Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
297
Views
0
Helpful
3
Replies

NAT on 8.3+ question

Go to solution
Colin Higgins
Level 2
Level 2

‎05-13-2013 11:40 AM - edited ‎03-11-2019 06:42 PM

I have an ASA running 8.4 code, and I need to do the following:

Dynamic NAT on the outside interface for

1 subnet

2 different hosts on a different network

So will something like this work?

object network obj-192.168.20.10

host 192.168.20.10

nat (inside,outside) dynamic interface

object network obj-172.25.1.10

host 172.25.1.10

nat (inside,outside) dynamic interface

...

Will this work? If it won't, what will?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni

‎05-13-2013 11:46 AM

Hi,

For smaller/simpler configuration I would suggest the following configurations to handle the complete configuration

object-group network DEFAULT-PAT-SOURCE

network-object

network-object host 192.168.20.10

network-object host 172.25.1.10

nat (inside,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface

Hope this helps

Remember to mark the reply as the correct answer if it answered your question.

Ask more if needed

- Jouni

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni

‎05-13-2013 11:46 AM

Hi,

For smaller/simpler configuration I would suggest the following configurations to handle the complete configuration

object-group network DEFAULT-PAT-SOURCE

network-object

network-object host 192.168.20.10

network-object host 172.25.1.10

nat (inside,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface

Hope this helps

Remember to mark the reply as the correct answer if it answered your question.

Ask more if needed

- Jouni

0 Helpful

Go to solution
Colin Higgins
Level 2
Level 2
In response to Jouni Forss

‎05-13-2013 12:15 PM

That worked! Thanks

haven't seen this "after-auto" option before. Is that new with 8.3+?

0 Helpful

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to Colin Higgins

‎05-13-2013 12:23 PM

Hi,

To give you the short story about the NAT of 8.3+ software versions

  • NAT Configurations are divided in 3 Sections
  • Section 1 holds Manual NAT / Twice NAT format configurations (the above "nat" command format would be WITHOUT "after-auto")
  • Section 2 holds Network Object NAT (the above "nat" command format you mentioned)
  • Section 3 holds Manual NAT / Twice NAT format configuration (the above "nat" command format THAT uses "after-auto")

So Section 1 NAT configurations are configured directly in the global configuration mode with the command "nat"

Section 2 NAT configurations are always under some "object network "

Section 3 NAT configurations are like Section 1 BUT they have been moved at the lowest Section with "after-auto" parameter.

The order of the NAT configurations matched against traffic is gone through from Section 1 to Section 3 until a match is found. In that sense configuring Default PAT in the final Section 3 makes sense since it SHOULDNT be able to override any other NAT configuration.

I would suggest reading a 8.3+ NAT Document I made on the Firewall/Document section. It lists the above and more a lot more clearly described.

https://supportforums.cisco.com/docs/DOC-31116

Than you for marking the reply as the correct answer. Appriciate it

- Jouni

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card