05-13-2013 11:40 AM - edited 03-11-2019 06:42 PM
I have an ASA running 8.4 code, and I need to do the following:
Dynamic NAT on the outside interface for
1 subnet
2 different hosts on a different network
So will something like this work?
object network obj-192.168.20.10
 host 192.168.20.10
 nat (inside,outside) dynamic interface
object network obj-172.25.1.10
 host 172.25.1.10
 nat (inside,outside) dynamic interface
...
Will this work? If it won't, what will?
05-13-2013 11:46 AM
Hi,
For smaller/simpler configuration I would suggest the following configurations to handle the complete configuration
object-group network DEFAULT-PAT-SOURCE
 network-object
 network-object host 192.168.20.10
 network-object host 172.25.1.10
nat (inside,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface
Hope this helps
Remember to mark the reply as the correct answer if it answered your question.
Ask more if needed
- Jouni
05-13-2013 12:15 PM
That worked! Thanks
Haven't seen this "after-auto" option before. Is that new with 8.3+?
05-13-2013 12:23 PM
Hi,
To give you the short story about the NAT of 8.3+ software versions
So Section 1 NAT configurations are configured directly in the global configuration mode with the command "nat"
Section 2 NAT configurations are always under some "object network
Section 3 NAT configurations are like Section 1 BUT they have been moved at the lowest Section with "after-auto" parameter.
The order of the NAT configurations matched against traffic is gone through from Section 1 to Section 3 until a match is found. In that sense configuring Default PAT in the final Section 3 makes sense since it SHOULDN'T be able to override any other NAT configuration.
I would suggest reading an 8.3+ NAT Document I made on the Firewall/Document section. It lists the above and more a lot more clearly described.
https://supportforums.cisco.com/docs/DOC-31116
Thank you for marking the reply as the correct answer. Appreciate it
- Jouni
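The section ordering described in the reply above, as an added example that is not part of the thread or of Cisco's code: a small Python model that sorts `nat` lines into Sections 1 to 3 and returns the first rule matching a source address. The static rule, the 203.0.113.10 address and the function names are constructed for illustration; only `host` members are resolved, and rules inside one section keep their configuration order, which is a simplification.

```python
import re

# Constructed sample: the thread's Section 3 default PAT is listed first,
# followed by a hypothetical Section 2 static rule for one of the same hosts.
SAMPLE_CONFIG = """\
object-group network DEFAULT-PAT-SOURCE
 network-object host 192.168.20.10
 network-object host 172.25.1.10
nat (inside,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface
object network obj-192.168.20.10
 host 192.168.20.10
 nat (inside,outside) static 203.0.113.10
"""

def parse_nat(config):
    """Return (rules, members); rules are (section, source_name, line) in match order."""
    rules, members, current = [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):        # a top-level command leaves any sub-mode
            current = None
        m = re.match(r"object(-group)? network (\S+)$", line)
        if m:
            current = m.group(2)
            members.setdefault(current, set())
        elif current and (h := re.match(r"(?:network-object )?host (\S+)$", line)):
            members[current].add(h.group(1))
        elif line.startswith("nat "):
            if current:                    # nat under "object network" -> Section 2
                rules.append((2, current, line))
                continue
            src = re.search(r"source (?:static|dynamic) (\S+)", line)
            if src:                        # global nat -> Section 1, or 3 with after-auto
                section = 3 if " after-auto " in line else 1
                rules.append((section, src.group(1), line))
    # sorted() is stable: rules keep their config order inside each section
    return sorted(rules, key=lambda r: r[0]), members

def first_match(config, src_ip):
    """Return (section, nat_line) of the first rule whose source contains src_ip."""
    rules, members = parse_nat(config)
    for section, name, line in rules:
        if src_ip in members.get(name, ()):
            return section, line
    return None

if __name__ == "__main__":
    for ip in ("192.168.20.10", "172.25.1.10"):
        print(ip, "->", first_match(SAMPLE_CONFIG, ip))
```

Although the `after-auto` rule appears first in the sample, 192.168.20.10 is translated by the Section 2 static rule and only 172.25.1.10 falls through to the default PAT.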