Yesterday I had a serious problem doing NAT for a server. I had to create a NAT between inside and outside. The server already had an object created with a NAT between inside and dmz, so I used the same object and set the NAT to outside, thinking it was not a problem because they are different networks. Something like this:
The CLI allowed me to do so but deleted the existing NAT between inside and dmz without any notice.
But many things stopped working.
Now I understand that I need to create a separate object for each NAT, right?
But on the other hand I think that the CLI is not robust enough, because it deleted the configuration of a NAT between different networks, which is quite dangerous. If the CLI deletes a NAT without your intervention, wouldn't it be better if it forced you to negate the previous NAT?
I think it is quite dangerous to allow these configuration changes without notice.
The ASA does not really give any confirmation messages with regard to normal configuration commands. From my experience it tends to only give warning/error messages when some command is not supported, either because of the wrong configuration mode or because of some other conflicting configuration present on the ASA. Naturally there are some commands for which the ASA provides a confirmation prompt on the CLI.
I did a quick check of an ASA Configuration Guide and did not find a specific section explaining clearly that Network Object NAT (or Auto NAT) is generally only meant for configuring 1 NAT per object. It did at least mention that there can only be one real/local address/subnet/range configured under the "object".
So in your case, where you want to configure NAT towards 2 different interfaces, you will have to configure a separate "object" for each "nat" command. The "object" configuration only supports a single "host", "subnet" or "range" configuration under it and also only one "nat" command. If one is already configured and you enter another, it will replace the current one.
There is one case where you can use a single Network Object NAT (or Auto NAT) to configure NAT towards multiple interfaces. Let's say you have a DMZ server which is NATed to a public IP address towards the Internet and you also want to do this translation towards your LAN network; then you could use the "any" parameter as the destination interface of the "nat" command.
Notice though that, as long as there are no other overriding configurations present, this NAT configuration will perform NAT for the DMZ server towards ANY other interface configured on the ASA. If users behind some other interface need to access the server with its local IP address, you will need additional NAT configurations to enable that, or simply avoid the above-mentioned configuration and configure NAT for each interface required.
I agree that the situation is not ideal. But perhaps I am too used to handling ASAs for it to be a problem. I have always found that Cisco products are not the most user-friendly devices, even with a GUI. Then again, I don't have much experience with other vendors, so I don't really know how they handle similar situations.
I have personally used the CLI to configure PIX/ASA/FWSM from the start, and I find that the learning process has always been trial and error in some situations. There is always something that is either not mentioned in the documentation or not clearly stated. This is especially true of both the old and the new NAT configurations. You really need to know how it behaves to avoid making configuration changes that can affect already existing configurations.
I think Cisco could even benefit from adding a completely separate section to their ASA Configuration Guide just to state the different common scenarios where 2 different NAT configurations might cause a conflict, or where simply adding a new NAT configuration might break part of the traffic flow through the firewall even though the added configuration might otherwise be valid.
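As an added illustration (not from the original question, the reply, or Cisco's documentation), the following ASA configuration sketch shows the silent replacement described in this thread, the one-object-per-"nat" approach that avoids it, and the "(dmz,any)" alternative from the reply. All object names, host addresses and translated addresses are assumed placeholder values, and the packet-tracer target host is an assumed example.

```cisco
! Added example, not from the original thread. Names and addresses are assumed placeholders.
!
! --- What went wrong: one object, a second "nat" command entered later ---
object network SERVER
 host 10.1.1.10
 nat (inside,dmz) static 172.16.1.10
!
! Re-entering the same object and adding another "nat" line does not append;
! it replaces the existing one without any prompt. Afterwards
! "show running-config object network SERVER" shows only the (inside,outside)
! line and the inside<->dmz translation is gone.
object network SERVER
 nat (inside,outside) static 203.0.113.10
!
! --- Safe approach: one object (same real address) per "nat" statement ---
object network SERVER-TO-DMZ
 host 10.1.1.10
 nat (inside,dmz) static 172.16.1.10
!
object network SERVER-TO-OUTSIDE
 host 10.1.1.10
 nat (inside,outside) static 203.0.113.10
!
! --- Alternative from the reply: a DMZ server translated towards every interface ---
! Only suitable when 203.0.113.10 should be the server's address as seen from
! ALL other interfaces; hosts on those interfaces then no longer reach
! 192.168.2.10 (assumed DMZ address) directly without further NAT rules.
object network DMZ-SERVER-ANY
 host 192.168.2.10
 nat (dmz,any) static 203.0.113.10
!
! --- Checks worth running before and after each NAT change ---
! Review the object you are about to touch, so you notice an existing "nat" line:
show running-config object network SERVER
! Confirm both translations are still present and in the expected section:
show nat
! Verify the inside->dmz path still translates the server (172.16.2.20 is an assumed DMZ host):
packet-tracer input inside tcp 10.1.1.10 12345 172.16.2.20 80
```

The point of the two "show" commands is exactly the missing confirmation the question complains about: since the ASA will not warn you, compare "show nat" output from before and after the change and make sure no translation has disappeared before you move on.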