Object-Group

Hello Dears

I'm grouping {object network} to one object group for the Dynamic PAT, but there is no option of dynamic after nat (inside,outside)

ciscoasa(config)# sh run object-group
object-group network outside-interface
 network-object object obj-20.20.20.0
 network-object object obj-30-30-30-30

ciscoasa(config)# object-group network outside-interface
ciscoasa(config-network-object-group)# nat (inside,outside) ?

configure mode commands/options:
  <1-2147483647>  Position of NAT rule within before auto section
  after-auto      Insert NAT rule after auto section
  source          Source NAT parameters

Tx

Accepted Solutions

Re: Object-Group

Hello Estela,

Good to hear from you.

Today, while I was doing some lab recreations, I could confirm that object-groups are now supported for the nat statements as well as the ACLs.

Now I will respond to your first question on this post.

Question 1: I'm grouping {object network} to one object group for the Dynamic PAT, but there is no option of dynamic after nat (inside,outside)

Answer 1: The correct syntax would be

     nat (inside,outside) source dynamic outside-interface interface

Question 2:

According to your example, what will this command do:

Nat (inside,outside) source dynamic 1.1.1.1-host 2.2.2.2-host

Answer 2:

This NAT statement will NAT with PAT (dynamic) all of the object network 1.1.1.1-host to the outside object network 2.2.2.2-host.

Hope this helps! If you have any other questions, let me know.

Regards,

Do please rate helpful posts.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
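
The accepted answer's command in context, as an added example that is not part of the original posts: the manual NAT rule is entered in global configuration mode and references the object-group by name, which matches the "configure mode commands/options" help shown in the question. The subnet and host values behind the two objects are assumptions inferred from their names; the thread does not show them.

```cisco
! Constructed object definitions (addresses are assumed from the object names)
object network obj-20.20.20.0
 subnet 20.20.20.0 255.255.255.0
object network obj-30-30-30-30
 host 30.30.30.30
!
! Object-group from the question, grouping the sources to translate
object-group network outside-interface
 network-object object obj-20.20.20.0
 network-object object obj-30-30-30-30
 exit
!
! Manual NAT rule, entered at ciscoasa(config)# and not inside the group:
!   real source   = object-group outside-interface
!   mapped source = IP address of the outside interface (dynamic PAT)
nat (inside,outside) source dynamic outside-interface interface
!
! Check that the rule is installed, is being hit, and that only the
! intended sources are building translations
show running-config nat
show nat detail
show xlate
```
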
3 REPLIES

Object-Group

Hello Estela,

Object-groups will be used for the ACLs; on the NAT you cannot use them. You can use object networks (host, subnet, or range of IP addresses) and object services (protocol, port).

The syntax will be like this:

object network 1.1.1.1-host
 host 1.1.1.1
object network 2.2.2.2-host
 host 2.2.2.2

Nat (inside,outside) source dynamic 1.1.1.1-host 2.2.2.2-host

Please do rate helpful posts.

Kind regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
Re: Object-Group

Hello Julio

According to your example, what will this command do:

Nat (inside,outside) source dynamic 1.1.1.1-host 2.2.2.2-host

And please find the attached file; check the section { NAT & Interface PAT with additional PAT together}.

I think somebody has shared wrong information.

Tx
