09-19-2018 02:22 AM
Hi, need help from a master to interpret the config below in the ASA fw. Many many thanks!
1) The NAT will happen whenever traffic flows from vlan-wlan->outside & vlan-mls->inside?
2) ASA will perform NAT when doing NAT configuration under "object network XXX"? Not quite sure why the NAT config is done under object network object-172.10.254.0 & object network test-ip. Is this the normal way of doing NAT?
object network object-172.10.254.0
nat (vlan-wlan,outside) dynamic interface
object network test-ip
nat (vlan-mls,inside) static 172.16.1.5
09-19-2018 07:02 AM - edited 09-19-2018 07:04 AM
object network object-172.10.254.0
nat (vlan-wlan,outside) dynamic interface
Answer: It is basically a PAT, the host or network included on the object called: object-172.10.254.0 will be NATed to the IP address located under the outside interface. Basically the inside interface is vlan-wlan and the outside interface is called outside (vlan-wlan,outside), the info into the ( ) represents the inside and outside interface, ingress and egress.
object network test-ip
nat (vlan-mls,inside) static 172.16.1.5
Answer: The host included in the object called test-ip will be mapped to the IP address 172.16.1.5. The test-ip must be behind the vlan-mls nameif interface (ingress) and the IP 172.16.1.5 will be the NAT IP located at the inside nameif interface.
09-20-2018 09:56 PM
09-21-2018 11:30 AM
If you want all traffic originating from vlan-wlan to be translated when it goes out the outside interface then you would use this command
nat (vlan-wlan,outside) dynamic interface
and if you want specifically traffic from 172.10.254.0 to be translated then you would use the object network approach.
HTH
Rick
09-24-2018 06:56 PM
09-25-2018 05:37 AM
The first nat is typically used when there is a site to site vpn. The vpn would be carrying traffic between 10.1.1.0 and 172.27.0.0. With a site to site vpn you typically do not want to translate the traffic going through the vpn. The other side of the vpn expects to see traffic with a source address of 10.1.1.x and not have that traffic translated so the source address would be the ASA interface. So basically what this command is saying is that 10.1.1.0 translates to 10.1.1.0 and 172.27.0.0 translates to 172.27.0.0.
The second nat command will translate all other traffic originating from the inside interface and going through the outside interface.
HTH
Rick
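As an added illustration (not code from this thread, from Cisco, or from Rick), the following Python parser reads ASA object-NAT and twice-NAT lines and reports, for each rule, the ingress/egress interface pair from the parentheses and whether it is interface PAT, a static mapping, or an identity (no-translation) rule of the kind described above for VPN traffic. The sample config is constructed; the twice-NAT line and the object names obj-10.1.1.0 / obj-172.27.0.0 are assumed, since the thread only describes that rule in words.

```python
import re
from dataclasses import dataclass

# Constructed sample: the thread's two object-NAT rules plus an assumed twice-NAT
# identity rule of the kind Rick describes for site-to-site VPN traffic.
SAMPLE_CONFIG = """\
object network object-172.10.254.0
 nat (vlan-wlan,outside) dynamic interface
object network test-ip
 nat (vlan-mls,inside) static 172.16.1.5
nat (inside,outside) source static obj-10.1.1.0 obj-10.1.1.0 destination static obj-172.27.0.0 obj-172.27.0.0
"""

OBJECT_RE = re.compile(r"^object network (\S+)\s*$")
OBJ_NAT_RE = re.compile(r"^\s+nat \((\S+?),(\S+?)\) (dynamic|static) (\S+)")
TWICE_NAT_RE = re.compile(
    r"^nat \((\S+?),(\S+?)\) source static (\S+) (\S+)(?: destination static (\S+) (\S+))?")

@dataclass
class NatRule:
    ingress: str  # real (inside-facing) interface: first name in the parentheses
    egress: str   # mapped (outside-facing) interface: second name in the parentheses
    kind: str     # "pat-interface", "dynamic", "static" or "identity"
    real: str     # object whose addresses are translated
    mapped: str   # what they are translated to

def parse_nat_rules(config: str) -> list[NatRule]:
    rules, current_object = [], None
    for line in config.splitlines():
        if m := OBJECT_RE.match(line):
            current_object = m.group(1)  # the indented nat line that follows belongs to it
        elif m := TWICE_NAT_RE.match(line):
            current_object = None  # a top-level nat line ends the object block
            ing, egr, real_src, map_src, real_dst, map_dst = m.groups()
            identity = real_src == map_src and (real_dst is None or real_dst == map_dst)
            rules.append(NatRule(ing, egr, "identity" if identity else "static", real_src, map_src))
        elif (m := OBJ_NAT_RE.match(line)) and current_object:
            ing, egr, mode, mapped = m.groups()
            kind = "pat-interface" if (mode, mapped) == ("dynamic", "interface") else mode
            rules.append(NatRule(ing, egr, kind, current_object, mapped))
    return rules

def describe(rule: NatRule) -> str:
    flow = f"{rule.ingress} -> {rule.egress}"
    if rule.kind == "pat-interface":
        return f"{flow}: {rule.real} PATed to the {rule.egress} interface address"
    if rule.kind == "identity":
        return f"{flow}: {rule.real} kept untranslated (identity NAT, e.g. VPN traffic)"
    return f"{flow}: {rule.real} {rule.kind}ally mapped to {rule.mapped}"
```

Running `describe` over `parse_nat_rules(SAMPLE_CONFIG)` gives one line per rule; the same walk over a real running-config is a quick way to spot which subnets leave a site untranslated.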