NAT Multiple Inside Subnets

Answered Question
Jun 24th, 2011

Can anyone help me with the NAT command on 8.4? I am trying to PAT multiple inside subnets to an IP address. With the example I found I can only PAT one subnet. If I do it the way I have below, it ends up with only the last subnet (3.3.3.0) staying in the config. What is the best way of doing it? I have about 20 inside subnets I need to PAT.

object network obj-Inside-sub1
 subnet 1.1.1.0 255.255.255.0
 subnet 2.2.2.0 255.255.0.0
 subnet 3.3.3.0 255.255.0.0
 nat (inside,outside) dynamic 199.246.5.2

Thanks for the help

varrao Fri, 06/24/2011 - 22:52

Hey Joe,

What you see is the correct behavior, because for multiple subnets you need to use an object-group, which includes all three subnets.

Thanks,

Varun

Correct Answer
varrao Fri, 06/24/2011 - 22:57

The config would look something like this:

object-group network all_subnets
 network-object 1.1.1.0 255.255.255.0
 network-object 2.2.2.0 255.255.0.0
 network-object 3.3.3.0 255.255.0.0

object network patted_ip
 host 199.246.5.2

nat (inside,outside) source dynamic all_subnets patted_ip

And it should work for all the subnets.

Hope this helps you

Thanks,

Varun

joe.ho Sat, 06/25/2011 - 16:01

Thanks Varun, the command works. Now I am a bit confused with the command. Would you be able to point out why we do it this way?

When I put in the NAT any command like this:

object network obj_any
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic 199.246.5.1

It will give me something like this in show run.

object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network obj_any
 nat (inside,outside) dynamic 199.246.5.1

When I put in the command you provided for NATing the specific inside subnets it doesn't turn out the same way as above. Show run only shows me this line by itself:

nat (inside,outside) source dynamic all_subnets patted_ip

Looks like the source keyword made a difference. I did see some examples use the source keyword to NAT everything to outside. Which is the cleaner way of doing things?

varrao Sat, 06/25/2011 - 17:28

Hi Joe,

There are two different types of NAT in 8.4, Manual NAT (Twice NAT) and Auto NAT (Object NAT). The one that you were doing earlier was Auto NAT (Object NAT) and the configuration that I gave you was for Manual NAT. There is no such difference, just what you are comfortable with. Manual NAT always takes precedence over Auto NAT. Here is a doc, kindly go through it:

http://www.cisco.com/en/US/customer/docs/security/asa/asa84/configuration/guide/nat_objects.html

Hope this helps you.

Thanks,

Varun
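Both forms from this thread, Varun's Manual NAT (Twice NAT) config with one object-group and the Auto NAT (Object NAT) form with one object per subnet, can be rendered from a single subnet list. The script below is an added example, not configuration from the thread or from Cisco; the object names (all_subnets, patted_ip, obj-Inside-subN), the function names and the sample subnets are this example's own. It also validates each network/mask pair and cross-checks the names on the nat line against the objects defined above it, which catches a mismatch such as all_subnet versus all_subnets before the text is pasted onto a firewall.

```python
"""Render ASA 8.4 NAT configuration for a list of inside subnets.

Added example, not configuration from the thread or from Cisco. It
generates the Manual NAT (Twice NAT) form (one object-group holding every
subnet, one nat line) and the Auto NAT (Object NAT) form (one object and
one nat line per subnet) so the two can be compared side by side. Object
names, function names and sample subnets are this example's own.
"""
import ipaddress
import re


def parse_subnet(network: str, mask: str) -> ipaddress.IPv4Network:
    """Validate a network/mask pair. strict=True (the default) raises
    ValueError when host bits are set, e.g. 2.2.2.0 255.255.0.0."""
    return ipaddress.IPv4Network((network, mask))


def manual_nat(subnets, pat_ip, group="all_subnets", pat_obj="patted_ip",
               ifaces=("inside", "outside")):
    """Manual NAT: every subnet in one object-group, a single nat line."""
    nets = [parse_subnet(n, m) for n, m in subnets]
    ipaddress.IPv4Address(pat_ip)  # raises ValueError on a bad address
    lines = [f"object-group network {group}"]
    lines += [f" network-object {n.network_address} {n.netmask}" for n in nets]
    lines += [f"object network {pat_obj}", f" host {pat_ip}"]
    lines.append(f"nat ({ifaces[0]},{ifaces[1]}) source dynamic {group} {pat_obj}")
    return lines


def auto_nat(subnets, pat_ip, prefix="obj-Inside-sub",
             ifaces=("inside", "outside")):
    """Auto NAT: a separate network object per subnet, each carrying its
    own nat line. A network object holds one subnet, which is why three
    'subnet' lines under one object in the question left only the last."""
    ipaddress.IPv4Address(pat_ip)
    lines = []
    for i, (n, m) in enumerate(subnets, start=1):
        net = parse_subnet(n, m)
        lines += [f"object network {prefix}{i}",
                  f" subnet {net.network_address} {net.netmask}",
                  f" nat ({ifaces[0]},{ifaces[1]}) dynamic {pat_ip}"]
    return lines


_DEF_RE = re.compile(r"^(?:object-group network|object network)\s+(\S+)$")
_NAT_RE = re.compile(r"^nat\s+\(\S+\)\s+source\s+dynamic\s+(\S+)\s+(\S+)")


def undefined_names(lines):
    """Cross-check each manual nat line against the objects defined above
    it and return any name that was never defined (e.g. all_subnet when
    the group is called all_subnets). 'any' and 'interface' are keywords."""
    defined = set()
    missing = []
    for line in lines:
        line = line.strip()
        m = _DEF_RE.match(line)
        if m:
            defined.add(m.group(1))
            continue
        m = _NAT_RE.match(line)
        if m:
            missing += [name for name in m.groups()
                        if name not in defined and name not in ("any", "interface")]
    return missing


if __name__ == "__main__":
    # Constructed sample: three inside subnets and the PAT address from the thread.
    SAMPLE = [("1.1.1.0", "255.255.255.0"), ("2.2.2.0", "255.255.255.0"),
              ("3.3.3.0", "255.255.255.0")]
    cfg = manual_nat(SAMPLE, "199.246.5.2")
    print("\n".join(cfg))
    print("undefined names:", undefined_names(cfg))
    print("\n".join(auto_nat(SAMPLE, "199.246.5.2")))
```

Feed it the full list of twenty subnets and paste the manual_nat output once; since the thread notes that Manual NAT takes precedence over Auto NAT, keep that in mind if any per-object nat lines already exist on the same box for overlapping subnets.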

Posted June 24, 2011 at 10:02 PM
Tags: nat, asa, 8.4