02-15-2017 09:56 AM - edited 03-12-2019 01:56 AM
I'm trying to wrap my head around the new NAT in v8.4 and greater - specifically 9.4.
For a VPN policy I need to NAT hosts before encryption.
I have a need to upgrade a 5510 running 8.2(5) and one of the issues is NAT.
I'm familiar with 8.2 policy-nat in this situation.
Example Local to Global Translation
NAT 10.1.1.1 to 20.1.1.1
NAT 10.1.1.2 to 20.1.1.2
!
object network Local-10.1.1.1_32
host 10.1.1.1
object network Global-20.1.1.1_32
host 20.1.1.1
!
object network Local-10.1.1.2_32
host 10.1.1.2
object network Global-20.1.1.2_32
host 20.1.1.2
object-group network LocalHosts
network-object object Local-10.1.1.1_32
network-object object Local-10.1.1.2_32
object-group network GlobalHosts
network-object object Global-20.1.1.1_32
network-object object Global-20.1.1.2_32
!
object network RemoteNET-30.1.1.0_24
subnet 30.1.1.0 255.255.255.0
In the simple case of just one host to translate I have before my auto NAT:
nat (inside,outside) 1 source static Local-10.1.1.1_32 Global-20.1.1.1_32 destination static RemoteNET-30.1.1.0_24 RemoteNET-30.1.1.0_24
Since the above is not identity-nat I can't add no-proxy-arp route-lookup to the end.
Also the 'match address' ACL in the crypto map would look like:
access-list Global-2-Remote extended permit ip object-group GlobalHosts object RemoteNET-30.1.1.0_24
So my question is do I just add more NAT statements for each additional Local/Global pair or can I use an object-group(s) in one NAT statement?
Thanks for your help.
02-15-2017 10:01 AM
If each Local/Global pair has its own translation, then you need one NAT entry for each element. But all systems that share the same NAT (or NAT exemption) can be grouped into an object-group.
02-15-2017 10:32 AM
I do have more than one remote network for each VPN policy, so I know I can create an object-group for them:
nat (inside,outside) 1 source static LOCAL GLOBAL destination static ALLREMOTEs ALLREMOTEs
I understand the separate NAT-entry for each Local/Global pair (as I posited), but I'm not following you about the object-grouping. Can you elaborate on that with an example?
02-15-2017 10:46 AM
An example could be that you want to exempt all traffic from NAT that uses private addresses. There you have an object-group with three entries:
object-group network RFC1918
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0
This object-group can be used in a NAT statement to exempt the traffic from NAT regardless of whether it is a 10/8, 172.16/12 or 192.168/16 address:
nat (any,outside) source static RFC1918 RFC1918 destination static RFC1918 RFC1918 no-proxy-arp route-lookup
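The per-pair rule from the reply above, carried through for the original poster's VPN case, as an added example that is not part of the thread: a small Python generator emits the 8.3+/9.x objects, one manual `source static` NAT entry per local/global host pair, a single object-group for all remote networks, and the crypto-map ACL written in terms of the global (post-NAT) addresses. It also includes the check a practitioner wants when entries are per pair: a host added to the crypto ACL's group without its own NAT line. The object, group and ACL names (`Local-*`, `Global-*`, `RemoteNET-*`, `ALLREMOTES`, `GlobalHosts`, `Global-2-Remote`) are assumptions chosen to match the thread's conventions.

```python
"""ASA 8.3+/9.x manual NAT for a VPN policy: one 'source static' entry per
local/global host pair, one object-group for all remote networks, and a
crypto-map ACL that matches the global (post-NAT) source addresses.

Added example for the thread above, not code from the original posts.
Object/group/ACL names are assumptions chosen to match the thread.
"""
import re
from ipaddress import ip_network


def _obj(name, cidr):
    """'object network' definition: 'host' for a /32, otherwise 'subnet'."""
    net = ip_network(cidr, strict=False)
    body = (f" host {net.network_address}" if net.prefixlen == 32
            else f" subnet {net.network_address} {net.netmask}")
    return [f"object network {name}", body]


def vpn_nat_config(pairs, remotes, real_ifc="inside", mapped_ifc="outside"):
    """pairs: [(local_host, global_host), ...]; remotes: ['30.1.1.0/24', ...].

    Returns the config as a list of lines in the order it would be pasted.
    """
    lines, global_names, remote_names = [], [], []
    for local, glob in pairs:
        lines += _obj(f"Local-{local}_32", local)
        lines += _obj(f"Global-{glob}_32", glob)
        global_names.append(f"Global-{glob}_32")
    for cidr in remotes:
        net = ip_network(cidr, strict=False)
        name = f"RemoteNET-{net.network_address}_{net.prefixlen}"
        lines += _obj(name, cidr)
        remote_names.append(name)
    # What every pair shares goes into object-groups: the remote side of
    # each NAT entry and the source side of the crypto ACL.
    lines.append("object-group network ALLREMOTES")
    lines += [f" network-object object {n}" for n in remote_names]
    lines.append("object-group network GlobalHosts")
    lines += [f" network-object object {n}" for n in global_names]
    # One manual (twice) NAT entry per translated pair, as the reply above
    # advises. Without an explicit line number each entry is appended to
    # the end of section 1, which is still evaluated before auto NAT.
    for local, glob in pairs:
        lines.append(
            f"nat ({real_ifc},{mapped_ifc}) source static Local-{local}_32 "
            f"Global-{glob}_32 destination static ALLREMOTES ALLREMOTES")
    # The crypto ACL sees traffic after NAT, so it matches the global hosts.
    lines.append("access-list Global-2-Remote extended permit ip "
                 "object-group GlobalHosts object-group ALLREMOTES")
    return lines


_NAT_RE = re.compile(r"^nat \(\S+\) (?:\d+ )?source static (\S+) (\S+)")
_MEMBER_RE = re.compile(r"^ network-object object (\S+)")


def global_hosts_without_nat(config_lines, group="GlobalHosts"):
    """Members of `group` that no manual NAT entry maps a real host to.

    This is the mistake a per-pair scheme invites: a new global host is
    added to the crypto ACL's group but its NAT line is forgotten, so no
    traffic is ever translated to that address and the tunnel never sees it.
    """
    mapped = {m.group(2) for l in config_lines if (m := _NAT_RE.match(l))}
    members, in_group = [], False
    for line in config_lines:
        if line.startswith("object-group network "):
            in_group = line.split()[-1] == group
        elif in_group and (m := _MEMBER_RE.match(line)):
            members.append(m.group(1))
    return [n for n in members if n not in mapped]


if __name__ == "__main__":
    # The thread's two local/global pairs plus one remote network.
    cfg = vpn_nat_config([("10.1.1.1", "20.1.1.1"), ("10.1.1.2", "20.1.1.2")],
                         ["30.1.1.0/24"])
    print("\n".join(cfg))
    print("! hosts in GlobalHosts with no NAT entry:",
          global_hosts_without_nat(cfg) or "none")
```

Run `global_hosts_without_nat` against the live config (`show running-config nat` and `show running-config object-group`) whenever a host is added to the policy; an empty list means every global address the crypto ACL can match has a translation feeding it.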
02-16-2017 03:04 AM
Hello Karsten! Does the NAT exemption mechanism translate an address into itself, or does it not translate at all?