Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
724
Views
0
Helpful
5
Replies

help with new NAT config

matthewatt
Level 1
Level 1

‎02-22-2012 08:52 AM - edited ‎03-11-2019 03:33 PM

I'm struggling to get my NAT working as I am upgrading from a PIX to an ASA running 8.4. I'm trying to duplicate the following that was taken from the PIX:

PIX NAT shown here:

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

global (outside) 1 interface

global (outside) 1 x.x.x.x

On the ASA, I did the following:

object network obj_any
subnet 0.0.0.0 0.0.0.0
nat (inside,outside) dynamic interface

And then I added the command below and it overrode my first command

nat (inside,outside) dynamic x.x.x.x

I'm not quite sure how to get it to PAT to the interface, and also use a specific IP for a backup overload. In any case, I tried to remove the last nat that was applied and got this error:

FW(config)# no nat (inside,outside) dynamic x.x.x.x

no nat (inside,outside) dynamic x.x.x.x
                        ^
ERROR: % Invalid input detected at '^' marker.

I can't seem to remove this NAT. When I try to put my first NAT back in place, I get:

FW(config)# nat (inside,outside) dynamic interface
                                                         ^
ERROR: % Invalid input detected at '^' marker.

what am I doing wrong here? If I can't specify both and interface and an ip for the NAT, I can live with that. However, I prefer I use the interface rather than the specific ip if I can only use one. But I can't seem to get it removed. I don't dare use the "clear configure nat" command as I have a whole bunch of static NAT in place that I don't want to have to re-enter.

Labels:
0 Helpful
5 Replies 5

Marvin Rhoads
Hall of Fame
Hall of Fame

‎02-22-2012 09:56 AM

I believe your inability to use the "no..." command is because you are trying to remove an object NAT rule. You need to enter that command from within the network object configuration mode (as oppposed to the global mode). Reference

So go back into config mode, then enter the command "object network obj_any". You should have a prompt that looks something like:

     hostname(config-network-object)#

Then you should be able to do the "no nat... " command.

0 Helpful

matthewatt
Level 1
Level 1
In response to Marvin Rhoads

‎02-22-2012 10:14 AM

Thanks for that. I knew it had to be something simple I was missing!

Does anyone know if you can continue to put in a nat statement on the new code that will give me the same as the following does on a PIX?

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

global (outside) 1 interface

global (outside) 1 x.x.x.x

0 Helpful

Julio Carvajal
VIP Alumni
VIP Alumni
In response to matthewatt

‎02-22-2012 10:25 AM

Yes, You can

It will be

nat (inside,outside) source dynamic any interface

Regards,

Do rate helpful posts.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful

matthewatt
Level 1
Level 1
In response to Julio Carvajal

‎02-23-2012 05:52 AM

I don't understand how that gives me the ability to PAT to the interface as well as a separate IP address, defined as x.x.x.x in my example. As I don't see reference to an IP address in your example, how can your command be provding that?

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to matthewatt

‎02-23-2012 01:21 PM

The examples I have seen usually specify using an address (or address range) for the dynamic NAT with the interface as a PAT fallback. See for example here.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card