PAT Config post 8.2

Hi All!

So I have avoided the new form of NAT config for as long as I can. I downgraded my ASA 5585-X to 8.2 to avoid it. But now I must get it up to the latest code. I have been searching, but to no avail, how to handle the PAT in this new form.

My current config of course has

global (outside) 1 interface
global (outside) 2 x.x.x.x

The new base config after loading ASA 9.10 has this

object network obj_any
 nat (any,outside) dynamic interface

Is this the new PAT config? How would I handle multiple PATs? I would assume creating object-groups with the networks I want to use in each pat?

object network obj_pub_2
 host 1.1.1.1
object network ten
 subnet 10.0.0.0 255.255.255.0
object network one
 subnet 10.1.0.0 255.255.255.0
object network two
 subnet 10.2.0.0 255.255.255.0
object network three
 subnet 10.3.0.0 255.255.255.0
object-group network PAT_ONE
 network-object object ten
 network-object object one
object-group network PAT_TWO
 network-object object two
 network-object object three
object-group network PUB_TWO
 network-object object obj_pub_2
!
nat (inside,outside) after-auto source static PAT_ONE interface
nat (inside,outside) after-auto source static PAT_TWO PUB_TWO

Am I on the right track here?

Accepted Solutions

Re: PAT Config post 8.2

Hi

You used the nat command with source static, which is wrong because you want to do PAT.

The config should be:

nat (inside,outside) after-auto source dynamic PAT_ONE interface
nat (inside,outside) after-auto source dynamic PAT_TWO PUB_TWO

If you want to validate the config you converted, you can use these tools:
- Cisco tool: https://fwm.cisco.com/auth.do
- Tunnelsup tool: https://www.tunnelsup.com/nat-converter/


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Re: PAT Config post 8.2

Thanks so much! Everything else looks correct?

Re: PAT Config post 8.2

Objects yes.

Just a remark regarding the following nat:
object network obj_any
 nat (any,outside) dynamic interface

Avoid using any and replace it with the real interface name.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
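
The two review points raised in the replies (static used where PAT was intended, and `any` as a NAT interface) can be checked mechanically before a converted config is loaded. The following Python sketch is an added example, not code from the thread or from Cisco; the function name, the finding codes, the heuristic and the sample config are all constructed for illustration.

```python
import re

# Constructed sample: the thread's objects, one uncorrected and one corrected rule.
SAMPLE = """\
object network obj_any
 nat (any,outside) dynamic interface
object network obj_pub_2
 host 1.1.1.1
object network ten
 subnet 10.0.0.0 255.255.255.0
object network two
 subnet 10.2.0.0 255.255.255.0
object-group network PAT_ONE
 network-object object ten
object-group network PAT_TWO
 network-object object two
object-group network PUB_TWO
 network-object object obj_pub_2
nat (inside,outside) after-auto source static PAT_ONE interface
nat (inside,outside) after-auto source dynamic PAT_TWO PUB_TWO
"""

def lint_asa_nat(config):
    """Return (line_no, code) findings; both codes are this example's own names."""
    hosts, subnets, groups, findings, cur = set(), set(), {}, [], None
    def many(name):    # real side covers more than one address
        members = groups.get(name, [])
        return name in subnets or len(members) > 1 or any(x in subnets for x in members)
    def single(name):  # mapped side is exactly one address
        return name == "interface" or name in hosts or (
            len(groups.get(name, [])) == 1 and groups[name][0] in hosts)
    # Assumes objects appear above the rules that use them, as in a running-config.
    for no, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        if m := re.match(r"(object|object-group) network (\S+)$", line):
            cur = m.groups()
            if cur[0] == "object-group":
                groups[cur[1]] = []
        elif cur and cur[0] == "object" and line.startswith(("host ", "subnet ")):
            (hosts if line.startswith("host ") else subnets).add(cur[1])
        elif cur and cur[0] == "object-group" and (m := re.match(r"network-object object (\S+)$", line)):
            groups[cur[1]].append(m.group(1))
        elif m := re.match(r"nat \(([^,]+),([^)]+)\)(.*)", line):
            if "any" in m.group(1, 2):
                findings.append((no, "ANY_INTERFACE"))
            s = re.search(r"source static (\S+) (\S+)", m.group(3))
            if s and many(s.group(1)) and single(s.group(2)):
                findings.append((no, "STATIC_MANY_TO_ONE"))
    return findings
```

Calling `lint_asa_nat(SAMPLE)` reports the `any` interface on line 2 and the static many-to-one rule on line 15; a one-to-one static NAT between two host objects is not flagged.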