Regular Dynamic PAT statements in ASA 8.3.

forman102 · ‎02-20-2012

Hello,

Could you please verify this configuration:

I have 2 inside networks:

object network INSIDE_10.6

subnet 10.6.0.0 255.255.0.0

object network INSIDE_192.168

subnet 192.168.0.0 255.255.255.0

I grouped these 2 into 1 object-group:

object-group network INSIDE

network-object object INSIDE_10.6

network-object object INSIDE_192.168

Public IP address used for PAT:

object network PAT

host 152.x.x.x

I used the following statement to create Dynamic PAT to public IP address:

object network INSIDE_10.6

nat (any,any) dynamic PAT

object network INSIDE_192.168

nat (any,any) dynamic PAT

Is that correct?

Also I'm using one public address to PAT both inside networks. Is there any advantage of using 2 different ones, so each inside network would be PAT to its own address?

Thanks,

forman

Amit Rai · ‎02-20-2012

object network INSIDE_10.6

nat (inside,outside) dynamic PAT

object network INSIDE_192.168

nat (inside,outside) dynamic PAT

use the ingress and egress interface name instead of any any or atleast define the name of the ingress interface.

now if you only define the name of the ingress interface any traffic that is coming from the specified source will follow this nat rule for going out all the interface.

best way to do it is to specifiy the ingress and egress both the interfaces in the nat rule.

now to your second question you can use the same public IP object group (PAT) for both inside networks.

also configure the routes accordingly.