NAT with 8.6(1) ASA5515-X

Phil Williamson
Level 1

I want to NAT only those nets which are deployed as opposed to a 'nat (inside) 1 0 0' as in IOS 8.2 for example.
So I have possibly two choices.
I can create a network object-group with my INSIDE NETS and add to it as I expand the IP usage.
!
object-group network GRP_OBJECT_INSIDE_NETS
network-object 10.16.0.0 255.255.192.0
network-object 10.64.0.0 255.255.240.0
network-object 10.64.64.0 255.255.240.0
network-object 10.64.128.0 255.255.240.0
!
nat (inside,outside) source dynamic GRP_OBJECT_INSIDE_NETS interface
!

Or I can create separate network objects and the associated object NAT for each.
!
object network N_OBJ_10.16.0.0_18
subnet 10.16.0.0 255.255.192.0
object network N_OBJ_10.64.0.0_20
subnet 10.64.0.0 255.255.240.0
object network N_OBJ_10.64.64.0_20
subnet 10.64.64.0 255.255.240.0
object network N_OBJ_10.64.128.0_20
subnet 10.64.128.0 255.255.240.0
!
object network N_OBJ_10.16.0.0_18
nat (inside,outside) dynamic interface
object network N_OBJ_10.64.0.0_20
nat (inside,outside) dynamic interface
object network N_OBJ_10.64.64.0_20
nat (inside,outside) dynamic interface
object network N_OBJ_10.64.128.0_20
nat (inside,outside) dynamic interface
!

The question is which is possibly preferred and why.

The second would create more in-line code than the first, but there have to be other concerns.

Thx

Accepted Solution

Jouni Forss
VIP Alumni

Hi,

I personally always use "object-group" to define the source addresses for the basic PAT/NAT configurations. Pretty much for the reason you have already stated. The NAT configuration is easier to manage and we create a lot less configurations.

Though I would do a minor change to the NAT configuration you mentioned first.

I would add the "after-auto" parameter to the NAT configuration. This would move the NAT rule to Section 3 instead of Section 1 (where it would go without the "after-auto" parameter).

nat (inside,outside) after-auto source dynamic GRP_OBJECT_INSIDE_NETS interface

Being in Section 3 of the NAT rules it would be one of the last NAT rules to be matched against connections coming through the ASA. And I would consider this natural, as we are configuring a Default PAT rule which any connection should hit IF it does not match a more specific rule.

If the NAT configuration you mention was inserted in the format in the original post, it might potentially override any other translations for those "inside" networks towards "outside" networks.

The second way you mention doing the same uses Network Object NAT, which is a Section 2 NAT. I see it used in simple network setups, but personally I would only suggest using it for Static NAT and Static PAT.

The Section 2 Network Object NAT operates a bit like the old NAT format. It gives higher priority to "static" configurations over "dynamic" ones. Within those types it again prefers the more specific rule, i.e. the smaller number of source addresses. In the end it might even match on the basis of how the "object" is named; in other words, it looks at the alphabetical order of the names of the "objects" configured for the NAT.

But as I said before, I prefer to leave Network Object NAT only for Static NAT and Static PAT. Section 1 NAT I use for NAT0 / Identity NAT / Policy NAT / Policy PAT configurations usually. And Section 3 I use for the Default PAT / NAT rules.

If you want to read some more about the subject I could suggest a document I created on the forums.

https://supportforums.cisco.com/docs/DOC-31116

Naturally you can ask more on these forums.

Please remember to rate helpful answers and mark questions as answered if they did.

- Jouni

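To make the ordering in the accepted answer concrete, here is an added model (Python; not code from the thread, the ASA or Cisco) of the lookup order Jouni describes. It also applies the tie-breakers Cisco's NAT documentation gives for Section 2 (fewest real addresses first, then lowest real address, then object name). The static rule N_OBJ_MAIL, the host 10.16.1.25 and the mapped address 203.0.113.25 are constructed for the example; the four inside networks are the ones from the question. Running it shows the shadowing the answer warns about: with the group PAT in Section 1, the mail server's outbound traffic hits the PAT rule and never reaches its static translation; with after-auto the PAT lands in Section 3 and the static rule wins.

```python
"""Model of the ASA 8.3+ NAT lookup order described in the answer above.

Added example; not code from the thread, the ASA, or Cisco. It encodes the
documented evaluation order: Section 1 (manual NAT, config order), Section 2
(object NAT: static before dynamic, then fewest real addresses, then lowest
real address, then object name), Section 3 (manual NAT with after-auto,
config order). Object names and addresses not in the question are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class NatRule:
    name: str                     # object name, or a label for a manual rule
    section: int                  # 1 = manual, 2 = object NAT, 3 = manual after-auto
    real_srcs: Tuple[str, ...]    # real (pre-NAT) source networks, CIDR
    mapped: str                   # mapped address, or "interface" for PAT to the egress IP
    static: bool                  # static NAT/PAT vs dynamic NAT/PAT
    ifaces: Tuple[str, str] = ("inside", "outside")  # (real_ifc, mapped_ifc)
    order: int = 0                # config position; only matters in sections 1 and 3

    @property
    def nets(self) -> List[ipaddress.IPv4Network]:
        return [ipaddress.ip_network(n) for n in self.real_srcs]


def section2_key(r: NatRule):
    """Object NAT is sorted by the ASA, not by config order."""
    total = sum(n.num_addresses for n in r.nets)
    lowest = min(int(n.network_address) for n in r.nets)
    return (0 if r.static else 1, total, lowest, r.name)


def nat_table(rules: List[NatRule]) -> List[NatRule]:
    """Rules in the order the ASA evaluates them for a new connection."""
    s1 = sorted((r for r in rules if r.section == 1), key=lambda r: r.order)
    s2 = sorted((r for r in rules if r.section == 2), key=section2_key)
    s3 = sorted((r for r in rules if r.section == 3), key=lambda r: r.order)
    return s1 + s2 + s3


def lookup(rules, src_ip, real_ifc="inside", mapped_ifc="outside") -> Optional[NatRule]:
    """First match wins; later rules covering the same source are never reached."""
    ip = ipaddress.ip_address(src_ip)
    for r in nat_table(rules):
        if r.ifaces == (real_ifc, mapped_ifc) and any(ip in n for n in r.nets):
            return r
    return None


# The poster's four inside networks, plus a constructed static NAT for one
# server inside 10.16.0.0/18 (203.0.113.25 is a documentation-range address).
INSIDE_NETS = ("10.16.0.0/18", "10.64.0.0/20", "10.64.64.0/20", "10.64.128.0/20")
MAIL_STATIC = NatRule("N_OBJ_MAIL", 2, ("10.16.1.25/32",), "203.0.113.25", static=True)


def default_pat(after_auto: bool) -> NatRule:
    """The object-group PAT from the question: Section 1, or Section 3 with after-auto."""
    return NatRule("GRP_OBJECT_INSIDE_NETS", 3 if after_auto else 1,
                   INSIDE_NETS, "interface", static=False, order=1)


def mail_server_rule(after_auto: bool) -> str:
    """Which rule translates the mail server's own outbound connections."""
    hit = lookup([MAIL_STATIC, default_pat(after_auto)], "10.16.1.25")
    return hit.name if hit else "no-match"


def object_nat_order() -> List[str]:
    """Evaluation order of the four per-object dynamic rules from the question."""
    rules = [NatRule(f"N_OBJ_{n.split('/')[0]}_{n.split('/')[1]}", 2, (n,),
                     "interface", static=False) for n in INSIDE_NETS]
    return [r.name for r in nat_table(rules)]


if __name__ == "__main__":
    print("without after-auto:", mail_server_rule(False))  # GRP_OBJECT_INSIDE_NETS (static is shadowed)
    print("with after-auto:   ", mail_server_rule(True))   # N_OBJ_MAIL
    print("object NAT order:  ", object_nat_order())       # the three /20s first, then the /18
```

On a real ASA the same check is `show nat`, which lists the three sections in evaluation order, and `packet-tracer input inside tcp 10.16.1.25 1025 198.51.100.10 25` (198.51.100.10 being a constructed destination), which shows exactly which NAT rule a given flow hits; run both after moving the default PAT between Section 1 and Section 3.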


Jouni,

Thanks for the quick in-depth answer to my post. It was just what I was looking for.

I have seen your document in the past and have recommended it to my peers.

I'll review it again before proceeding.

Thx,

-Phil
