Solved: Re: Object-Group

estelamathew · ‎12-25-2011

Hello Dears

I m grouping {object network} to one object group for the Dynamic PAT, But there is no option of dynamic after Nat (inside,outside)

ciscoasa(config)# sh run object-group

object-group network outside-interface

network-object object obj-20.20.20.0

network-object object obj-30-30-30-30

ciscoasa(config)# object-group network outside-interface

ciscoasa(config-network-object-group)# nat (inside,outside) ?

configure mode commands/options:

<1-2147483647> Position of NAT rule within before auto section

after-auto Insert NAT rule after auto section

source Source NAT parameters

Tx

Julio Carvajal · ‎12-26-2011

Hello Estela,

Good to hear from you.

Today while I was doing some labs recreations, I could confirm that now object-groups are supported for the nat statements as well as the ACLs.

Now I will response to your first question on this post.

Question1 :I m grouping {object network} to one object group for the Dynamic PAT, But there is no option of dynamic after Nat (inside,outside)

Answer 1: The correct syntax would be

-nat (inside,outside) source dynamic outside-interface interface

Question 2:

according to ur example what this command will do :

Nat (inside,outside) source dynamic 1.1.1.1-host 2.2.2.2-host

Answer 2:

This nat statement will nat with pat (dynamic) all the object network 1.1.1.1-host to the outside object network 2.2.2.2-host.

Hope this helps! any other question let me know,

Regards,

Do please rate helpful posts.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

View solution in original post

Julio Carvajal · ‎12-25-2011

Hello Estela,

Object-groups will be used for the ACLs, on the nat you cannot use them, you can use object networks (host,subnet, or range of ip addresses) and object services(Protocol, port)

The syntax will be like this:

object network 1.1.1.1-host

host 1.1.1.1

object network 2.2.2.2-host

host 2.2.2.2

Nat (inside,outside) source dynamic 1.1.1.1-host 2.2.2.2-host

Please do rate helpful posts.

Kind regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

estelamathew · ‎12-25-2011

Hello Julio

according to ur example what this command will do :

Nat (inside,outside) source dynamic 1.1.1.1-host 2.2.2.2-host

And please find the attached file, Check the section { NAT & Interface PAT with additional PAT together}

i think somebody has share wrong information.

Tx

Julio Carvajal · ‎12-26-2011

Hello Estela,

Good to hear from you.

Today while I was doing some labs recreations, I could confirm that now object-groups are supported for the nat statements as well as the ACLs.

Now I will response to your first question on this post.

Question1 :I m grouping {object network} to one object group for the Dynamic PAT, But there is no option of dynamic after Nat (inside,outside)

Answer 1: The correct syntax would be

-nat (inside,outside) source dynamic outside-interface interface

Question 2:

according to ur example what this command will do :

Nat (inside,outside) source dynamic 1.1.1.1-host 2.2.2.2-host

Answer 2:

This nat statement will nat with pat (dynamic) all the object network 1.1.1.1-host to the outside object network 2.2.2.2-host.

Hope this helps! any other question let me know,

Regards,

Do please rate helpful posts.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC