NAT syntax in 8.3+ ASA

phanophish
Level 1

So I understand the basic syntax for NATing a single internal network to an outside interface for allowing internet access. Something like below...

 

object network NAT_INSIDE_NETS
  subnet 10.0.0.0 255.255.255.0

object network NAT_INSIDE_NETS
  nat (inside,outside) dynamic interface

 

The problem arises if I have more than 1 non-contiguous network that I would like to flow through the same interfaces. The only way I can seem to find to allow more than one subnet to be specified for the command above is the "range" command. My issue is my internal networks are not in a nice clean range.

 

Ideally I would like something like this, with a single object that manages the NAT for all of my internal networks...

object network NAT_INSIDE_NETS
  subnet 10.0.0.0 255.255.255.0
  subnet 10.0.1.0 255.255.255.0
  subnet 10.0.5.0 255.255.255.0

object network NAT_INSIDE_NETS
  nat (inside,outside) dynamic interface

 

Unfortunately the ASA only allows the single subnet to be specified as part of the object.

 

Is my only option to go to something like this, and have an independent object for each of my internal networks?

object network NAT_INSIDE_10.0.0.x
  subnet 10.0.0.0 255.255.255.0

object network NAT_INSIDE_10.0.0.x
  nat (inside,outside) dynamic interface

 

object network NAT_INSIDE_10.0.1.x
  subnet 10.0.1.0 255.255.255.0

object network NAT_INSIDE_10.0.1.x
  nat (inside,outside) dynamic interface

 

object network NAT_INSIDE_10.0.5.x
  subnet 10.0.5.0 255.255.255.0

object network NAT_INSIDE_10.0.5.x
  nat (inside,outside) dynamic interface

 

I'm hoping I'm missing something and there is a better way to handle the multiple inside networks I have behind a single named interface.

3 Replies

Jouni Forss
VIP Alumni

Hi,

 

The solution in your case would be to use an "object-group network" to handle defining the source addresses/subnets for your Dynamic PAT configuration as (as you state) the "object network" can only contain a single host/subnet/range.

 

That being said, this would also mean that you would be using a different NAT configuration format. What I mean by this is that the above NAT configurations that you list are Auto NAT / Network Object NAT.

 

The other type of NAT in the new software is Manual NAT and this is what I would suggest to make your Dynamic PAT more compact.

 

So let's say you have 3 internal LAN subnets and want to do Dynamic PAT for them. Then you could use this configuration:

 

object-group network LAN-SUBNETS
 network-object 10.10.10.0 255.255.255.0
 network-object 10.10.20.0 255.255.255.0
 network-object 10.10.30.0 255.255.255.0

 

nat (inside,outside) after-auto source dynamic LAN-SUBNETS interface

 

Notice that in the above configuration the "nat" command IS NOT located under the "object-group". It simply uses the created "object-group" as its parameter. You won't be able to configure any "nat" commands under the "object-group".

 

Let's take another situation. Let's say that in addition to the 3 LAN subnets behind the "inside" interface you also have a couple of DMZ interfaces and perhaps some other server subnet, all behind their own interface, and you want to configure Dynamic PAT using the same public IP address for all of these without resorting to too much configuration. Then you could use this configuration:

 

object-group network LAN-SUBNETS
 network-object 10.10.10.0 255.255.255.0
 network-object 10.10.20.0 255.255.255.0
 network-object 10.10.30.0 255.255.255.0
 network-object 192.168.1.0 255.255.255.0
 network-object 192.168.2.0 255.255.255.0
 network-object 172.16.1.0 255.255.255.0

 

nat (any,outside) after-auto source dynamic LAN-SUBNETS interface

 

The above configuration itself is not much different from the first example, but as you can see we have changed the source interface to "any". This means that the ASA will accept any source interface when matching against this Dynamic PAT configuration. The "object-group" we use in the configuration will define which source addresses are actually matched in this configuration.

 

So as you can see we can handle Dynamic PAT for all the internal subnets with a single "nat" command.

 

Hope this helps :)

 

- Jouni

Also just to add,

 

If you want to read something about the new NAT configuration format you could take a look at a document I wrote in 2013. You can find it here:

 

https://supportforums.cisco.com/document/132066/asa-nat-83-nat-operation-and-configuration-format-cli

 

Granted I never did finish it to the state that I liked to see it in. Maybe some day :)

 

- Jouni

Would this also work for NAT exemptions? This is for the purpose of communication of internal/dmz networks via L2L tunnel.

object-group network REMOTE-SUBNETS
 network-object 172.16.10.0 255.255.255.0
 network-object 172.16.20.0 255.255.255.0

nat (any,outside) source static LAN-SUBNETS LAN-SUBNETS destination static REMOTE-SUBNETS REMOTE-SUBNETS

 

Thank you,

V
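The following is an added, complete ASA 8.3+ configuration example that is not from any post in this thread; it ties together the Manual NAT / object-group approach in Jouni's answer with the NAT-exemption question in V's follow-up. The interface names, subnets, object names and the two test destinations are assumptions chosen for illustration. The point it demonstrates is rule order: a Manual NAT rule without "after-auto" lands in Section 1 and is evaluated before the "after-auto" Dynamic PAT in Section 3, which is what keeps tunnel-bound traffic from being PATed to the outside address and failing to match the L2L crypto map. The "route-lookup" keyword is available on 8.4(2) and later.

```cisco
! Added example (not from the thread). Interface names, subnets and
! object names are assumed; adjust them to your own environment.

! Inside subnets that should share the outside interface address for Dynamic PAT
object-group network LAN-SUBNETS
 network-object 10.10.10.0 255.255.255.0
 network-object 10.10.20.0 255.255.255.0
 network-object 10.10.30.0 255.255.255.0
 network-object 192.168.1.0 255.255.255.0

! Subnets reached across the L2L tunnel; traffic to them must keep its real source address
object-group network REMOTE-SUBNETS
 network-object 172.16.10.0 255.255.255.0
 network-object 172.16.20.0 255.255.255.0

! Section 1 (Manual NAT, evaluated first): identity NAT for tunnel traffic.
! No "after-auto" here, so this rule is checked before the Dynamic PAT below.
! no-proxy-arp / route-lookup keep the ASA from answering ARP for the untranslated
! addresses on the outside and make it route by its routing table for this rule.
nat (any,outside) source static LAN-SUBNETS LAN-SUBNETS destination static REMOTE-SUBNETS REMOTE-SUBNETS no-proxy-arp route-lookup

! Section 3 (Manual NAT after-auto, evaluated last): Dynamic PAT for everything else
nat (any,outside) after-auto source dynamic LAN-SUBNETS interface

! Verify the resulting section order and per-rule hit counts
show nat detail

! Confirm a tunnel-bound packet matches the identity rule (source address unchanged)
packet-tracer input inside tcp 10.10.10.5 1025 172.16.10.5 443

! Confirm an Internet-bound packet matches the Dynamic PAT rule (assumed public destination)
packet-tracer input inside tcp 10.10.10.5 1025 198.51.100.10 443
```

If the identity rule had been written with "after-auto" as well, both rules would sit in Section 3 and be evaluated in configuration order, so the safer habit is to leave exemptions in Section 1 and check "show nat detail" after any change to see which section each rule landed in.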
