Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
775
Views
0
Helpful
2
Replies

nat question ala 8.3 and higher

lcaruso
Level 6
Level 6

‎01-29-2012 04:54 PM - edited ‎03-11-2019 03:20 PM

I'm converting a PIX to an ASA and wasn't able to get the nat as desired. Specifically, I could not get the nat to allow mulitple services for one object, so the alternatives were create multiple objects with the same ip address with slightly diffeent names and nat one service each or use manual nat.

Orignal PIX. We have two hosts using different services on the outside

static (inside,outside) tcp interface www 10.0.0.10 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 10.0.0.10 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 10.0.0.10 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp 10.0.0.250 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp-data 10.0.0.250 ftp-data netmask 255.255.255.255 0 0
static (inside,outside) tcp interface domain 10.0.0.10 domain netmask 255.255.255.255 0 0

I tried creating two server objects and two service groups and doing nat under the objects, and I could not get it to accept a service group in the object nat. And I could not get it to allow multiple nat statements under object nat.

So I ended up doing this which seems more like 8.2x than 8.3ish. What did I miss to leverage 8.3 object capabilities or is this a limitation?

nat (inside,outside) source static srv-01 interface service tcp-3389 tcp-3389
nat (inside,outside) source static srv-01 interface service http http
nat (inside,outside) source static srv-01 interface service smtp smtp
nat (inside,outside) source static srv-01 interface service tcp-domain tcp-domain
nat (inside,outside) source static srv-02 interface service ftp ftp
nat (inside,outside) source static srv-02 interface service ftp-data ftp-data

Thanks.

Labels:
0 Helpful
2 Replies 2

ajay chauhan
Level 7
Level 7

‎01-29-2012 11:26 PM

object network INSIDE_HOST
  host 10.0.0.10
  nat (INSIDE,OUTSIDE) static interface service 80 80

Your configuration should look like this.

More info is here -https://supportforums.cisco.com/docs/DOC-9129

Thanks

Ajay

0 Helpful

lcaruso
Level 6
Level 6
In response to ajay chauhan

‎01-30-2012 05:40 AM

Sorry, I don't see how my requirements are being met by your example, but thanks for the link.

My requirements are multiple protocols; I see this as a limitation of the new nat implementation, which forces you to use objects but does not allow multiple nats per object. so you are forced to do this

object network foo-1

host 10.0.0.10

nat(inside,outside) static interface service 80

object network foo-2

host 10.0.0.10

nat(inside,outside) static interface service ftp

and so on for all of the protocols in my example. IMHO, it the new nat should be able to do this instead

object network foo-1

host 10.0.0.10

nat(inside,outside) static interface service 80

nat(inside,outside) static interface service ftp

and so on

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card