On Tue, Sep 18, 2012 at 14:09:50, marc abel wrote:
> Subject: OT: ASA 8.3 NAT question
>
> Sorry for the OT but I am banging my head in the documentation.
>
> In ASA 8.3 and later is it possible to use object-groups to do standard PAT?
> The documentation seems to make it seem so but I can't find any examples.
> The examples all just use plain Objects (not object-groups). When I
> try a similar syntax under Object groups I don't see the same options.
>
hostname(config)# object network nat-range1
hostname(config-network-object)# range 10.10.10.10 10.10.10.20
hostname(config-network-object)# object network pat-ip1
hostname(config-network-object)# host 10.10.10.21
hostname(config-network-object)# object-group network nat-pat-grp
hostname(config-network-object-group)# network-object object nat-range1
hostname(config-network-object-group)# network-object object pat-ip1
hostname(config-network-object-group)# object network outbound_NAT
hostname(config-network-object)# subnet 10.76.11.0 255.255.255.0
hostname(config-network-object)# nat (inside,outside) dynamic nat-pat-grp interface
equivalent to (pre-8.3 syntax)
access-list outbound-nat permit ip 10.76.11.0 255.255.255.0 any
nat (inside) 10 access-list outbound-nat
global (outside) 10 10.10.10.10-10.10.10.20 <- one-to-one range
global (outside) 10 10.10.10.21 <- PAT
global (outside) 10 interface <- exhaustion pool after 65535 xlates
>
> ASA(config-network-object)# nat ?
>
> network-object mode commands/options:
> ( Open parenthesis for (<real_if_name>,<mapped_if_name>) pair
> where
> <real_if_name> is the prenat interface and <mapped_if_name> is the
> postnat interface
> dynamic Specify NAT type as dynamic
> static Specify NAT type as static
>
>
> ASA(config-network-object-group)# nat ?
>
> configure mode commands/options:
> ( Open parenthesis for
> (<internal_if_name>,<external_if_name>)
> pair where <internal_if_name> is the Internal or prenat
> interface and <external_if_name> is the External or postnat
> interface
> <1-2147483647> Position of NAT rule within before auto section
> after-auto Insert NAT rule after auto section
> source Source NAT parameters
>
>
>
> What I am trying to do is PAT a bunch of different subnets into the
> same external IP without having to create an object for each individual subnet.
> The subnets aren't contiguous so I can't just use a bigger mask or a range.
>
Use an object-group for this and do twice NAT with dynamic.
object-group network nat-alot-of-stuff
 network-object 10.10.10.0 255.255.255.0
 network-object 10.10.20.0 255.255.255.0
nat (inside,outside) source dynamic nat-alot-of-stuff interface
-ryan
Received on Thu Sep 20 2012 - 13:34:58 ART