01-25-2024 10:58 AM - edited 01-25-2024 11:01 AM
Good Morning All,
Not sure why this isn't working, but I have an ASA 5525 running Version 9.2(2)4. What I am trying to do is add an Object Static NAT. On the firewall I see how similar policies are configured and I copied the config, minus the IPs and name of course, but it is still not working. This is what I have:
object network ext-data4
host 210.10.197.74 <-- Public IP
object network vip-data4
host 10.3.10.44 <-- DMZ IP
I have an ACL that the VIP goes into, so now the NAT. When I attempt to do the following Object NAT it looks like it works, but when I search for it in the config or do a show xlate for the name/IP nothing shows up:
object network vip-data4
nat (any,any) static ext-data4 net-to-net
When I input the config, it looks like it works:
OmedaColoASA(config)# object network vip-data4
OmedaColoASA(config-network-object)# nat (any,any) static ext-data4
OmedaColoASA(config-network-object)#
OmedaColoASA(config-network-object)#
But when I check the config it's not even in there.
What am I missing? Thank you in advance!!!
01-25-2024 11:06 AM
object network ext-data4
host 210.10.197.74 <-- Public IP
!
object network vip-data4
host 10.3.10.44 <-- DMZ IP
nat (DMZ,OUT ) static ext-data4 net-to-net no route-lookup
This must work
MHM
01-25-2024 12:36 PM
Bummer, it didn't work. It didn't like the "no route-lookup", so I left that out, but I put in what you suggested:
object network vip-data4
host 10.3.10.44
nat (DMZ,OUT) static ext-data4 net-to-net
It still doesn't show up in the config, probably something silly I am missing...still looking.
01-25-2024 12:40 PM
Can I see
show run nat
MHM
01-25-2024 12:50 PM - edited 01-25-2024 01:21 PM
It's kind of long, but here it is. I don't see any of the NAT statements we put in.
01-25-2024 12:54 PM - edited 01-25-2024 01:40 PM
object network dmz nat (dmz,outside) dynamic interface
This comes before the static NAT, so we need to change the NAT type to manual NAT and not use object NAT.
nat (DMZ,Outside) source static <real IP object> <mapped IP object>
MHM
01-25-2024 01:12 PM - edited 01-25-2024 01:14 PM
Oh ok, I see, so I need to build it as
nat (dmz,outside) static vip-data4 destination static ext-data4
object network ext-data4
host 210.10.197.74 <-- Public IP
object network vip-data4
host 10.3.10.44 <-- DMZ IP
OK, will try that then...thank you sir!
01-25-2024 01:24 PM
You are welcome
MHM
01-25-2024 01:36 PM - edited 01-25-2024 01:39 PM
Hmm, it didn't like the "static"; I had to enter "source static". I also had to change it up a little, as it doesn't like what I have below:
nat (dmz,outside) static vip-data4 destination static ext-data4
configure mode commands/options:
WORD Specify object or object-group name for real source
any Abbreviation for source address and mask of 0.0.0.0
OmedaColoASA(config)# $ ext-data4 ?
ERROR: % Unrecognized command
OmedaColoASA(config)# $ vip-data4 ?
configure mode commands/options:
WORD Specify object or object-group name for mapped source
interface Specify interface NAT
So now my nat statement looks like this:
nat (dmz,outside) source static vip-data4 vip-data4 destination static ext-data4 ext-data4
At first I thought I did something wrong when I saw this:
OmedaColoASA# sh xlate | inc 210.10.197.74
NAT from outside:210.10.197.74 to dmz:210.10.197.74
OmedaColoASA# sh xlate | inc 10.3.10.44
NAT from dmz:10.3.10.44 to outside:10.3.10.44
but I believe this is OK, as those are the IPs we want to see when they hit the interfaces.
If I am wrong please let me know; otherwise I believe I am good now. Thank you for your help!!!
One more thing: if I put this statement at the bottom, then would we have been able to do the object NAT?
object network dmz nat (dmz,outside) dynamic interface
01-25-2024 01:41 PM
nat (DMZ,Outside) source static <real IP object> <mapped IP object> <<- this is the correct one, NO need to add destination
MHM
01-25-2024 01:56 PM
Thank you sir, looks good:
OmedaColoASA# sh xlate | inc 210.10.197.74
NAT from dmz:10.3.10.44 to outside:210.10.197.74
01-25-2024 01:57 PM
Please clean your config: delete all the other NAT statements that did NOT work that we added during troubleshooting.
thanks a lot
have a nice day
MHM
01-25-2024 02:27 PM
You have entered the correct commands for object NAT to work correctly (though I would suggest using specific interfaces rather than any). If the commands look to be accepted but do not show up in the configuration, then this ASA is not in a healthy state. Perhaps it needs a reboot, and it definitely needs an upgrade if it is running 9.2.
This configuration was correct and should have been present in the configuration:
object network ext-data4
host 210.10.197.74
object network vip-data4
host 10.3.10.44
nat (any,any) static ext-data4
Now, just for clarification: Manual NAT, which is when you define nat (any,any) source static..., is a top-down match. Auto-NAT will be matched after manual NAT, but it is matched in a longest-prefix manner and therefore not top-down. So if you have a default NAT located above a more specific NAT in this section, it will still match on the more specific NAT rule. And then you have After-auto NAT, which is similar to manual NAT in that it is a top-down match, but it will only be matched if there has been no other match in manual NAT or Auto-NAT. So keep this in mind when configuring the ASA.
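As an added illustration (not the thread's or Cisco's code), a small Python model of the NAT lookup order described above: section 1 manual NAT top-down, section 2 object NAT most-specific-first, section 3 after-auto NAT top-down. The DMZ subnet 10.3.10.0/24 and the rule tables are assumptions built from this thread's objects; it shows why the existing dynamic object NAT for the DMZ would not shadow the host static, while the same two rules as manual NAT in that order would.

```python
import ipaddress
from dataclasses import dataclass

# Simplified model of ASA NAT evaluation order (assumption for illustration):
# section 1 = manual NAT, top-down; section 2 = object (auto) NAT, static
# before dynamic and then longest real prefix first; section 3 = after-auto
# NAT, top-down. Only the source address and ingress interface are matched.

@dataclass
class Rule:
    section: int          # 1 = manual, 2 = object/auto, 3 = after-auto
    real: str             # real address/network in CIDR notation
    mapped: str           # mapped address, or "interface" for interface PAT
    kind: str = "static"  # "static" or "dynamic"
    in_if: str = "any"
    out_if: str = "any"
    name: str = ""

    def matches(self, src, in_if):
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.real)
                and self.in_if in ("any", in_if))

def lookup(rules, src, in_if):
    """Return (rule name, translated source) for a packet from src on in_if."""
    sec1 = [r for r in rules if r.section == 1]
    # Object NAT is not top-down: static first, then most specific prefix.
    sec2 = sorted((r for r in rules if r.section == 2),
                  key=lambda r: (r.kind != "static",
                                 -ipaddress.ip_network(r.real).prefixlen))
    sec3 = [r for r in rules if r.section == 3]
    for r in sec1 + sec2 + sec3:
        if r.matches(src, in_if):
            mapped = r.mapped if r.kind == "static" else f"<{r.out_if} interface IP>"
            return r.name, mapped
    return None, src  # no rule matched: address passes untranslated

# Constructed rule tables mirroring the thread: the pre-existing dynamic
# interface PAT for the whole DMZ (subnet assumed) listed before the new
# host static, first as object NAT (section 2), then as manual NAT (section 1).
OBJECT_RULES = [
    Rule(2, "10.3.10.0/24", "interface", "dynamic", "dmz", "outside", "dmz"),
    Rule(2, "10.3.10.44/32", "210.10.197.74", "static", "any", "any", "vip-data4"),
]
MANUAL_RULES = [
    Rule(1, "10.3.10.0/24", "interface", "dynamic", "dmz", "outside", "dmz-pat"),
    Rule(1, "10.3.10.44/32", "210.10.197.74", "static", "dmz", "outside", "vip-data4"),
]

if __name__ == "__main__":
    print(lookup(OBJECT_RULES, "10.3.10.44", "dmz"))   # host static wins
    print(lookup(OBJECT_RULES, "10.3.10.99", "dmz"))   # falls to interface PAT
    print(lookup(MANUAL_RULES, "10.3.10.44", "dmz"))   # top-down: PAT shadows
```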
01-26-2024 06:39 AM
Hi Marius,
Thank you for the info. Yes, it is actually 9.2 and needs a reboot badly, as from my understanding it hasn't been rebooted in a few years. As far as the NAT goes, thank you for the information!! I will keep that in mind next time, and thank you for taking the time to explain!!!
Thank you sir!