What does the "object network obj_any" commands do?

rweir0001
Level 1

I'm trying to determine what these configurations mean:


object network obj_any
subnet 0.0.0.0 0.0.0.0

object network obj_any-01
subnet 0.0.0.0 0.0.0.0

object network obj_any-02
subnet 0.0.0.0 0.0.0.0

object network obj_any-03
subnet 0.0.0.0 0.0.0.0


object network obj_any
nat (inside,outside) dynamic interface

object network obj_any-01
nat (inside,outside2) dynamic interface

object network obj_any-02
nat (dmz,outside) dynamic interface

object network obj_any-03
nat (dmz,outside2) dynamic interface


From what I can gather they were a replacement for the "nat-control" command in ASA versions prior to 8.3.x. I believe that they allow traffic between interfaces without a NAT policy being configured, and that the 0.0.0.0 means that it refers to any IP address not already configured via another policy. If anyone could provide me with a clear explanation it would be greatly appreciated.

Accepted Solution

Hello,

Those rules are doing dynamic port translations between the inside and outside interfaces, inside and outside2, and so on. Those are the replacement in post-8.3 code for regular NAT.

Example:

In 8.2 code, if you do a PAT for your internal subnet to reach the internet:

nat (dmz) 1 0 0

nat (inside) 1 0 0

global (outside) 1 interface

This will be automatically migrated by the ASA, and the replacement for that NAT translation is the following:

object network obj_any
subnet 0.0.0.0 0.0.0.0

object network obj_any
nat (inside,outside) dynamic interface

object network obj_any-02
subnet 0.0.0.0 0.0.0.0

object network obj_any-02
nat (dmz,outside) dynamic interface

It is basically telling the ASA: if any subnet in the inside world or DMZ world tries to reach out to the internet, we'll translate them and let them go out using the IP address of the outside interface.

After 8.3, NAT rules are object oriented and you must create objects containing IP addresses and subnets in order to build NAT rules. The type of NAT that you shared is called auto (object) NAT; those rules belong to section 2 of the NAT table. There, one object can be used to build one NAT rule at a time, and for that reason several objects with different names are created to build the different PAT rules for the DMZ and inside interfaces when going out.

Check the following links for more information:

https://supportforums.cisco.com/document/33921/asa-pre-83-83-nat-configuration-examples

https://supportforums.cisco.com/document/132066/asa-nat-83-nat-operation-and-configuration-format-cli

Hope this helps!

Best regards,

Kornelia Gutierrez

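As an added example (not from the post or from Cisco), a small Python model of the migration Kornelia describes: it reads the pre-8.3 "nat (iface) id 0 0" / "global (iface) id interface" pairs and emits one network object per (real interface, mapped interface) pair, which is why the question's configuration ends up with four obj_any objects. The object names and their ordering are assumptions chosen to mirror the question's output, not a reproduction of the ASA's actual migration code.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the pre-8.3 PAT configuration from the answer above,
# extended with a second egress interface (outside2) as in the question.
PRE_83_CONFIG = """
nat (inside) 1 0 0
nat (dmz) 1  0 0
global (outside) 1 interface
global (outside2) 1 interface
"""

# Only the any-source ("0 0" or "0.0.0.0 0.0.0.0") dynamic PAT-to-interface
# case is modelled; other nat/global forms are ignored.
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) 0(?:\.0\.0\.0)? 0(?:\.0\.0\.0)?$")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) interface$")


def parse_pre83(config: str) -> Tuple[Dict[str, List[str]], Dict[str, List[str]]]:
    """Group real interfaces (nat) and mapped interfaces (global) by NAT id."""
    nats: Dict[str, List[str]] = {}
    globals_: Dict[str, List[str]] = {}
    for raw in config.strip().splitlines():
        line = " ".join(raw.split())  # collapse stray whitespace
        if m := NAT_RE.match(line):
            nats.setdefault(m.group(2), []).append(m.group(1))
        elif m := GLOBAL_RE.match(line):
            globals_.setdefault(m.group(2), []).append(m.group(1))
    return nats, globals_


def migrate_to_object_nat(config: str) -> List[str]:
    """Emit post-8.3 auto (object) NAT lines. Each (real, mapped) pair needs its
    own network object because one object carries at most one nat statement."""
    nats, globals_ = parse_pre83(config)
    out: List[str] = []
    n = 0
    for nat_id, real_ifaces in nats.items():
        for real in real_ifaces:
            for mapped in globals_.get(nat_id, []):
                # Assumed naming: first object is obj_any, then obj_any-01, -02, ...
                name = "obj_any" if n == 0 else f"obj_any-{n:02d}"
                n += 1
                out += [f"object network {name}", " subnet 0.0.0.0 0.0.0.0",
                        f" nat ({real},{mapped}) dynamic interface"]
    return out


if __name__ == "__main__":
    print("\n".join(migrate_to_object_nat(PRE_83_CONFIG)))
```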

3 Replies

I think you are pretty much spot on; I think the objects "obj_any" are created during migration. I also think that to get the full explanation you would have to look at the pre-8.3 configuration and see the resulting post-migration configuration differences.

Techme
Level 1

Hi,

I know this is an old post, but I've seen the same NAT rule. On my systems we currently use public subnets; will this allow the machines on the inside interface to access the internet with their own IP address, or will it show the firewall IP?

Kind Regards,

  Antonio
