Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
981
Views
5
Helpful
5
Replies

WHAT is being natted here? There is no identity (?). (mis-print?)

Go to solution
jmaxwellUSAF
VIP
VIP

‎02-20-2023 08:50 AM - edited ‎02-20-2023 12:39 PM

From book- "Cisco-ASA" 3rd edition, p355.

"Dynamically translate the internal network 192.168.10.0 when traffic is going out to the internet using the outside interface's address."
"Statically translate all traffic for an internal web server located at 192.168.10.10. The translated address should be 209.165.200.240."

#object network Internal-NETWORK
#subnet 192.168.10.0 255.255.255.0  !! <== Here is the identity of this object. !!
#nat (inside, outside) dynamic interface
#exit
#object network Internal-WEB-SERVER

                                                            !! <== shouldn't a defined object identity live at this point in the config? !!
#nat (inside,outside) static 209.165.200.240

(This is the end of a complete configuration.)

Question: Doesn't the snippet...
#object network internal-web
#nat (inside,outside) static 209.165.200.240
... also require a defining of the identity of this object that is being defined, such as "host 192.168.1.1", or "network 192.168.10.0 255.255.255.0" or other?

Put another way-- WHAT is being natted? There is no identity (?).

Thank you.

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Rob Ingram
VIP
VIP

‎02-20-2023 08:59 AM

@jmaxwellUSAF yes you need to define the host in the object configuration.

You can detail what is actually configured by running "show nat detail" it will show you all the information related to that NAT object configuration.

 

View solution in original post

5 Replies 5

Go to solution
Rob Ingram
VIP
VIP

‎02-20-2023 08:59 AM

@jmaxwellUSAF yes you need to define the host in the object configuration.

You can detail what is actually configured by running "show nat detail" it will show you all the information related to that NAT object configuration.

 

Go to solution
jmaxwellUSAF
VIP
VIP
In response to Rob Ingram

‎02-20-2023 12:38 PM

So, is that a book typo...

or...

does that config work as is?

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to jmaxwellUSAF

‎02-20-2023 12:53 PM

@jmaxwellUSAF  I don't have access to the book you are referring to, so I can only guess what you actually mean.

You'd create and object, define the host IP address or subnet and configure NAT.

object network HOST
 host 192.168.10.1
 nat (i,o) dynamic interface

You would need to run show run object which displays the object name and host/subnet and then run show run nat to display the NAT configuration for that same object.

DC-1(config-network-object)# show run object
object network HOST
 host 192.168.10.1

DC-1(config-network-object)# show run nat
object network HOST
 nat (INSIDE,OUTSIDE) dynamic interface

 

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP

‎02-20-2023 09:40 AM

as I know you can config fist the subnet or host of object-group 
then you can called this object-group for NATing 
or do both steps in same time 
first config the subnet or host then config NATing in second line. 
there is no different. 

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP

‎02-20-2023 12:42 PM

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/115904-asa-config-dmz-00.html

 

take look for this link 
there are many NAT exmaple as I mention before 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card