Dynamic PAT with Twice NAT on ASA 8.3+

c.fuller
Level 1

Looking for the most efficient configuration to get dynamic PAT working with TWICE NAT in section 3.

First I set up an object-group for the IP range to be PAT'd:

object-group network obj-10.20.0.0

        network-object 10.20.0.0 255.255.0.0

Next I configure the NAT statement.

         nat (inside, outside) after-auto source dynamic obj-10.20.0.0 <public IP>

I get an error message complaining that the public-ip is not an object or object-group.

I read in the config guide that you can use the public-ip inline, instead of having to create a separate object-group.

My question is: do I have to create a separate object-group for the public-ip used in the NAT statement, or can I use it inline? If it can be used inline, what am I missing or doing wrong?

Thanks

2 Replies

JohnTylerPearce
Level 7

With the new ASA code 8.3+, NAT is applied in the following order

1) Manual Nat / Twice Nat (same thing different names)

2) Auto-NAT

3) Auto-After NAT

It looks like this is just for source NATing and not source and destination NATing.

If this is the case, and the Nat statement doesn't need to be Auto-After I would do the following.

object network obj-LocalLAN

subnet 192.168.1.0 255.255.255.0

nat (inside,outside) dynamic interface

If this needs to be moved down to 3rd in the list in order of preference, then do the following.

Example: nat (INSIDE,OUTSIDE) after-auto source dynamic any interface

The 'after-auto' basically moves it down to 3rd on the list in order of preference listed above.

Try the following and let me know how it goes

nat (inside,outside) after-auto source dynamic obj-10.20.0.0 destination ? and see if you can use "interface" or "ip" after that.

So the option for "interface" is available after "nat (inside, outside) after-auto source dynamic obj-10.20.0.0 destination"

However, I want to translate this pool of addresses to a specific public address, not the interface IP of the outside interface.

"ip" was not available after destination, which is what I would prefer to use. I'd like to specify exactly the public IP to use and have it inline if possible, so I can easily know what the IP is by looking at the NAT configuration line.

In regards to section 1 vs. section 3: I read that dynamic PAT is generally implemented in section 3. That is why I am attempting to configure it there. I'd like the static NATs to take precedence over the dynamic PATs. I don't want the dynamic PATs (if configured in section 1) to translate something that should be translated statically in section 2.

Know what I mean?

I know I can implement dynamic PAT in section 2 as well using network object NAT. It just seemed it would be a little easier to use object-groups and twice NAT in section 3 in terms of number of configuration lines, and for making sure without a doubt that static NATs in section 2 take precedence over dynamic PATs in section 3...

Thanks for your reply...
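As an added configuration example (not from either poster), here is one way to lay out the section 2 / section 3 split the thread is after: a static object NAT in section 2 for a single host, and the dynamic PAT for the whole 10.20.0.0/16 range placed in section 3 with after-auto. The mapped public address is given as a network object, since the twice NAT form takes an object or object-group (or the interface keyword) in that position. The addresses 203.0.113.10, 203.0.113.20, 10.20.1.50 and 198.51.100.5 and the object names obj-PAT-public and obj-server-10.20.1.50 are constructed placeholders.

```cisco
! Added example, not the thread's own configuration. Public and host
! addresses are constructed placeholders; replace with your own.

! Real (inside) range to be PAT'd, kept as the object-group from the post
object-group network obj-10.20.0.0
 network-object 10.20.0.0 255.255.0.0

! Mapped public address for the dynamic PAT. Twice NAT needs an object
! or object-group here; an inline IP literal is not accepted in this form.
object network obj-PAT-public
 host 203.0.113.10

! Section 2 (object NAT): one static one-to-one translation for a server
object network obj-server-10.20.1.50
 host 10.20.1.50
 nat (inside,outside) static 203.0.113.20

! Section 3 (after-auto twice NAT): dynamic PAT for the rest of 10.20.0.0/16.
! Section 2 is evaluated first, so 10.20.1.50 keeps its static mapping and
! the PAT only catches hosts that no section 2 rule matched.
nat (inside,outside) after-auto source dynamic obj-10.20.0.0 obj-PAT-public

! Verification: show nat lists the three sections in evaluation order
! (Manual NAT Section 1, Auto NAT Section 2, Manual NAT Section 3), and
! packet-tracer reports which NAT rule a given flow actually hits.
show nat
show nat detail
packet-tracer input inside tcp 10.20.1.50 1234 198.51.100.5 80
packet-tracer input inside tcp 10.20.7.7 1234 198.51.100.5 80
```

The two packet-tracer runs are the useful check: the first should show the static rule from section 2 translating 10.20.1.50 to 203.0.113.20, the second should show the after-auto rule translating 10.20.7.7 to 203.0.113.10. If the second run hits the wrong rule, the dynamic PAT has landed in section 1 rather than section 3, which is exactly the precedence problem the thread is trying to avoid.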
