cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
604
Views
0
Helpful
4
Replies

Shorter way to create NATs on ASA?

Hello,

Is there a simpler/shorter way to create these NATs in few lines?

object network nat-outside-public
 host a.b.c.d <<< public IP


object network outside-in-192-168-3-2:50200
 host 192.168.3.2
 nat (inside2,outside) static nat-outside-public service tcp 50200 50200

object network outside-in-192-168-3-2:50201
 host 192.168.3.2
 nat (inside2,outside) static nat-outside-public service tcp 50201 50201

object network outside-in-192-168-3-2:50202
 host 192.168.3.2
 nat (inside2,outside) static nat-outside-public service tcp 50202 50202

object network outside-in-192-168-3-2:50203
 host 192.168.3.2
 nat (inside2,outside) static nat-outside-public service tcp 50203 50203

object network outside-in-192-168-3-2:50204
 host 192.168.3.2
 nat (inside2,outside) static nat-outside-public service tcp 50204 50204

object network outside-in-192-168-3-2:50205
 host 192.168.3.2
 nat (inside2,outside) static nat-outside-public service tcp 50205 50205

object network outside-in-192-168-3-2:50206
 host 192.168.3.2
 nat (inside2,outside) static nat-outside-public service tcp 50206 50206

object network outside-in-192-168-3-2:50207
 host 192.168.3.2
 nat (inside2,outside) static nat-outside-public service tcp 50207 50207

object network outside-in-192-168-3-2:50208
 host 192.168.3.2
 nat (inside2,outside) static nat-outside-public service tcp 50208 50208

object network outside-in-192-168-3-2:50209
 host 192.168.3.2
 nat (inside2,outside) static nat-outside-public service tcp 50209 50209

4 Replies 4

Marvin Rhoads
Hall of Fame
Hall of Fame

Define a service range first like this:

 

object service somename-Source-NAT

 service tcp source range 50200 50209

 

Then use it in a single NAT statement:

 

object network outside-in-192-168-3-2
 host 192.168.3.2
 nat (inside2,outside) static nat-outside-public service somename-Source-NAT

Thanks for the reply.
For some reason that command isn't supported on my ASA 9.1(7)4 ?

(config-network-object)# nat (inside2,outside) static nat-outside-public service ?
network-object mode commands/options:
tcp TCP to be used as transport protocol
udp UDP to be used as transport protocol

If you have any thoughts on that, it would be very much appreciated.

Thanks, Simon

You're right - sorry about the earlier incorrect advice.  I just tried it on my ASA running 9.8(1)7 and even there we cannot use service groups in a NAT rule.

 

It looks like using individual rules is the only way to do this.

Thanks for the feedback.

Review Cisco Networking for a $25 gift card