04-29-2015 04:44 AM - edited 03-05-2019 01:21 AM
How would the following NAT statement look on the ASA, and why won't the ASA take the line of config even though I have created the object for it?
The PIX config is like this:
global (outside) 1 aa.bb.53.197
On the ASA, I thought the config would be as simple as this:
nat (any,outside) 1 source static any any destination static aa.bb.53.197
I keep getting an error though:
Belgium-ASA01-5515X(config)# nat (any,outside) 1 source static any any destina$
ERROR: object doesn't match an existing object or object-group
ASA5515X(config)# object network aa.bb.53.197
ASA5515X(config-network-object)# host aa.bb.53.197
Please, someone provide me with some guidance.
04-29-2015 05:12 AM
You are trying to do different things with the NAT statements.
Your global statement is dynamic NAT and will translate source IPs.
But then you are using a static statement in your other NAT.
What exactly are you trying to do?
Jon
04-29-2015 05:48 AM
Hi Jon
Thanks for responding!
We are getting rid of the Cisco PIX and migrating to a Cisco ASA. The NAT statement taken from the PIX is NATting anything to the address aa.bb.53.197 with this line:
global (outside) 1 aa.bb.53.197
I'm simply trying to add this like for like on the ASA; however, the ASA configuration is taken slightly differently, hence the static statement.
All I want to do is do the above on the ASA.
I thought the config would look like this:
nat (any,outside) source static any any destination static aa.bb.53.197 aa.bb.53.197
Please correct me if I am wrong.
04-29-2015 05:48 AM
There are a couple of ways of achieving this, and it is to do with the ordering of NAT statements by sections, which didn't happen with the 8.2 and previous NAT.
Have a look at this thread and see Jouni's answer.
He has also linked to a very good document he has written on this forum, and it is worth reading to get a good understanding of the 8.3-onwards NAT.
If you still have queries, then by all means come back.
Jon
04-29-2015 05:57 AM
Hi Jon
Thanks for the information; the article by Jouni really helped. So after reviewing, I got rid of this line:
nat (any,outside) source static any any destination static aa.bb.53.197 aa.bb.53.197
and replaced it with:
nat (any,outside) after-auto source static aa.bb.53.197 aa.bb.53.197 no-proxy-arp
Thanks
AV
04-29-2015 06:03 AM
AV
No problem, but I'm still not sure that line is correct, unless you are saying it is working.
You want a dynamic NAT, not a static NAT, because that would be the equivalent of your global statement, which is a dynamic NAT statement.
Jon
04-29-2015 06:40 AM
Hi Jon
I believe you are right. I simply want to replicate the statement and not modify it in any way. This has not been tested yet, as we are preparing the ASA for a trial run next week. So I have removed this line:
nat (any,outside) after-auto source static aa.bb.53.197 aa.bb.53.197 no-proxy-arp
and replaced it with:
nat (any,outside) after-auto source dynamic aa.bb.53.197 aa.bb.53.197
04-30-2015 09:29 AM
Hi Jon
Further to my quest to conquer NAT on PIX vs. ASA, I have found an issue when following the guides for the post-8.3 ASA nonat policy.
The rules on the PIX are straightforward; here is an example:
nat (inside) 0 access-list nonat2
and the ACLs on the PIX follow suit:
access-list nonat2 permit ip aa.bb.53.0 255.255.255.128 10.0.0.0 255.0.0.0
Following the instructions for the NAT statement, I created my object groups for the source and destination networks:
object network Local_LANS_1
subnet aa.bb.53.0 255.255.255.128
object network Remote_LANS_1
subnet 10.0.0.0 255.0.0.0
My NAT, following the guide, turned out like this:
nat (inside,outside) after-auto source dynamic Local_LANS_1 Local_LANS_1 destination Remote_LANS_1 Remote_LANS_1
However, the above command doesn't get taken by the ASA (5515X) ver 8.6(1)2.
After destination it only gives me the option for static. Is this right? As my source is dynamic, I wouldn't think the destination would be static, and I have not found any examples of dynamic to static.
I need to know, otherwise my script to migrate the nonats is futile.
Any assistance would be appreciated.
04-30-2015 02:54 PM
That is a NAT exemption, so it should be:
nat (inside,outside) source static Local_LANS_1 Local_LANS_1 destination static Remote_LANS_1 Remote_LANS_1
A couple of points:
1) You are not actually translating your source IPs to anything else, so it isn't really a dynamic statement.
2) The document I linked to recommends these go in section 1, because if you put them in section 3 (with the after-auto keyword) there is a high chance there could be other rules in the earlier sections that override them.
Up to you really but it may avoid problems later on.
Jon
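The two migrations discussed in this thread (the PIX global/nat pair that Jon says should become a dynamic NAT, and the nat 0 access-list exemption that becomes an identity twice NAT in section 1) are mechanical enough to script, which is what AV mentions doing. The converter below is an added example, not code from the thread or from Cisco. It assumes the PIX-style pairing of `global (ifc) ID` with `nat (ifc) ID net mask`, assumes exemptions are written toward the interface named in `default_mapped_ifc`, uses object names of my own choosing (`NET-<network>_<prefix>` and `PAT-<ip>`), and its sample input uses constructed RFC 5737 addresses in place of the thread's aa.bb.53.x values.

```python
"""
Translate PIX / ASA 8.2-style NAT statements into ASA 8.3+ twice-NAT syntax.

Added example for the thread above (not Cisco code). Two patterns are handled:
  * global (ifc) ID <ip>  +  nat (ifc) ID <net> <mask>  -> dynamic PAT, after-auto (section 3)
  * nat (ifc) 0 access-list <acl> + access-list lines   -> identity twice NAT, no after-auto (section 1)
Assumptions: nat/global are paired by ID, exemptions point at default_mapped_ifc,
and the object naming scheme is my own. Sample input below is constructed.
"""
import ipaddress
import re

GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)$")
NAT_EXEMPT_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")   # checked before NAT_RE
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)$")
ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")


def object_name(net, mask):
    """Deterministic object name such as NET-10.0.0.0_8 from a network/netmask pair."""
    n = ipaddress.ip_network(f"{net}/{mask}", strict=False)
    return f"NET-{n.network_address}_{n.prefixlen}"


def convert(pix_lines, default_mapped_ifc="outside"):
    """Return ASA 8.3+ object and nat lines equivalent to the given PIX lines."""
    globals_ = {}      # nat id -> (mapped interface, PAT address)
    dynamic = []       # (real interface, nat id, real net, real mask)
    exemptions = []    # (real interface, acl name)
    acls = {}          # acl name -> [(src, smask, dst, dmask)]

    for raw in pix_lines:
        line = raw.strip()
        if m := GLOBAL_RE.match(line):
            globals_[m.group(2)] = (m.group(1), m.group(3))
        elif m := NAT_EXEMPT_RE.match(line):
            exemptions.append((m.group(1), m.group(2)))
        elif m := NAT_RE.match(line):
            dynamic.append(m.groups())
        elif m := ACL_RE.match(line):
            acls.setdefault(m.group(1), []).append(m.groups()[1:])

    objects = {}    # name -> definition lines; first insertion wins, so repeats collapse
    nat_lines = []

    def subnet_obj(net, mask):
        name = object_name(net, mask)
        objects.setdefault(name, [f"object network {name}", f" subnet {net} {mask}"])
        return name

    # NAT exemptions: identity twice NAT with real == mapped on both sides, left in
    # section 1 (no after-auto) so earlier rules cannot shadow them.
    for real_ifc, acl in exemptions:
        for src, smask, dst, dmask in acls.get(acl, []):
            s = subnet_obj(src, smask)
            d = subnet_obj(dst, dmask)
            nat_lines.append(
                f"nat ({real_ifc},{default_mapped_ifc}) source static {s} {s} "
                f"destination static {d} {d}"
            )

    # global/nat pairs: dynamic PAT of the real network onto a host object, after auto NAT.
    for real_ifc, nat_id, net, mask in dynamic:
        if nat_id not in globals_:
            raise ValueError(f"nat id {nat_id} has no matching global statement")
        mapped_ifc, pat_ip = globals_[nat_id]
        pat_name = f"PAT-{pat_ip}"
        objects.setdefault(pat_name, [f"object network {pat_name}", f" host {pat_ip}"])
        real = "any" if (net, mask) == ("0.0.0.0", "0.0.0.0") else subnet_obj(net, mask)
        nat_lines.append(
            f"nat ({real_ifc},{mapped_ifc}) after-auto source dynamic {real} {pat_name}"
        )

    return [ln for lines in objects.values() for ln in lines] + nat_lines


# Constructed sample: RFC 5737 addresses stand in for the thread's aa.bb.53.x values.
PIX_SAMPLE = [
    "global (outside) 1 203.0.113.197",
    "nat (inside) 1 0.0.0.0 0.0.0.0",
    "nat (inside) 0 access-list nonat2",
    "access-list nonat2 permit ip 203.0.113.0 255.255.255.128 10.0.0.0 255.0.0.0",
]

if __name__ == "__main__":
    print("\n".join(convert(PIX_SAMPLE)))
```

The converter emits the real source as `any` only when the PIX nat covered 0.0.0.0 0.0.0.0, and otherwise builds a subnet object for it; the PAT address goes in its own host object on the mapped side, so the dynamic line translates inside hosts to aa.bb.53.197 rather than, as in the line AV posted, naming the PAT address as its own real source. Exemptions land in section 1 and the PAT rule in section 3, matching Jon's second point. Compare the generated lines with `show nat` on the target ASA before applying them, since any existing section 1 or section 2 rule that overlaps the same real addresses will be matched first.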