
New Member

NAT 8.6 multiple subnets in a single static NAT

Hello all, I have this question, probably a pretty easy one to answer, but unfortunately I can't test it myself in a production environment right now.

Do you know if it is possible to have in ASA 8.6 a static NAT rule with multiple subnets in both object groups? I currently have one-to-one subnet translation, but I need to add another two subnets.

Today's configuration is this

*** FROM ONE SUBNET TO ANOTHER ***

object-group network REGIONAL-SOURCE
 network-object 10.1.1.0 255.255.255.0
object-group network REGIONAL-NAT
 network-object 10.1.201.0 255.255.255.0

nat (Outside,Inside) after-auto source static REGIONAL-SOURCE REGIONAL-NAT dns

What I need to accomplish is to add two new subnets, but I want to see if it is possible to do it using the same NAT rule, just adding the 2 new subnets.

10.1.2.0/24 natted to 10.1.202.0 255.255.255.0

10.1.3.0/24 natted to 10.1.203.0 255.255.255.0

*** TWO MORE SUBNETS ARE NEEDED ***

object-group network REGIONAL-SOURCE
 network-object 10.1.2.0 255.255.255.0
 network-object 10.1.3.0 255.255.255.0
object-group network REGIONAL-NAT
 network-object 10.1.202.0 255.255.255.0
 network-object 10.1.203.0 255.255.255.0

If this is not possible, I understand separate objects should be created with individual NAT rules. I appreciate your comments and help.

2 ACCEPTED SOLUTIONS

Super Bronze

Re: NAT 8.6 multiple subnets in a single static NAT

Hi,

This should be no problem. It should work as you have thought.

I tested the configurations on my own ASA:

object-group network REGIONAL-SOURCE
 network-object 10.1.1.0 255.255.255.0
 network-object 10.1.2.0 255.255.255.0
 network-object 10.1.3.0 255.255.255.0
object-group network REGIONAL-NAT
 network-object 10.1.201.0 255.255.255.0
 network-object 10.1.202.0 255.255.255.0
 network-object 10.1.203.0 255.255.255.0

nat (LAN,WAN) source static REGIONAL-SOURCE REGIONAL-NAT

Here are the results of the "packet-tracer" to show the translations:

ASA(config)# packet-tracer input LAN tcp 10.1.1.100 12345 7.7.7.7 80

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (LAN,WAN) source static REGIONAL-SOURCE REGIONAL-NAT
Additional Information:
Static translate 10.1.1.100/12345 to 10.1.201.100/12345

ASA(config)# packet-tracer input LAN tcp 10.1.2.100 12345 7.7.7.7 80

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (LAN,WAN) source static REGIONAL-SOURCE REGIONAL-NAT
Additional Information:
Static translate 10.1.2.100/12345 to 10.1.202.100/12345

ASA(config)# packet-tracer input LAN tcp 10.1.3.100 12345 7.7.7.7 80

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (LAN,WAN) source static REGIONAL-SOURCE REGIONAL-NAT
Additional Information:
Static translate 10.1.3.100/12345 to 10.1.203.100/12345

As you can see, everything is fine.

Naturally, take into consideration that if you were to (for some reason) remove a "network-object" statement from some "object-group", then the operation of the "nat" would change even if you entered the removed "network-object" back (unless you removed the last "network-object" inside the "object-group"). This is because the order of the "network-object" entries inside the "object-group" would change. You would essentially have to recreate the "object-group" and "nat" configuration.

Hope this helps

Please do remember to mark a reply as the correct answer if it answered your question.

Feel free to ask more if needed

- Jouni
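The answer above relies on two things the ASA does with object-group static NAT: it pairs the nth entry of the real group with the nth entry of the mapped group, and removing and re-adding an entry moves it to the end of the group, which silently re-pairs subnets. The following Python model, added here as an example and not Cisco or ASA code, reproduces both behaviours on the object-groups from the answer so you can see what the packet-tracer output would look like before and after such an edit (the positional pairing is an assumption drawn from the answer, not from Cisco documentation).

```python
import ipaddress

# Constructed input: the object-group lines from the tested configuration above.
SOURCE_LINES = [
    "network-object 10.1.1.0 255.255.255.0",
    "network-object 10.1.2.0 255.255.255.0",
    "network-object 10.1.3.0 255.255.255.0",
]
NAT_LINES = [
    "network-object 10.1.201.0 255.255.255.0",
    "network-object 10.1.202.0 255.255.255.0",
    "network-object 10.1.203.0 255.255.255.0",
]


def parse_object_group(lines):
    """Turn 'network-object ADDR MASK' lines into networks, preserving CLI order."""
    nets = []
    for line in lines:
        parts = line.split()
        if len(parts) == 3 and parts[0] == "network-object":
            nets.append(ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False))
    return nets


def static_translate(source_lines, nat_lines, host):
    """Model of 'nat source static A B': the nth subnet of A maps to the nth subnet
    of B with the host offset preserved. Returns the mapped address, or None when
    no entry matches (the packet would fall through to other nat rules)."""
    real, mapped = parse_object_group(source_lines), parse_object_group(nat_lines)
    if len(real) != len(mapped):
        raise ValueError("object-groups must have the same number of entries")
    addr = ipaddress.ip_address(host)
    for r, m in zip(real, mapped):
        if addr in r:
            if r.prefixlen != m.prefixlen:
                raise ValueError(f"{r} and {m} are not the same size")
            return str(m.network_address + (int(addr) - int(r.network_address)))
    return None


def remove_and_readd(lines, entry):
    """Simulate 'no network-object ...' followed by re-adding the same line:
    the entry comes back at the END of the object-group, so the pairing shifts."""
    return [line for line in lines if line != entry] + [entry]


if __name__ == "__main__":
    for h in ("10.1.1.100", "10.1.2.100", "10.1.3.100"):
        print(h, "->", static_translate(SOURCE_LINES, NAT_LINES, h))
    shifted = remove_and_readd(SOURCE_LINES, SOURCE_LINES[0])
    print("after re-adding 10.1.1.0:", static_translate(shifted, NAT_LINES, "10.1.1.100"))
```

After re-adding the first entry, 10.1.1.100 is translated to 10.1.203.100 and 10.1.2.100 to 10.1.201.100, which is the re-pairing the answer warns about; running "packet-tracer" after any object-group change is the way to catch it.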

Super Bronze

NAT 8.6 multiple subnets in a single static NAT

Also,

Just wanted to point out that naturally my "nat" configuration is a bit different. It's a Section 1 Manual NAT, while your example is a Section 3 Manual NAT (because of the "after-auto" parameter in the command).

So there is a chance that the new source networks being added to the "nat" command through the "object-group" might have some existing "nat" rules that override this new addition. You can naturally use the "packet-tracer" command to confirm that after the additions everything is matching the correct "nat" rule. If not, then you can naturally move the "nat" rule to a bit higher priority if the rest of the configuration permits it.

- Jouni

3 REPLIES

New Member

NAT 8.6 multiple subnets in a single static NAT

Hi Jouni,

Thank you for your answer. I have a maintenance window next week; I will definitely mark "Correct answer" by next Wednesday if everything works as expected. I much appreciate your help on this matter.

