Hi Mohammad,

According to your config source ip 192.168.183.202 is not natting with 61.144.128.140, but it is being destined to 61.144.128.140.

As per my config, source 192.168.183.202 destined to any should be natted with 61.144.128.140.

The nat rule itself should look like this (using objects, Mohammed provided):

nat (inside,outside) source dynamic obj-192.168.183.202 obj-61.144.128.140 pat-pool POOL service obj-tcp-eq-80 obj-tcp-eq-80

object network POOL

host  61.144.128.140

Hi Andrew

Yes, there should be Dynamic NAT as per your config but have still confusion about command "pat-pool POOL". what its does? Does it use here for destination "any".

Yes, it does.

Thanks Andrew for helping me out..

Could you also tell about below NATexempt commands, means difference b/w them.

nat (inside,any) source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-192.168.0.0 obj-192.168.0.0 no-proxy-arp

nat (DMZ,outside) source static obj-192.168.159.0 obj-192.168.159.0 destination static obj-192.168.0.0 obj-192.168.0.0 no-proxy-arp route-lookup

Both NAT command are using here for NAT exemption but why there is "nat (inside,any)" and "nat (DMZ,outside)". Why there is not like same i.e.nat (DMZ,any) like as nat (inside,any)". or nat (inside,outside)" like as nat (DMZ,outside).

Yes, i miss that one

for NO NAT, you can use (inside, any) or (inside,Interface Name here)

If (DMZ,Outside), this mean no dynamic NAT added on other interfaces (but only the outside).

Regards,

MKD

Hi,

My question is that..why (DMZ, any) is not using here like (inside,any) even though both nat commands are for "NO NAT".

nat (inside,any) source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-192.168.0.0 obj-192.168.0.0 no-proxy-arp

nat (DMZ,outside) source static obj-192.168.159.0 obj-192.168.159.0 destination static obj-192.168.0.0 obj-192.168.0.0 no-proxy-arp route-lookup

Hi,

I'm not sure if the configurations you are referring to are some NAT configuration that the ASA has converted from "old" software to new software.

Generally I would think the "any" keyword would be used in the NAT configurations when you want to apply certain kind of NAT towards all other interfaces on the ASA. I try to avoid it as much as I can and be more specific.The reason for this is that it might possibly cause problems and make the configuration hard to read.

If you have had NAT0 / NAT Exempt style configurations on your "old" software ASA then they are probably almost always related to VPN Client or L2L VPN connections.

I would thefore suggest always using both the source and destination interface in your configurations.

I dont get the idea of the first NAT configuration as the source and destination networks are the same. And even more so I dont get the idea when I look at the next NAT configuration that refers to the same network as the destination network and its on the "outside" (While it was the sourced from the "inside" in the previous command)

- Jouni