Re: ASA 8.3 NAT question

From: marc abel <marcabel_at_gmail.com>
Date: Thu, 20 Sep 2012 15:19:59 -0500

Thank you Ryan. That is the conclusion I finally came to after banging my
head into a wall for half a day trying to do it as Object Nat.

On Thu, Sep 20, 2012 at 8:34 AM, Ryan West <rwest_at_zyedge.com> wrote:

> On Tue, Sep 18, 2012 at 14:09:50, marc abel wrote:
> > Subject: OT: ASA 8.3 NAT question
> >
> > Sorry for the OT but I am banging my head in the documentation.
> >
> > In ASA 8.3 and later is it possible to use object-groups to do standard PAT?
> > The documentation seems to make it seem so but I can't find any examples.
> > The examples all just use plain Objects (not object-groups). When I
> > try a similar syntax under Object groups I don't see the same options.
> >
>
> hostname(config)# object network nat-range1
> hostname(config-network-object)# range 10.10.10.10 10.10.10.20
> hostname(config-network-object)# object network pat-ip1
> hostname(config-network-object)# host 10.10.10.21
> hostname(config-network-object)# object-group network nat-pat-grp
> hostname(config-network-object)# network-object object nat-range1
> hostname(config-network-object)# network-object object pat-ip1
> hostname(config-network-object)# object network outbound_NAT
> hostname(config-network-object)# subnet 10.76.11.0 255.255.255.0
> hostname(config-network-object)# nat (inside,outside) dynamic nat-pat-grp interface
>
> equivalent to
>
> access-list outbound-nat permit ip 10.76.11.0 255.255.255.0 any
> nat (inside) 10 access-list outbound-nat
> global (outside) 10 10.10.10.10-10.10.10.20 <- one to one range
> global (outside) 10 10.10.10.21 <- PAT
> global (outside) 10 interface <- exhaustion pool after 65535 xlates
>
> >
> > ASA(config-network-object)# nat ?
> >
> > network-object mode commands/options:
> > ( Open parenthesis for (<real_if_name>,<mapped_if_name>) pair where
> > <real_if_name> is the prenat interface and <mapped_if_name> is the
> > postnat interface
> > dynamic Specify NAT type as dynamic
> > static Specify NAT type as static
> >
> >
> > ASA(config-network-object-group)# nat ?
> >
> > configure mode commands/options:
> > ( Open parenthesis for (<internal_if_name>,<external_if_name>)
> > pair where <internal_if_name> is the Internal or prenat
> > interface and <external_if_name> is the External or postnat
> > interface
> > <1-2147483647> Position of NAT rule within before auto section
> > after-auto Insert NAT rule after auto section
> > source Source NAT parameters
> >
> >
> >
> > What I am trying to do is PAT a bunch of different subnets into the
> > same external IP without having to create an object for each individual subnet.
> > The subnets aren't contiguous so I can't just use a bigger mask or a range.
> >
>
> Use an object-group for this and do twice NAT with dynamic.
>
> object-group network nat-alot-of-stuff
> network-object 10.10.10.0 255.255.255.0
> network-object 10.10.20.0 255.255.255.0
>
> nat (inside,outside) source dynamic nat-alot-of-stuff interface
>
> -ryan
>

-- 
Marc Abel
CCIE #35470
(Routing and Switching)
Received on Thu Sep 20 2012 - 15:19:59 ART
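
The object-group twice NAT from the thread above, written out as an added example that is not part of the original messages: it PATs to a dedicated address instead of the interface and uses the `after-auto` option listed in the quoted help output, so per-host object NAT rules are still matched first. All object names and the 203.0.113.x addresses are placeholders chosen for illustration.

```cisco
! Added example. Names and 203.0.113.x addresses are placeholders.
!
! Non-contiguous inside subnets that should share one PAT address
object-group network inside-pat-sources
 network-object 10.10.10.0 255.255.255.0
 network-object 10.10.20.0 255.255.255.0
!
! Single mapped address; a host object as the mapped side means dynamic PAT
object network pat-outside-ip
 host 203.0.113.10
!
! Hypothetical existing per-host rule (object NAT, evaluated in section 2)
object network mail-server
 host 10.10.10.25
 nat (inside,outside) static 203.0.113.25
!
! Variant A: no position keyword. The rule lands in section 1 (manual NAT),
! ahead of all object NAT, so outbound connections from 10.10.10.25 match
! this rule first and leave as 203.0.113.10, not 203.0.113.25.
! nat (inside,outside) source dynamic inside-pat-sources pat-outside-ip
!
! Variant B: after-auto places the rule in section 3, after object NAT.
! The mail server keeps its static mapping; every other host in the group
! is PATed to 203.0.113.10, with the interface address as fallback.
nat (inside,outside) after-auto source dynamic inside-pat-sources pat-outside-ip interface
!
! Check the resulting rule order and hit counts per section with:
!   show nat detail
! and confirm which mapped address a given inside host is using with:
!   show xlate
```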
