02-02-2014 02:23 AM - edited 03-04-2019 10:14 PM
I need to allow internal hosts that do not have a public static IP to be able to communicate with internet hosts, i.e. download software from the Internet.
My public address range is 122.252.14.240/28.
My internal IP address range is 192.168.100.0/24.
The ASA5520 is on 192.168.100.254.
This is the NAT rule I have in an older ASA5510 software version:
ASA Version 8.2(1)
global (outside1) 1 interface
nat (Inside1) 1 INT_Net 255.255.255.0
access-group outside in interface outside1
route outside1 0.0.0.0 0.0.0.0 122.252.14.241 1
I am commissioning an ASA5520. The ASA Version is 9.1(4).
When I run: global (outside1) 1 interface
I am getting
ERROR: This syntax of nat command has been deprecated.
Can somebody help me rewrite this rule?
02-02-2014 03:06 AM
David
You may want to look at the document link at the bottom which gives all the examples of how to configure 8.3 NAT onwards. You can download the pictures section separately and it gives specific examples. When you configure with the new NAT you need to configure it all in one because of the way it groups it together in the configuration.
What I mean by this is that you should not reference your existing INT_Net as it would not be grouped with the rest of the specific NAT configuration.
There are basically two ways to configure what you are trying to do, but you should read the document because depending on the other NAT on your ASA you might need to use one or the other, i.e. section 1 dynamic PAT or section 3 dynamic PAT.
Section 1
=======
object network
network 192.168.100.0 255.255.255.0
nat (inside,outside) dynamic interface
Section 3
=======
object-group network
network-object 192.168.100.0 255.255.255.0
nat (inside,outside) after-auto source dynamic
Either may be alright for you, but it is worth reading the document to get an idea of how it all works:
https://supportforums.cisco.com/docs/DOC-31116
Jon
02-02-2014 03:28 AM
Thanks for the reply, I tried option 1 to start with and it seems to work ok.
I made a small change as I got an error:
network 192.168.100.0 255.255.255.0
changes to:
subnet 192.168.100.0 255.255.255.0
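As an added example (not part of the thread and not Cisco tooling), this Python script maps the legacy `global`/`nat` pair from the question onto the 8.3+ object NAT form from the Section 1 answer, keeping the poster's interface names and using the `subnet` keyword. It assumes `INT_Net` is a `name` alias for 192.168.100.0; the `convert` function and the `OBJ_PAT` object-name prefix are hypothetical.

```python
import ipaddress
import re

# Legacy (pre-8.3) statements quoted in the question.
LEGACY = """\
global (outside1) 1 interface
nat (Inside1) 1 INT_Net 255.255.255.0
"""
# Assumption: INT_Net is a `name` alias for the internal range given in the post.
NAMES = {"INT_Net": "192.168.100.0"}

GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) interface$")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)$")


def convert(legacy, names=None, prefix="OBJ_PAT"):
    """Return 8.3+ object NAT lines for each legacy nat/global pair sharing a NAT ID."""
    names = names or {}
    globals_by_id = {}  # NAT ID -> interfaces that PAT to their own address
    nats = []           # (real interface, NAT ID, network)
    for line in legacy.splitlines():
        line = line.strip()
        if m := GLOBAL_RE.match(line):
            globals_by_id.setdefault(m.group(2), []).append(m.group(1))
        elif m := NAT_RE.match(line):
            real_if, nat_id, net, mask = m.groups()
            if nat_id == "0":
                raise ValueError("nat 0 is an exemption rule, not dynamic PAT")
            # Strict parsing rejects a bad mask or an address with host bits set.
            network = ipaddress.ip_network(f"{names.get(net, net)}/{mask}")
            nats.append((real_if, nat_id, network))
    out = []
    for real_if, nat_id, network in nats:
        if nat_id not in globals_by_id:
            raise ValueError(f"nat id {nat_id} on {real_if} has no matching global")
        for mapped_if in globals_by_id[nat_id]:
            out += [
                f"object network {prefix}_{real_if}_{mapped_if}",
                f" subnet {network.network_address} {network.netmask}",
                f" nat ({real_if},{mapped_if}) dynamic interface",
            ]
    return out


if __name__ == "__main__":
    print("\n".join(convert(LEGACY, NAMES)))
```

After pasting the generated lines into the ASA, `show nat` and `show xlate` confirm that the rule exists and that inside hosts are being translated to the outside interface address.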