Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
521
Views
5
Helpful
2
Replies

NAT issue

jbrannen
Level 1
Level 1

‎04-22-2022 09:00 AM

Current setup

All internal traffic hits the perimeter firewall (Cisco ASA) and either has a static nat translation to a public IP or it gets assigned one via the following statement

nat (any,OUTSIDE) after-auto source dynamic any pat-pool obj-global-egress

We currently have some policy nats as well for specific internal ip addresses to pass the firewall without translation to a public IP
This was accomplished via the following statements

object network obj-10.2.205.121
host 10.2.205.121
object network obj-10.2.205.124
host 10.2.205.124
object network obj-10.2.205.138
host 10.2.205.138
object network obj-10.2.205.139
host 10.2.205.139

nat (INSIDE,OUTSIDE) source dynamic obj-10.2.205.121 obj-10.2.205.121 destination static EXT_DEST EXT_DEST
nat (INSIDE,OUTSIDE) source dynamic obj-10.2.205.124 obj-10.2.205.124 destination static EXT_DEST EXT_DEST
nat (INSIDE,OUTSIDE) source dynamic obj-10.2.205.138 obj-10.2.205.138 destination static EXT_DEST EXT_DEST
nat (INSIDE,OUTSIDE) source dynamic obj-10.2.205.139 obj-10.2.205.139 destination static EXT_DEST EXT_DEST


However i now need to find out how to accomplish the same with a set of subnets instead of individual hosts.

For example i need to pass the following networks through the firewall without translating the source address (or simply retain the original address), while traffic from other networks will continue to hit the global egress nat statement above.

10.250.0.0/16
10.6.18.0/23
10.2.160.0/19
10.2.192.0/23

Labels:
2 Replies 2

Jon Marshall
Hall of Fame
Hall of Fame

‎04-22-2022 09:19 AM - edited ‎04-22-2022 09:19 AM

 

You can just use the subnet keyword in your objects eg. - 

 

object network obj-10.250.0.0-16
subnet 10.250.0.0 255.255.0.0

 

etc. 

 

and then reference them in your NAT statements. 

 

Jon

0 Helpful

paul driver
VIP
VIP

‎04-22-2022 11:57 AM - edited ‎04-22-2022 12:00 PM

Hello
You could probably use an object-group then add all the network objects and use a single nat statement 


object-group network NAT
network-object obj-10.2.205.121
network-object obj-10.2.205.124
or
network-object  host xxx
network-object host xxy


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
0 Helpful
Customers Also Viewed These Support Documents