Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1295
Views
5
Helpful
3
Replies

PAT Config post 8.2

Go to solution
cyoung1981
Level 1
Level 1

‎02-09-2019 06:17 PM - edited ‎02-21-2020 08:47 AM

Hi All!

So I have avoided the new form of NAT config for as long as I can. I downgraded my ASA 5585-X to 8.2 to avoid it. But now I must get it up to the latest code. I have been searching, but to no avail, how to handle the PAT in this new form.

My current config of course has

global (outside) 1 interface
global (outside) 2 x.x.x.x

The new base config after loading ASA 9.10 has this

object network obj_any
 nat (any,outside) dynamic interface

Is this the new PAT config? How would I handle multiple PATs? I would assume creating object-groups with the networks I want to use in each pat?

object network obj_pub_2
1.1.1.1
object network ten
 subnet 10.0.0.0 255.255.255.0
object network one
 subnet 10.1.0.0 255.255.255.0
object network two
 subnet 10.2.0.0 255.255.255.0
object network three
 subnet 10.3.0.0 255.255.255.0
object-group network PAT_ONE
 network-object object ten
 network-object object one
object-group PAT_TWO
 network-object object two
 network-object object three
object-group PUB_TWO
 network-object object obj_pub_2
!
nat (inside,outside) after-auto source static PAT_ONE interface
nat (inside,outside) after-auto source static PAT_TWO PUB_TWO

Am I on the right track here?

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni

‎02-09-2019 06:45 PM - edited ‎02-09-2019 06:47 PM

Hi

You used nat command with source static which is wrong because you want to do PAT.

The config should be:

nat (inside,outside) after-auto source dynamic PAT_ONE interface
nat (inside,outside) after-auto source dynamic PAT_TWO PUB_TWO

If you want to validate the config you converted, you can use these tools:
- Cisco tool: https://fwm.cisco.com/auth.do
- Tunnelsup tool: https://www.tunnelsup.com/nat-converter/


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

View solution in original post

3 Replies 3

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni

‎02-09-2019 06:45 PM - edited ‎02-09-2019 06:47 PM

Hi

You used nat command with source static which is wrong because you want to do PAT.

The config should be:

nat (inside,outside) after-auto source dynamic PAT_ONE interface
nat (inside,outside) after-auto source dynamic PAT_TWO PUB_TWO

If you want to validate the config you converted, you can use these tools:
- Cisco tool: https://fwm.cisco.com/auth.do
- Tunnelsup tool: https://www.tunnelsup.com/nat-converter/


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Go to solution
cyoung1981
Level 1
Level 1
In response to Francesco Molino

‎02-09-2019 06:50 PM

Thanks so much! Everything else looks correct?

0 Helpful

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni
In response to cyoung1981

‎02-09-2019 06:52 PM

Objects yes.

Just a remark regarding the following nat:
object network obj_any
nat (any,outside) dynamic interface

Avoid using any and replace it with the real interface name.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card