06-22-2016 08:28 AM - edited 03-12-2019 12:56 AM
I'm trying to determine what these configurations mean:
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj_any-01
subnet 0.0.0.0 0.0.0.0
object network obj_any-02
subnet 0.0.0.0 0.0.0.0
object network obj_any-03
subnet 0.0.0.0 0.0.0.0
object network obj_any
nat (inside,outside) dynamic interface
object network obj_any-01
nat (inside,outside2) dynamic interface
object network obj_any-02
nat (dmz,outside) dynamic interface
object network obj_any-03
nat (dmz,outside2) dynamic interface
From what I can gather they were a replacement for the "nat-control" command in ASA versions prior to 8.3.x. I believe that they allow traffic between interfaces without a NAT policy being configured, and that the 0.0.0.0 means that it refers to any IP address not already configured via another policy. If anyone could provide me with a clear explanation it would be greatly appreciated.
06-24-2016 12:32 PM
Hello,
Those rules are doing dynamic port translations between the inside and outside interfaces, inside and outside2, and so on. Those are the replacement on post-8.3 code for regular nat.
Example:
In 8.2 code, if you do a PAT for your internal subnet to reach the internet:
nat (dmz) 1 0 0
nat (inside) 1 0 0
global (outside) 1 interface
This will be automatically migrated by the ASA and the replacement for that nat translation is the following:
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj_any
nat (inside,outside) dynamic interface
object network obj_any-02
subnet 0.0.0.0 0.0.0.0
object network obj_any-02
nat (dmz,outside) dynamic interface
It is basically telling the ASA: if any subnet in the inside world or dmz world tries to reach out to the internet, we'll translate them and let them go out using the IP address of the outside interface.
After 8.3, NAT rules are object oriented and you must create objects containing IP addresses and subnets in order to build NAT rules. The type of NAT that you shared is called auto (object) NAT; these rules belong to section 2 of the NAT table. There, one object can be used to build one NAT rule at a time; for that reason several objects with different names are created to build the different PAT rules for the dmz and inside interfaces when going out.
Check the following links for more information:
https://supportforums.cisco.com/document/33921/asa-pre-83-83-nat-configuration-examples
https://supportforums.cisco.com/document/132066/asa-nat-83-nat-operation-and-configuration-format-cli
Hope this helps!
Best regards,
Kornelia Gutierrez
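As an added illustration (not part of the answer above or of any Cisco tool), here is a small Python script that performs the pre-8.3 to post-8.3 rewrite the answer describes, turning matching nat/global pairs into object NAT blocks. It handles only `global ... interface` PAT; the obj_any / obj_any-NN numbering order and the obj-<ip> name used for specific subnets are assumptions modelled on the configs in this thread, not a guarantee of what the ASA migration produces.

```python
import re
from collections import defaultdict

# Constructed pre-8.3 snippet: the answer's example plus a second egress
# interface (outside2) so the obj_any-01 / obj_any-03 numbering is exercised.
PRE_83_CONFIG = """
nat (inside) 1 0 0
nat (dmz) 1 0 0
global (outside) 1 interface
global (outside2) 1 interface
"""

NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)$")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)$")


def migrate(config):
    """Rewrite pre-8.3 nat/global pairs as post-8.3 object (auto) NAT lines."""
    sources = defaultdict(list)  # nat-id -> [(src_if, ip, mask)]
    pools = defaultdict(list)    # nat-id -> [(dst_if, pool)]
    for raw in config.splitlines():
        line = raw.strip()
        if m := NAT_RE.match(line):
            src_if, nat_id, ip, mask = m.groups()
            if nat_id == "0" or ip == "access-list":
                raise ValueError(f"identity/policy NAT not handled: {line}")
            sources[nat_id].append((src_if, ip, mask))
        elif m := GLOBAL_RE.match(line):
            dst_if, nat_id, pool = m.groups()
            pools[nat_id].append((dst_if, pool))

    out = []
    names = defaultdict(int)  # base object name -> how many times used
    for nat_id, srcs in sources.items():
        for src_if, ip, mask in srcs:
            is_any = ip in ("0", "0.0.0.0") and mask in ("0", "0.0.0.0")
            subnet = "0.0.0.0 0.0.0.0" if is_any else f"{ip} {mask}"
            base = "obj_any" if is_any else f"obj-{ip}"  # assumed naming
            for dst_if, pool in pools.get(nat_id, []):
                if pool != "interface":
                    raise ValueError(f"address pools not handled: {pool}")
                # One object can carry only one nat line, so each
                # (source, egress) pair gets its own numbered object.
                n = names[base]
                names[base] += 1
                name = base if n == 0 else f"{base}-{n:02d}"
                out.append(f"object network {name}")
                out.append(f" subnet {subnet}")
                out.append(f" nat ({src_if},{dst_if}) dynamic interface")
    return out


if __name__ == "__main__":
    print("\n".join(migrate(PRE_83_CONFIG)))
```

Because every object generated here matches 0.0.0.0 0.0.0.0, any inside or dmz source that is not matched first by a manual (section 1) NAT rule or a more specific object NAT rule is PAT'd to the egress interface address.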
06-24-2016 01:18 AM
I think you are pretty much spot on. I think the objects "obj_any" are created during migration. I also think to get the full explanation you would have to look at the pre-8.3 configuration and see the resulting post-migration configuration differences.
06-29-2023 07:54 AM
Hi,
I know this is an old post but I see the same NAT rule. On my systems we currently use public subnets; will this allow the machines on the inside interface to access the internet with their own IP address or will it show the firewall IP?
Kind Regards,
Antonio