02-18-2013 10:47 AM - edited 03-11-2019 06:02 PM
Hello,
I have currently upgraded to version 8.4(3) on my ASA and want to configure NAT. I have some internal networks: 192.168.85.0/24, 192.168.81.0/24 and 192.168.91.0/24. I want these networks to be NATted to the single IP 172.25.16.10 for destinations 10.110.30.0/24 and 10.110.31.0/24. Could anyone share the command config?
02-18-2013 11:08 AM
Hi,
The configuration should be something like this
object-group network SOURCE-NETWORKS
 network-object 192.168.85.0 255.255.255.0
 network-object 192.168.81.0 255.255.255.0
 network-object 192.168.91.0 255.255.255.0

object-group network DESTINATION-NETWORKS
 network-object 10.110.30.0 255.255.255.0
 network-object 10.110.31.0 255.255.255.0

object network PAT-IP-ADDRESS
 host 172.25.16.10

nat (inside,outside) source dynamic SOURCE-NETWORKS PAT-IP-ADDRESS destination static DESTINATION-NETWORKS DESTINATION-NETWORKS
Where
Names of the "object-group" or "object network" can be anything you see fit.
Hopefully the information was helpful.
- Jouni
02-18-2013 11:18 AM
Thanks a lot, Jouni. Could you help me with another query that is not related to it?
I have the below config from ASA 8.2(5). As I am running 8.4(3), I want the below config of 8.2(5) converted to 8.4(3). That would really be appreciated.
access-list www extended permit tcp host 10.110.120.20 any eq www
access-list www extended permit tcp host 10.110.120.20 any eq https
access-list www extended permit tcp host 10.110.120.32 any eq www
access-list www extended permit tcp host 10.110.120.32 any eq https
nat (inside) 2 access-list www
global (outside) 2 141.15.114.93 netmask 255.255.255.255
02-18-2013 11:41 AM
Hi,
Configuration for that should be
object-group network SOURCE-HOSTS
 network-object host 10.110.120.20
 network-object host 10.110.120.32

object service SERVICE-WWW
 service tcp destination eq www

object service SERVICE-HTTPS
 service tcp destination eq https

object network PAT-ADDRESS
 host 141.15.114.93

nat (inside,outside) source dynamic SOURCE-HOSTS PAT-ADDRESS service SERVICE-WWW SERVICE-WWW
nat (inside,outside) source dynamic SOURCE-HOSTS PAT-ADDRESS service SERVICE-HTTPS SERVICE-HTTPS
Where
I tested this on my home ASA (with different public IP addresses of course) but it seemed to work just fine.
Please remember to rate all helpful answers and mark the question as answered if it answered your question.
Or ask more if needed.
- Jouni
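An added example, not part of the original thread and not Cisco tooling: a small Python converter for the exact 8.2(5) policy-PAT shape asked about above, emitting 8.4-style objects and twice-NAT lines of the same form as the answer. The function name and the generated object names (WWW-HOSTS, PAT-2, SERVICE-*) are assumptions chosen here; it rejects an ACL that is not a full host/port cross product, because grouping hosts and services would then translate more traffic than the original ACL did.

```python
import re
from itertools import product
# Constructed input: the 8.2(5) lines quoted in the question above.
OLD_CONFIG = """\
access-list www extended permit tcp host 10.110.120.20 any eq www
access-list www extended permit tcp host 10.110.120.20 any eq https
access-list www extended permit tcp host 10.110.120.32 any eq www
access-list www extended permit tcp host 10.110.120.32 any eq https
nat (inside) 2 access-list www
global (outside) 2 141.15.114.93 netmask 255.255.255.255
"""

ACE = re.compile(r"access-list (\S+) extended permit tcp host (\S+) any eq (\S+)$")
NAT = re.compile(r"nat \((\S+)\) (\d+) access-list (\S+)$")
POOL = re.compile(r"global \((\S+)\) (\d+) (\S+) netmask 255\.255\.255\.255$")

def convert(old_config):
    """Rewrite 8.2 policy PAT as 8.3+ twice NAT. Handles only the shape on this
    page (tcp, host source, destination any, one-address pool); any other line
    raises instead of being silently dropped. Object names are arbitrary."""
    aces, nats, pools = {}, [], {}
    for line in filter(None, map(str.strip, old_config.splitlines())):
        if m := ACE.match(line):
            aces.setdefault(m[1], []).append((m[2], m[3]))  # acl -> (host, port)
        elif m := NAT.match(line):
            nats.append(m.groups())                         # (real_if, id, acl)
        elif m := POOL.match(line):
            pools[m[2]] = (m[1], m[3])                      # id -> (mapped_if, addr)
        else:
            raise ValueError(f"unsupported line: {line}")
    out = []
    for real_if, nat_id, acl in nats:
        mapped_if, addr = pools[nat_id]
        pairs = aces[acl]
        hosts = list(dict.fromkeys(h for h, _ in pairs))
        ports = list(dict.fromkeys(p for _, p in pairs))
        # One source group x N services equals the ACL only when the ACL is the
        # full host/port cross product; otherwise the new rules would widen it.
        if set(pairs) != set(product(hosts, ports)):
            raise ValueError(f"ACL {acl} is not a full host x port product")
        grp, pat = f"{acl.upper()}-HOSTS", f"PAT-{nat_id}"
        out += [f"object-group network {grp}"] + [f" network-object host {h}" for h in hosts]
        out += [f"object network {pat}", f" host {addr}"]
        for p in ports:
            svc = f"SERVICE-{p.upper()}"
            out += [f"object service {svc}", f" service tcp destination eq {p}",
                    f"nat ({real_if},{mapped_if}) source dynamic {grp} {pat} service {svc} {svc}"]
    return "\n".join(out)
```

Calling `print(convert(OLD_CONFIG))` prints the generated configuration for review before it is pasted into a device.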
02-19-2013 03:24 AM
Thanks Jouni...
I have a question about the destination. As per your config, the source address is getting PAT, but there is no config for destination "any". Does it automatically assume destination any if we don't mention it?
02-19-2013 03:33 AM
Hi,
To my understanding this is the case.
Notice though that we use the interface "outside" as the destination interface at the start of the NAT configuration. This, for its part, limits the destination networks.
ASA software versions all the way from 8.3(1) to 8.4(5) have gone through changes to how NAT handles these things. I always seem to forget these things and need to refresh information.
- Jouni
02-19-2013 03:44 AM
Thanks Jouni, it's really appreciated.