
New Member

Source NAT on ASA 9.1

Hi guys,

I'm trying to configure NAT on an ASA in the following way:

IN 192.168.1.1:443 <- 172.16.1.1:443 OUT - static PAT

IN 192.168.1.13:25 <- 172.16.1.1:25 OUT - static PAT

IN 192.168.1.1, 1.13 -> 172.16.1.1 OUT

IN 192.168.1.0/24 -> 172.16.1.2 OUT - dynamic PAT

How can I map only 192.168.1.1 and 192.168.1.13 to the external IP 172.16.1.1 when they send traffic out?

Everything else should go out with 172.16.1.2.

Thanks.

1 ACCEPTED SOLUTION

Super Bronze

Re: Source NAT on ASA 9.1

Hi,

If I understood you correctly, you want to do the following:

  • Configure 2 Static PAT configurations for SMTP and HTTPS
  • Configure a Dynamic PAT for outbound traffic for the 2 Static PAT hosts
  • Configure a default Dynamic PAT rule for all other outbound traffic

I think the following should accomplish this.

STATIC PAT

object network STATIC-PAT-HTTPS
 host 192.168.1.1
 nat (inside,outside) static 172.16.1.1 service tcp https https
object network STATIC-PAT-SMTP
 host 192.168.1.13
 nat (inside,outside) static 172.16.1.1 service tcp smtp smtp

SERVER DYNAMIC PAT

object-group network SERVERS-PAT-SOURCE
 network-object host 192.168.1.1
 network-object host 192.168.1.13
object network SERVER-PAT
 host 172.16.1.1
nat (inside,outside) after-auto 1 source dynamic SERVERS-PAT-SOURCE SERVER-PAT

DEFAULT DYNAMIC PAT

object-group network DEFAULT-PAT-SOURCE
 network-object 192.168.1.0 255.255.255.0
object network DEFAULT-PAT
 host 172.16.1.2
nat (inside,outside) after-auto source dynamic DEFAULT-PAT-SOURCE DEFAULT-PAT

Naturally the above presumes you have no other conflicting NAT configurations that might interfere with the operation of these configurations.

Notice that the Dynamic PAT configuration for the 2 server IP addresses has an added order/line number "1". This makes sure that the rule is hit first in Section 3 of the NAT rules. Naturally there is still the possibility that the NAT could be overridden depending on your existing configuration.

Notice also that we don't add any such order/line number in the other Dynamic PAT configuration, which is meant for all the other outbound traffic. This means that the NAT rule is added at the bottom of the existing NAT rules in Section 3.

Hope this helps

Please do remember to mark a reply as the correct answer if it answered your question.

Feel free to ask more if needed

- Jouni
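To make the ordering in the reply above concrete, here is a small Python model of how an ASA walks its NAT table for an outbound packet. It is an added example, not configuration or code from this thread or from Cisco: it keeps the three sections the reply refers to (Section 1 manual NAT, Section 2 object/auto NAT, Section 3 manual NAT after-auto), models the "after-auto 1" line number as an insert at the top of Section 3, and lets you see what happens when that "1" is left off and a default PAT was configured earlier. It goes slightly beyond the thread by also placing an identity (NAT exemption) rule in Section 1 to show that it is consulted before either PAT rule. The Section 2 ordering is simplified to "static before dynamic, most specific first", and the 10.0.0.0/24 "VPN" network and the 203.0.113.0/24 destination are constructed addresses.

```python
"""Toy model of the order in which an ASA walks its NAT table for an
outbound packet. Added example; not configuration or code from the thread.
Sections follow the reply: 1 = manual NAT, 2 = object (auto) NAT,
3 = manual NAT after-auto. Object-NAT ordering is simplified to "static
before dynamic, most specific first". 10.0.0.0/24 and 203.0.113.0/24 are
constructed addresses standing in for a VPN network and the Internet."""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

SECTION_MANUAL, SECTION_OBJECT, SECTION_AFTER_AUTO = 1, 2, 3


@dataclass
class NatRule:
    name: str
    section: int
    real_src: tuple[IPv4Network, ...]   # real (inside) addresses the rule covers
    mapped_src: str                     # mapped address, or "identity" (no change)
    static: bool = False                # static sorts before dynamic in Section 2
    dst: Optional[IPv4Network] = None   # manual-NAT destination condition, if any
    proto: Optional[str] = None         # static PAT: protocol of the real port
    real_port: Optional[int] = None     # static PAT: only this real port matches

    def matches(self, src: IPv4Address, dst: IPv4Address, proto: str, sport: int) -> bool:
        if not any(src in net for net in self.real_src):
            return False
        if self.dst is not None and dst not in self.dst:
            return False
        if self.real_port is not None and (proto != self.proto or sport != self.real_port):
            return False
        return True


class NatTable:
    def __init__(self) -> None:
        self.sections: dict[int, list[NatRule]] = {1: [], 2: [], 3: []}

    def add(self, rule: NatRule, line: Optional[int] = None) -> None:
        """Manual NAT (Sections 1 and 3) keeps configuration order unless a
        line number is given; object NAT (Section 2) is re-sorted by the ASA."""
        rules = self.sections[rule.section]
        if rule.section == SECTION_OBJECT:
            rules.append(rule)
            rules.sort(key=lambda r: (not r.static,
                                      -min(n.prefixlen for n in r.real_src),
                                      r.name))
        elif line is None:
            rules.append(rule)              # no line number: bottom of the section
        else:
            rules.insert(line - 1, rule)    # explicit line: that slot in the section

    def lookup(self, src: str, dst: str, proto: str = "tcp",
               sport: int = 50000) -> Optional[NatRule]:
        """First matching rule, walking Section 1, then 2, then 3."""
        s, d = IPv4Address(src), IPv4Address(dst)
        for section in (SECTION_MANUAL, SECTION_OBJECT, SECTION_AFTER_AUTO):
            for rule in self.sections[section]:
                if rule.matches(s, d, proto, sport):
                    return rule
        return None


def build_table(server_rule_line: Optional[int] = 1) -> NatTable:
    """Model the accepted solution. The default PAT is deliberately configured
    before the server PAT so that server_rule_line=None shows what happens
    when the "1" is left off and a default rule already exists."""
    t = NatTable()
    net = IPv4Network
    # Section 1: identity rule for LAN -> VPN traffic (constructed VPN network).
    t.add(NatRule("VPN-EXEMPT", SECTION_MANUAL, (net("192.168.1.0/24"),), "identity",
                  static=True, dst=net("10.0.0.0/24")))
    # Section 2: the two static PATs; each only matches its own real port.
    t.add(NatRule("STATIC-PAT-HTTPS", SECTION_OBJECT, (net("192.168.1.1/32"),), "172.16.1.1",
                  static=True, proto="tcp", real_port=443))
    t.add(NatRule("STATIC-PAT-SMTP", SECTION_OBJECT, (net("192.168.1.13/32"),), "172.16.1.1",
                  static=True, proto="tcp", real_port=25))
    # Section 3: default PAT first (no line number), then the server PAT at line 1.
    t.add(NatRule("DEFAULT-PAT", SECTION_AFTER_AUTO, (net("192.168.1.0/24"),), "172.16.1.2"))
    t.add(NatRule("SERVER-PAT", SECTION_AFTER_AUTO,
                  (net("192.168.1.1/32"), net("192.168.1.13/32")), "172.16.1.1"),
          line=server_rule_line)
    return t


if __name__ == "__main__":
    t = build_table()
    for src, dst, sport in [("192.168.1.1", "203.0.113.10", 443),
                            ("192.168.1.1", "203.0.113.10", 50000),
                            ("192.168.1.50", "203.0.113.10", 50000),
                            ("192.168.1.1", "10.0.0.7", 50000)]:
        r = t.lookup(src, dst, sport=sport)
        print(f"{src}:{sport} -> {dst}: {r.name if r else 'no NAT'}")
```

Running it shows the behaviour the reply describes: a server's own service port hits its static PAT in Section 2, any other outbound connection from the two servers falls through to the line-1 rule in Section 3 and leaves as 172.16.1.1, everything else in 192.168.1.0/24 leaves as 172.16.1.2, and traffic to the VPN network is caught by the Section 1 identity rule before any PAT. Calling `build_table(server_rule_line=None)` places the server rule below an already-configured default PAT, which is exactly the case the explicit "1" guards against.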

5 REPLIES

New Member

Source NAT on ASA 9.1

Hi Jouni,

Thanks for the reply.

It works great.

Thanks.

New Member

Re: Source NAT on ASA 9.1

Hi Jouni,

Short question.

How can I integrate the NAT exemption rules for VPN traffic?

If I run packet-tracer with the regular NAT exemption and the Section 3 rules, the packet will be dropped.

E.g.: nat (inside,outside) source static LAN LAN destination static VPN VPN -> this will end up in Section 1/Manual NAT and will not be matched.

LAN: 192.168.1.0

Thanks.

Super Bronze

Source NAT on ASA 9.1

Hi,

I am not quite sure I follow you.

Are you saying that you have some NAT Exempt rule for VPN traffic and it's not getting matched at all?

Could you share the "packet-tracer" command you used and the NAT Exempt configuration, with the object configurations included?

- Jouni

New Member

Source NAT on ASA 9.1

My bad.

Previously I modified the object to another range.

It works as expected.

Thanks again.
