06-24-2011 10:02 PM - edited 03-11-2019 01:50 PM
Can anyone help me with the NAT command on 8.4? I am trying to PAT multiple Inside subnets to an IP address. With the example I found I can only PAT one subnet. If I do it the way I have below, it will end up with only the last subnet (3.3.3.0) staying in the config. What is the best way of doing it? I have about 20 inside subnets I need to PAT.
object network obj-Inside-sub1
subnet 1.1.1.0 255.255.255.0
subnet 2.2.2.0 255.255.0.0
subnet 3.3.3.0 255.255.0.0
nat (inside,outside) dynamic 199.246.5.2
Thanks for the help
06-24-2011 10:57 PM
The config would look something like this:
object-group network all_subnets
network-object 1.1.1.0 255.255.255.0
network-object 2.2.2.0 255.255.0.0
network-object 3.3.3.0 255.255.0.0
object network patted_ip
host 199.246.5.2
nat (inside,outside) source dynamic all_subnets patted_ip
And it should work for all the subnets.
Hope this helps you
Thanks,
Varun
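An added example, not part of the thread or any Cisco tool: a small Python helper that renders the Manual (Twice) NAT config above for any number of inside subnets (the poster has about 20) and then checks that every name on a "nat ... source" line is actually defined by an "object network" or "object-group network" statement, which is the kind of mismatch (all_subnets vs all_subnet) that is easy to introduce when typing the config by hand. The sample subnets and the reference config are constructed here; the object and group names are the ones used in the answer.

```python
import ipaddress
import re

# Constructed sample input: 1.1.1.0/24 is from the thread, the rest are made up.
INSIDE_SUBNETS = ["1.1.1.0/24", "10.20.0.0/16", "172.16.5.0/24"]
PAT_ADDRESS = "199.246.5.2"  # PAT address used in the thread


def render_manual_nat(subnets, pat_ip, group="all_subnets", host_obj="patted_ip"):
    """Render the Manual NAT config from the answer for any number of subnets."""
    lines = [f"object-group network {group}"]
    for cidr in subnets:
        # strict=True: a mask that does not align with the address raises
        # ValueError here instead of reaching the firewall.
        net = ipaddress.ip_network(cidr, strict=True)
        lines.append(f" network-object {net.network_address} {net.netmask}")
    lines += [
        f"object network {host_obj}",
        f" host {ipaddress.ip_address(pat_ip)}",
        f"nat (inside,outside) source dynamic {group} {host_obj}",
    ]
    return lines


NAT_RE = re.compile(r"^nat \(\S+,\S+\) source (?:static|dynamic) (\S+) (\S+)", re.I)
DEF_RE = re.compile(r"^object(?:-group)? network (\S+)", re.I)


def undefined_nat_references(config_lines):
    """Return names used on 'nat ... source' lines that no object/object-group defines."""
    defined = {m.group(1) for line in config_lines if (m := DEF_RE.match(line.strip()))}
    missing = []
    for line in config_lines:
        m = NAT_RE.match(line.strip())
        if not m:
            continue
        for name in m.groups():
            # 'any' is a keyword, not an object name
            if name != "any" and name not in defined and name not in missing:
                missing.append(name)
    return missing


# Constructed reference config mirroring the answer as posted (group name typo included).
POSTED_CONFIG = """object-group network all_subnets
 network-object 1.1.1.0 255.255.255.0
 network-object 2.2.2.0 255.255.0.0
 network-object 3.3.3.0 255.255.0.0
object network patted_ip
 host 199.246.5.2
Nat (inside,outside) source dynamic all_subnet patted_ip""".splitlines()

if __name__ == "__main__":
    print(undefined_nat_references(POSTED_CONFIG))  # ['all_subnet']
    print("\n".join(render_manual_nat(INSIDE_SUBNETS, PAT_ADDRESS)))
```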
06-24-2011 10:52 PM
Hey Joe,
What you see is the correct behavior, because for multiple subnets you need to use an object-group, which includes all three subnets.
Thanks,
Varun
06-25-2011 04:01 PM
Thanks Varun, the command works. Now I am a bit confused with the command. Would you be able to point out why we do it this way?
When I put in the NAT any command like this:
object network obj_any
subnet 0.0.0.0 0.0.0.0
nat (inside,outside) dynamic 199.246.5.1
It will give me something like this in show run.
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj_any
nat (inside,outside) dynamic 199.246.5.1
When I put in the command you provided for NATing the specific inside subnets it doesn't turn out the same way as above. Show run only shows me this line by itself.
Nat (inside,outside) source dynamic all_subnet patted_ip
Looks like the source keyword made a difference. I did see some examples use the source keyword to NAT everything to outside. Which is a cleaner way of doing things?
06-25-2011 05:28 PM
Hi Joe.
There are two different types of NAT in 8.4, Manual NAT (Twice NAT) and Auto NAT (Object NAT); the one that you were doing earlier was Auto NAT (Object NAT) and the configuration that I gave you was for Manual NAT. There is no such difference, just what you are comfortable with. Manual NAT always takes precedence over Auto NAT. Here is a doc, kindly go through it:
http://www.cisco.com/en/US/customer/docs/security/asa/asa84/configuration/guide/nat_objects.html
Hope this helps you.
Thanks,
Varun
06-28-2011 09:10 PM
Thanks for clarifying.
08-25-2016 07:22 AM
It worked for me as well.
Thanks