Re: configuration NAT overload for ASA 5525

MohammadSalih · ‎12-22-2022

hi every one ,

i want to configure NAT over load

i have one public ip address 37.x.x.x

and pool of private ip addresses 70.70.x.x

when i configure natting by typing

nat (inside,outside) soure (static or dynamic) ,

there is no PAT configuration , because i want every private IPs share one public ip.

MHM Cisco World · ‎12-22-2022

nat (inside,outside) source dynamic any interface <<<- I use this for NAT overload

paul driver · ‎12-22-2022

Hello @MHM Cisco World
FYI
nat (inside,outside) source dynamic any interface = Section 1
nat (inside,outside) after-auto source dynamic any interface = Section 3

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

MHM Cisco World · ‎12-22-2022

both are NAT overload
after-auto just change the orde of NAT not change the NAT type.

paul driver · ‎12-22-2022

Hello
What im trying to allude to is you wouldn't want dynamic PAT (overload) to be in section 1, its a catch all statement as such if you need to append additional statements then you would have to re-order the NAT to accommodate , so would say its recommended to use section 3.

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Georg Pauwen · ‎12-22-2022

Hello,

post the full running configuration (sh run) of your ASA.

MohammadSalih · ‎12-22-2022

thanks for replying

interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 37.X.X.194 255.255.255.248

interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 70.70.2.1 255.255.255.0

interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 70.70.3.1 255.255.255.0

object network public_LAN1
host 37.X.X.195
object network public_LAN2
host 37.X.X.196

object-group network private_LAN1
network-object 70.70.2.0 255.255.255.0
object-group network private_LAN2
network-object 70.70.3.0 255.255.255.0

(just missing the NAT/PAT command)

paul driver · ‎12-22-2022

Hello

ASA NAT/PAT you can apply it two ways:
Manual NAT (globally) or Auto NAT (under an object)

It also has 3 sections (Default 1)
Manual NAT can be set in Section 1 or 3 (after auto)
Auto NAT = Section 2.

These sections are checked in order (1,2,3)
Manual
Auto
After Auto

Lastly in each section the nat rules are ordered sequentially just like within an access-list.

Can you post the following.
sh run nat
sh nat
sh run object
sh run object-group
sh run access-list
sh run access-group

Also perform a packet tracer and post the output.
packet-tracer input INSIDE tcp < lan ip> 12345 <internet ip> 80

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

MohammadSalih · ‎12-22-2022

thanks for replying

interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 37.X.X.194 255.255.255.248

interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 70.70.2.1 255.255.255.0

interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 70.70.3.1 255.255.255.0

object network public_LAN1
host 37.X.X.195
object network public_LAN2
host 37.X.X.196

object-group network private_LAN1
network-object 70.70.2.0 255.255.255.0
object-group network private_LAN2
network-object 70.70.3.0 255.255.255.0

(just missing the NAT/PAT command)

MHM Cisco World · ‎12-22-2022

then just add NAT as I mention above.
good luck friend

MohammadSalih · ‎12-22-2022

thanks alot for help,

i will apply this command (nat (inside,outside) source dynamic any interface) as you mentioned me,

but how to Control NATTING transluations

over more than one public?

i want 70.70.2.0/24 goes to 37.X.X.195

and

70.70.3.0/24 goes to 37.X.X.196

how can i deploy it in nat command?

MHM Cisco World · ‎12-22-2022

I will share lab with you tonight.

MohammadSalih · ‎12-22-2022

thanks alot .

paul driver · ‎12-22-2022

Hello

@MohammadSalih wrote:

over more than one public?

i want 70.70.2.0/24 goes to 37.X.X.195

and

70.70.3.0/24 goes to 37.X.X.196

how can i deploy it in nat command?

object network Inside_1
Subnet 70.70.2.0 255.255.255.0

object network outside1
host 37.X.X.195

object network Inside_2
subnet 70.70.2.0 255.255.255.0

object network outside2
host 37.X.X.196

nat (inside,outside) 1source dynamic Inside_1 outside1
nat (inside,outside) 2 source dynamic Inside_2 outside2
nat (inside,outside) after-auto source dynamic any interface

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

MohammadSalih · ‎12-22-2022

i will try it.

thanks very much.