original post

balaji.bandi · ‎12-29-2023

try below example : ( all more subnet to object group)

object-group network all_subnets
network-object 192.168.0.0 255.255.255.0
network-object 10.10.10.0 255.255.255.0
nat (inside,outside) source dynamic interface

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

kacper25711 · ‎12-29-2023

I get this problem here:

can only set a group of tcp/upd ports/services, not a subnet

MHM Cisco World · ‎12-29-2023

Friend there is

Object-group and object-network

Use object-network

MHM

kacper25711 · ‎12-29-2023

it's an unrecognized command

MHM Cisco World · ‎12-29-2023

Object network

without - inbetween

MHM

kacper25711 · ‎12-29-2023

yes, but there I can only set 1 subnet for 1 object, right?
I created objects for all 6 subnets, but it only works for the 192.168.2.0 subnet.

MHM Cisco World · ‎12-29-2023

Object network vlan1

Subnet x.x.x.x

Object network vlan2

subnet y.y.y.y

Then finally

Object-group allVLAN

Object vlan1

Object vlan2

Then you use this object-group in NAT or ACL

MHM

kacper25711 · ‎12-29-2023

well it still doesn't allow me to create an object-group:

I can only create a object-group service.

Could this be a CPT limitation?

MHM Cisco World · ‎12-29-2023

That can be let me check when I retrun home

MHM

MHM Cisco World · ‎12-29-2023

Until that time we can use this workaround for dynamic NAT

Object network allVLAN

Subnet 0.0.0.0

Then use it in NAT' this will include all your vlan subnet.

Goodluck

MHM

kacper25711 · ‎12-29-2023

somehow having object network allvlan with subnet 0.0.0.0 doesn't help.
still the address of the other subnets is not translated. Only the address of the devices in 192.168.2.0 is translated.

MHM Cisco World · ‎12-29-2023

How you know the NAT is not working?

MHM

kacper25711 · ‎12-29-2023

The source IP isn't changed from the internal IP address to firewall's public IP.

below as you can see a sent packet from the 192.168.2.0 network and the source address is translated:

MHM Cisco World · ‎12-29-2023

same as My PKT it limitation then