Questions about NAT on an ASA

Hello!  

 

I'm trying to wrap my head around NAT rules and how the system processes them.  I understand that the manual NAT section comes before the auto / object NAT section which comes before manual NATs that we deprioritize.  

 

Within each section, then, NAT rules are processed on a first-come basis, so we put more specific NAT rules above more generic ones.  What happens when things have equal specificity?  Let's say I want to NAT an inside server to two different interfaces with different translated addresses?

 

 


Furthering my own thoughts here... 

 

Let's say I have the following (obviously this isn't proper syntax):

object network inside_subnet subnet 10.1.0.0/16

 

interface inside (10.1.0.0/16 range)

interface outside1 (number of private IP addresses)

interface outside2 (number of different private IP addresses)

 

Currently I'm NAT'ing into interface one as nat (inside,outside1) source static inside_subnet inside_subnet.  If I add a second line nat (inside,outside2) source static inside_subnet inside_subnet after the first it's going to be ignored because it matched the first line.  If I add the outside2 nat before outside1, then outside1 fails.  

 

Lightbulbs are starting to go off.  In each of those nat statements I should add the destination ranges too, something like:

 

nat (inside,outside1) source static inside_subnet inside_subnet destination static outside1_IP_ranges outside1_IP_ranges

nat (inside,outside2) source static inside_subnet inside_subnet destination static outside2_IP_ranges outside2_IP_ranges
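The shadowing problem and the destination-qualified fix described in this thread can be modelled with a small first-match simulator. The following Python is an added example, not code from the original post or from Cisco; it models only the ordered first-match evaluation of manual (twice) NAT rules, and the two outside address ranges (192.168.50.0/24 and 192.168.100.0/24) are constructed stand-ins for the poster's outside1_IP_ranges and outside2_IP_ranges objects, which the thread never defines.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed address plan, not from the post: 10.1.0.0/16 is inside_subnet;
# the two outside ranges are stand-ins for whatever sits behind each interface.
INSIDE_SUBNET = ipaddress.ip_network("10.1.0.0/16")
OUTSIDE1_RANGES = ipaddress.ip_network("192.168.50.0/24")    # hypothetical outside1_IP_ranges
OUTSIDE2_RANGES = ipaddress.ip_network("192.168.100.0/24")   # hypothetical outside2_IP_ranges


@dataclass
class NatRule:
    """One manual NAT line: nat (src_if,dst_if) source static S S [destination static D D]."""
    src_if: str
    dst_if: str
    source: ipaddress.IPv4Network
    destination: Optional[ipaddress.IPv4Network] = None  # None means "any destination"

    def matches(self, ingress_if: str, src_ip: ipaddress.IPv4Address,
                dst_ip: ipaddress.IPv4Address) -> bool:
        if ingress_if != self.src_if or src_ip not in self.source:
            return False
        return self.destination is None or dst_ip in self.destination

    def covers(self, other: "NatRule") -> bool:
        """True if every packet `other` could match would already be claimed by self."""
        if self.src_if != other.src_if or not other.source.subnet_of(self.source):
            return False
        if self.destination is None:
            return True
        return other.destination is not None and other.destination.subnet_of(self.destination)

    def __str__(self) -> str:
        line = f"nat ({self.src_if},{self.dst_if}) source static {self.source} {self.source}"
        if self.destination is not None:
            line += f" destination static {self.destination} {self.destination}"
        return line


def lookup(rules: List[NatRule], ingress_if: str, src_ip: str, dst_ip: str) -> Optional[str]:
    """First match in configured order; returns the egress interface the winning rule selects."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rules:
        if rule.matches(ingress_if, src, dst):
            return rule.dst_if
    return None  # no NAT rule hit: the packet would be routed untranslated


def shadowed(rules: List[NatRule]) -> List[int]:
    """0-based indices of rules that an earlier rule makes unreachable (the poster's symptom)."""
    return [i for i, later in enumerate(rules)
            if any(earlier.covers(later) for earlier in rules[:i])]


# The first attempt from the post: same source object on both lines, no destination qualifier.
AMBIGUOUS = [
    NatRule("inside", "outside1", INSIDE_SUBNET),
    NatRule("inside", "outside2", INSIDE_SUBNET),
]

# The fix from the post: qualify each line with the destination ranges behind its interface.
QUALIFIED = [
    NatRule("inside", "outside1", INSIDE_SUBNET, OUTSIDE1_RANGES),
    NatRule("inside", "outside2", INSIDE_SUBNET, OUTSIDE2_RANGES),
]

if __name__ == "__main__":
    for label, rules in (("ambiguous", AMBIGUOUS), ("qualified", QUALIFIED)):
        print(f"== {label} ==")
        for r in rules:
            print("  " + str(r))
        print("  10.1.5.5 -> 192.168.100.7 egress:",
              lookup(rules, "inside", "10.1.5.5", "192.168.100.7"))
        print("  shadowed rule indices:", shadowed(rules))
```

With the ambiguous rule set, a flow from 10.1.5.5 toward the outside2 range is claimed by the first line and sent out outside1, and `shadowed()` flags the second line as unreachable; with the destination-qualified set, the same flow lands on the outside2 rule and nothing is shadowed. The `covers()` check is the kind of sanity test worth running over any ordered NAT list before pushing it, since a fully shadowed rule silently does nothing.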

 
