11-05-2013 08:49 AM - edited 03-07-2019 04:26 PM
Looking for the most efficient configuration to get dynamic PAT working with TWICE NAT in section 3.
First I setup a object-group for the IP range to be PAT'd
object-group network obj-10.20.0.0
network-object 10.20.0.0 255.255.0.0
Next I configure the NAT statement.
nat (inside, outside) after-auto source dynamic obj-10.20.0.0 <public IP>
I get an error message complaining that the public-ip is not an object or object-group.
I read in the config guide that you can use the public-ip inline, instead of having to create a separate object-group.
My question is: do I have to create a separate object-group for the public-ip used in the NAT statement, or can I use it inline? If it can be used inline, what am I missing or doing wrong?
Thanks
11-05-2013 10:15 AM
With the new ASA code 8.3+, NAT is applied in the following order:
1) Manual Nat / Twice Nat (same thing different names)
2) Auto-NAT
3) Auto-After NAT
It looks like this is just for source NATing and not source and destination NATing.
If this is the case, and the NAT statement doesn't need to be after-auto, I would do the following.
object network obj-LocalLAN
subnet 192.168.1.0 255.255.255.0
nat (inside,outside) dynamic
If this needs to be moved down to 3rd in the list in order of preference, then do the following.
Example: nat (INSIDE,OUTSIDE) after-auto source dynamic any interface
The 'after-auto' basically moves it down to 3rd on the list in order of preference listed above.
Try the following and let me know how it goes:
nat (inside,outside) after-auto source dynamic obj-10.20.0.0 destination ? and see if you can use "interface" or "ip" after that.
11-05-2013 10:45 AM
So the option for "interface" is available after "nat (inside, outside) after-auto source dynamic obj-10.20.0.0 destination"
However, I want to translate this pool of addresses to a specific public address. Not the interface IP of the outside interface.
"ip" was not available after destination. Which is what I would prefer to use. I'd like to specify exactly the public IP to use and have it inline if possible so I can easily know what the IP is by looking at the nat configuration line.
In regards to section 1 vs. section 3: I read that dynamic PAT is generally implemented in section 3. That is why I am attempting to configure it there. I'd like the static NATs to take precedence over the dynamic PATs. I don't want the dynamic PATs (if configured in section 1) to translate something that should be translated statically in section 2.
Know what I mean?
I know I can implement dynamic PAT in section 2 as well using network object NAT. It just seemed it would be a little easier to use object-groups and twice NAT in section 3 in terms of number of configuration lines, and to make sure without a doubt that static NATs in section 2 take precedence over dynamic PATs in section 3...
Thanks for your reply...
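Added example, not from any of the posters: a minimal ASA 8.3+ configuration that keeps a static object NAT in section 2 and puts the dynamic PAT for 10.20.0.0/16 in section 3 with after-auto. In twice NAT the mapped source must be a network object/object-group or the interface keyword (the inline mapped-IP form belongs to object NAT), so the assumed public IP 203.0.113.10 is wrapped in an object; all addresses and object names here are assumptions.

```cisco
! Section 2 (object NAT): static translation that must win over the dynamic PAT
! (10.20.1.10 and 203.0.113.20 are assumed sample addresses)
object network obj-web-server
 host 10.20.1.10
 nat (inside,outside) static 203.0.113.20
!
! Real source range for the dynamic PAT; an object-group is accepted in twice NAT
object-group network obj-10.20.0.0
 network-object 10.20.0.0 255.255.0.0
!
! Twice NAT needs the mapped address as an object (or "interface"),
! so the public PAT address gets its own host object (assumed value)
object network obj-PAT-public
 host 203.0.113.10
!
! Section 3 (after-auto): dynamic PAT of 10.20.0.0/16 to 203.0.113.10,
! evaluated only after every section 1 and section 2 rule
nat (inside,outside) after-auto source dynamic obj-10.20.0.0 obj-PAT-public
!
! Verification: confirm the rule landed in "Manual NAT Policies (Section 3)"
! and that the static host is still matched by the section 2 rule
show nat
show nat detail
packet-tracer input inside tcp 10.20.1.10 12345 198.51.100.1 80
packet-tracer input inside tcp 10.20.5.5 12345 198.51.100.1 80
```

The first packet-tracer should show the section 2 static rule translating 10.20.1.10 to 203.0.113.20; the second should show the section 3 rule PATing 10.20.5.5 to 203.0.113.10.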