Cisco Support Community
New Member

8.2 to 8.3 static nat question

So, in 8.2, if I had an inside interface at 10.10.10.1 and an mpls interface (sec-100) at 10.20.20.1, and I wanted traffic to traverse between the two interfaces, I could write the following statement:

static (inside,mpls) 10.10.10.0 10.10.10.0 netmask 255.255.255.0

What would this look like in 8.3?

Thanks!

Accepted Solutions
New Member

Re: 8.2 to 8.3 static nat question

In version 8.3, the NAT statement depends on objects. You need to create an object for the source IP as well as the NAT IP and call the object in the NAT statement.
object network
host/range/subnet IP address

object network obj-10.10.10.0
 subnet 10.10.10.0 255.255.255.0
 exit

nat (inside,mpls) source static obj-10.10.10.0 obj-10.10.10.0

This statement will work in a similar way to what you expect. You can mention NAT with respect to a specific destination (similar to policy NAT):

nat (inside,mpls) source static obj-10.10.10.0 obj-10.10.10.0 destination static obj-4.4.4.4 obj-4.4.4.4

Regards
Gk

4 REPLIES
New Member

8.2 to 8.3 static nat question

That did it!  That should allow for communication to take place both ways, right?

Thanks!

Super Bronze

8.2 to 8.3 static nat question

Hi,

The above NAT rule should enable bidirectional connection establishment. (Provided that the interface ACL allows the traffic.)

Though usually, if you don't want to NAT the source or destination network, then you should not need any NAT configuration in the new software.

But this depends on the rest of the NAT configuration which we have not seen.

- Jouni

Super Bronze

8.2 to 8.3 static nat question

Hi,

In the 8.3+ software levels you don't need any NAT configuration between 2 interfaces if you don't need to specifically NAT something.

If you have a Dynamic PAT configuration from "inside" to "mpls" that contains the networks behind "inside" as the source address, then in this situation you would need another NAT configuration to enable communication from the "mpls" to "inside" (to enable bidirectional connection forming, that is).

If there is no NAT configuration between "inside" and "mpls" at the moment, then you won't need any NAT configuration. You will just have to make sure the traffic is allowed in the interface ACL. If you have equal "security-level" between the interfaces, then you will have to make sure you have "same-security-traffic permit inter-interface" also configured.

- Jouni
