02-28-2013 07:11 AM - edited 03-11-2019 06:07 PM
I've done this in the past for specific host entries with no problem, but I can't figure out how to do this for an entire subnet. I need something along the lines of the following:
access-list OKC2DAL extended permit ip 192.168.1.0 255.255.255.0 192.168.107.0 255.255.255.0
static (inside,outside) 192.168.99.0 access-list OKC2DAL netmask 255.255.255.0
I see netmask as an option, but the ASA states "invalid option netmask." The ASA is running 8.2(2).
=====
OKC-PIX(config)# static (inside,outside) 192.168.99.0 access-l OKC2DAL ?
configure mode commands/options:
<0-65535> The maximum number of simultaneous tcp connections the local IP
hosts are to allow, default is 0 which means unlimited
connections. Idle connections are closed after the time
specified by the timeout conn command
dns Use the created xlate to rewrite DNS address record
netmask Configure Netmask to apply to IP addresses
norandomseq Disable TCP sequence number randomization
tcp Configure TCP specific parameters
udp Configure UDP specific parameters
<cr>
OKC-PIX(config)# $.168.99.0 access-l OKC2DAL netmask ?
configure mode commands/options:
A.B.C.D Netmask to apply to IP addresses
BurnsOKC-PIX(config)# static (inside,outside) 192.168.99.0 access-l OKC2DAL netmask 255.255.255.0
invalid option netmask
Usage: [no] static [(real_ifc, mapped_ifc)]
{<mapped_ip>|interface}
{<real_ip> [netmask <mask>]} | {access-list <acl_name>}
[dns]
[[tcp] <max_conns> [<emb_lim> [<norandomseq> [nailed]]]]
[udp <max_conns>]
[no] static [(real_ifc, mapped_ifc)] {tcp|udp}
{<mapped_ip>|interface} <mapped_port>
{<real_ip> <real_port> [netmask <mask>]} |
{access-list <acl_name>}
[dns]
[[tcp] <max_conns> [<emb_lim> [<norandomseq> [nailed]]]]
[udp <max_conns>]
show running-config [all] static [<mapped_ip>]
clear configure static
=====
Thanks for your assistance.
02-28-2013 07:25 AM
Hi,
You don't need the netmask option.
With the configuration
access-list OKC2DAL extended permit ip 192.168.1.0 255.255.255.0 192.168.107.0 255.255.255.0
static (inside,outside) 192.168.99.0 access-list OKC2DAL
Source IP addresses from network 192.168.1.0/24 will translate to network 192.168.99.0/24. So for example 192.168.1.100 will always translate to 192.168.99.100
EDIT: There might be a situation where you have Static NAT for network 192.168.1.0/24 hosts towards "outside" on the ASA that will override this configuration. The solution in those cases is to remove the Public Static NAT and configure it again which will move it to the bottom of the configured rules and the Policy NAT will be matched first (the above NAT configuration that is)
- Jouni
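A constructed Python model of the first-match ordering Jouni describes, added here as an illustration (not ASA code and not from the original thread). It walks the configured static entries in order, applies the policy static only when the destination matches the OKC2DAL ACL, and assumes 203.0.113.0/24 as the public mapped network for the plain static that can shadow it.

```python
import ipaddress

# Constructed model of ASA 8.2 "static ... access-list" (policy NAT) and plain
# "static" (regular NAT) evaluation order. Added example, not ASA code.
POLICY_STATIC = {            # static (inside,outside) 192.168.99.0 access-list OKC2DAL
    "real": "192.168.1.0/24",
    "acl_dst": "192.168.107.0/24",   # destination matched by OKC2DAL
    "mapped": "192.168.99.0/24",
}
PUBLIC_STATIC = {            # assumed public static for the same inside hosts
    "real": "192.168.1.0/24",
    "acl_dst": None,                 # no ACL: matches any destination
    "mapped": "203.0.113.0/24",      # constructed documentation range
}


def translate(src, dst, rules):
    """Return the mapped source for the first matching static entry, else None.

    Net statics map one-to-one: the host offset inside the real network is
    preserved in the mapped network (192.168.1.100 -> 192.168.99.100).
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        real = ipaddress.ip_network(rule["real"])
        if src not in real:
            continue
        acl = rule.get("acl_dst")
        if acl is not None and dst not in ipaddress.ip_network(acl):
            continue                 # policy static: ACL did not match
        mapped = ipaddress.ip_network(rule["mapped"])
        offset = int(src) - int(real.network_address)
        return str(mapped.network_address + offset)
    return None


if __name__ == "__main__":
    # Policy static configured first: traffic to 192.168.107.0/24 is mapped
    # to 192.168.99.0/24, everything else falls through to the public static.
    order_ok = [POLICY_STATIC, PUBLIC_STATIC]
    print(translate("192.168.1.100", "192.168.107.5", order_ok))   # 192.168.99.100
    print(translate("192.168.1.100", "192.0.2.7", order_ok))       # 203.0.113.100
    # Public static configured first: it matches every destination, so the
    # policy static is never reached. Re-adding the public static fixes this.
    order_shadowed = [PUBLIC_STATIC, POLICY_STATIC]
    print(translate("192.168.1.100", "192.168.107.5", order_shadowed))  # 203.0.113.100
```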
02-28-2013 07:33 AM
Thanks, Jouni.