Solved: ASA post ver8.2 Static NAT & Name Command

jfwarren1 · ‎02-12-2014

Hello, pre 8.3 I would use the Name Command and static map a public IP to a private IP as follows:

name 12.236.93.72 InsideHost

static (inside,outside) InsideHost 10.11.10.1 netmask 255.255.255.255

Post ver8.2 I realize that command has changed to the object network command but does not work with the name. I recieve the following error:

name 12.236.93.72 InsideHost

object network obj-10.11.10.1

host 10.11.10.1

nat (inside,outside) static InsideHost

ERROR: InsideHost Dosn't Exist

I cannot find the Name Command in the newer post8.2 documentation.

Jouni Forss · ‎02-12-2014

Hi,

Its my understanding that the "name" configuration doesnt really play much of a role in the new ASA software levels and the "object" has atleast partially replaced that.

Do notice that you can create an "object" for the IP address 12.236.93.72

object network Insidehost

host 12.236.93.72

object network obj-10.11.10.1

host 10.11.10.1

nat (inside,outside) static Insidehost

But to be honest I have never liked the "name" configuration and have always disabled it on the ASAs I manage. When I am troubleshooting something or making new rules I want to do it based on the actual IP rather than a "name" but I guess its matter of taste/personal preference.

Also I dont use the above method either. I simply define the IP address in the section where you define the NAT IP address. This keeps the configuration clearer and less cluttered with "object" or "object-group"

Hope this helps

- Jouni

View solution in original post

Jouni Forss · ‎02-12-2014

Hi,

Its my understanding that the "name" configuration doesnt really play much of a role in the new ASA software levels and the "object" has atleast partially replaced that.

Do notice that you can create an "object" for the IP address 12.236.93.72

object network Insidehost

host 12.236.93.72

object network obj-10.11.10.1

host 10.11.10.1

nat (inside,outside) static Insidehost

But to be honest I have never liked the "name" configuration and have always disabled it on the ASAs I manage. When I am troubleshooting something or making new rules I want to do it based on the actual IP rather than a "name" but I guess its matter of taste/personal preference.

Also I dont use the above method either. I simply define the IP address in the section where you define the NAT IP address. This keeps the configuration clearer and less cluttered with "object" or "object-group"

Hope this helps

- Jouni

Jouni Forss · ‎02-12-2014

Hi,

This is from the Command Reference the thing I referenced above

This is the change introduced when the NAT configuration format changed at 8.3(1)

8.3(1) You can no longer use a named IP address in a nat command or an access-list

command; you must use object network names instead. Although

network-object commands in an object group accept object network

names, you can still also use a named IP address identified by the name

command.

- Jouni

jfwarren1 · ‎02-12-2014

Thanks so much!!!

Jouni Forss · ‎02-12-2014

Hi,

Glad if it helped

Please do remember to mark a reply as the correct answer if it answered your question.

- Jouni

mvsheik123 · ‎02-12-2014

Hi,

Post 8.2 (8.3 and above) 'name' command changed to 'object network'. So you need to create another object network similar to your private ip.

EX:

object network public-10.11.10.1

host 12.236.93.72

object network obj-10.11.10.1

host 10.11.10.1

nat (inside,outside) static public-10.11.10.1

Check the below link (search for key word 'name')

http://www.cisco.com/c/en/us/td/docs/security/asa/asa83/upgrading/migrating.html#wp106866

hth

MS