Solved: NAT Multiple Inside Subnets

joe.ho · ‎06-24-2011

Can anyone help me with the NAT command on 8.4? I am trying to PAT multipule Inside subnets to an IP address. With the example I found I can only PAT one subnet. If I do it the way I have below, it will end up with the last subnet (3.3.3.0) stay in the config. What is the best way of doing it? I have about 20 inside subnets I need to PAT.

object network obj-Inside-sub1

subnet 1.1.1.0 255.255.255.0
subnet 2.2.2.0 255.255.0.0
subnet 3.3.3.0 255.255.0.0
nat (inside,outside) dynamic 199.246.5.2

Thanks for the help

varrao · ‎06-24-2011

The config would look something like this:

object-group network all_subnets

network-object 1.1.1.0 255.255.255.0

network-object 2.2.2.0 255.255.0.0

network-object 3.3.3.0 255.255.0.0

object network patted_ip

host 199.246.5.2

Nat (inside,outside) source dynamic all_subnet patted_ip

And it shoudl work for all the subnets.

Hope this helps you

Thanks,

Varun

Thanks,
Varun Rao

View solution in original post

varrao · ‎06-24-2011

Hey Joe,

What you see is the correct behavior, because for multiple subnets you need to use a object-group, which includes all three subnets.

Thanks,

Varun

Thanks,
Varun Rao

varrao · ‎06-24-2011

The config would look something like this:

object-group network all_subnets

network-object 1.1.1.0 255.255.255.0

network-object 2.2.2.0 255.255.0.0

network-object 3.3.3.0 255.255.0.0

object network patted_ip

host 199.246.5.2

Nat (inside,outside) source dynamic all_subnet patted_ip

And it shoudl work for all the subnets.

Hope this helps you

Thanks,

Varun

Thanks,
Varun Rao

joe.ho · ‎06-25-2011

Thanks Varun, the command works. Now I am a bit confuse with the command. Would you able to point out why we do it this way?

When I put in the NAT any command like this:

object network obj_any

subnet 0.0.0.0 0.0.0.0

nat (inside,outside) dynamic 199.246.5.1

It will give me something like this in show run.

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network obj_any

nat (inside,outside) dynamic 199.246.5.1

When I put in the command you provide for NATing the specific inside subnet it doesn't turn out the same way as above. Show run only show me this line by itself.

Nat (inside,outside) source dynamic all_subnet patted_ip

Looks like the source keyword made a different. I did see some examples use the source keyword to NAT everything to outside. Which is a cleaner way of doing things?

varrao · ‎06-25-2011

Hi Joe.

There are two different types of nat in 8.4, Manual NAT(Twice NAT) and Auto NAT(Object NAT), the one that you were doing earler was Auto NAT (Object NAT) and the configuration that I gave you was for Manual NAT. There is no such difference, just what you are comfortable with. Manual NAT always takes precedence over Auto NAT. Here is a doc,kindly go through it:

http://www.cisco.com/en/US/customer/docs/security/asa/asa84/configuration/guide/nat_objects.html

Hope this helps you.

Thanks,

Varun

Thanks,
Varun Rao

joe.ho · ‎06-28-2011

Thanks for clarifying.

Stefan Amstutz · ‎08-25-2016

It worked for me as well.

Thanks