dynamic NAT for 2 interfaces with ASA 8.4(2)

Wilco Fong
Level 1

I have an ASA 5510 running version 8.4(2).

I need help creating 2 dynamic NATs for 2 interfaces. Here is what I have.

Outside interface

Inside interface

DMZ interface

backup interface

Here is my NAT:

object network DMZ-10.1.8.0_24
 nat (dmz,outside) dynamic interface
object network INSIDE-10.1.7.0_24
 nat (inside,outside) dynamic interface

I want to add an additional NAT like:

"object network INSIDE-10.1.7.0_24
 nat (inside,backup) dynamic interface"

But it does not allow me to add it; once I add it, it removes "nat (inside,outside) dynamic interface". My goal is to have the inside network and the DMZ network translate to the backup network interface without affecting the current outside NAT. The backup interface is a private network which connects to a different network, with other untrusted connections connected to that network. Thanks in advance for your advice.

Accepted Solution

guibarati
Level 4

You need to create another object with the same IP address and use this new object for NAT. Example:

object network INSIDE-10.1.7.0_24-2
 subnet 10.1.7.0 255.255.255.0
 nat (inside,backup) dynamic interface

Also, if the backup interface has the same security level as the inside interface, you need to allow the traffic explicitly because it's denied by default. Use the command

same-security-traffic permit inter-interface

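Putting the accepted answer together for both the inside and the DMZ subnet, as an added example that is not part of the thread. The interface names and subnets are the ones given in the question; the `-BACKUP` object names, the test host 10.1.7.10 and the test destination 192.0.2.10 are assumed for illustration only. The reason the second object is needed is that object (auto) NAT on ASA 8.3 and later accepts exactly one `nat` line per network object, so entering a second `nat` under the same object replaces the first; two objects that share the same subnet are legitimate and each carries one rule.

```text
! Added example (not from the thread): full object-NAT layout for the ASA 8.4 case above.
! Interface names and subnets come from the question; object names ending in
! -BACKUP, host 10.1.7.10 and destination 192.0.2.10 are assumed for illustration.
!
! One "object network" holds one "nat" line, so each real subnet gets one
! object per egress interface. The second object re-uses the same subnet.
object network INSIDE-10.1.7.0_24
 subnet 10.1.7.0 255.255.255.0
 nat (inside,outside) dynamic interface
object network INSIDE-10.1.7.0_24-BACKUP
 subnet 10.1.7.0 255.255.255.0
 nat (inside,backup) dynamic interface
object network DMZ-10.1.8.0_24
 subnet 10.1.8.0 255.255.255.0
 nat (dmz,outside) dynamic interface
object network DMZ-10.1.8.0_24-BACKUP
 subnet 10.1.8.0 255.255.255.0
 nat (dmz,backup) dynamic interface
!
! Which of the two rules fires for a given packet is decided by the routing
! lookup for the destination: a packet routed out "backup" matches the
! (x,backup) rule, a packet routed out "outside" matches the (x,outside) rule.
! The NAT table does not override the route.
!
! Only needed if inside (or dmz) and backup carry the SAME security level.
! This command is global: it also permits forwarding between every other pair
! of equal-level interfaces (for example outside <-> backup if both are 0),
! so apply access-groups on those interfaces that deny what you do not want.
same-security-traffic permit inter-interface
!
! Verification (exec mode):
!   show nat                 -> both (inside,outside) and (inside,backup) rules
!                               listed under section 2 with their hit counts
!   packet-tracer input inside tcp 10.1.7.10 40000 192.0.2.10 80
!                            -> the NAT phase should name the (inside,backup)
!                               rule when 192.0.2.10 is routed via backup
```

If `packet-tracer` reports the (inside,outside) rule instead, the route to the test destination points out `outside`, not `backup`; fix the route first, because object NAT selects the rule by the egress interface the routing lookup returns. On the second part of the answer: the thread later states that `backup` shares its security level with `outside`, not with `inside`, so `same-security-traffic permit inter-interface` is not required for inside-to-backup traffic in that setup, and enabling it anyway opens the outside-to-backup path between two untrusted segments unless the interface ACLs block it.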

3 Replies

Colin Higgins
Level 2

OK, dumb question, but does the backup interface have an IP address and security level assigned?

Wilco Fong

Hi Colin,

Thanks for your reply. Yes, the backup interface has the same security level as outside, and it has an IP assigned.
