Re: ASA 8.3 NAT question

From: Jay McMickle <jay.mcmickle_at_yahoo.com>
Date: Thu, 20 Sep 2012 20:14:49 -0700 (PDT)

Ryan beat me to it, but yes, I agree with Ryan.

8.3+ has been challenging to learn, but we're coming around!

Regards,
Jay McMickle - 3x CCNP (R&S, Security, Design), CCIE #35355 (R&S)

________________________________
From: Ryan West <rwest_at_zyedge.com>
To: marc abel <marcabel_at_gmail.com>; Cisco certification <ccielab_at_groupstudy.com>
Sent: Thursday, September 20, 2012 7:34 AM
Subject: RE: ASA 8.3 NAT question
On Tue, Sep 18, 2012 at 14:09:50, marc abel wrote:
> Subject: OT: ASA 8.3 NAT question
>
> Sorry for the OT but I am banging my head in the documentation.
>
> In ASA 8.3 and later is it possible to use object-groups to do standard PAT?
> The documentation seems to make it seem so but I can't find any examples.
> The examples all just use plain Objects (not object-groups). When I
> try a similar syntax under Object groups I don't see the same options.
>

hostname(config)# object network nat-range1
hostname(config-network-object)# range 10.10.10.10 10.10.10.20
hostname(config-network-object)# object network pat-ip1
hostname(config-network-object)# host 10.10.10.21
hostname(config-network-object)# object-group network nat-pat-grp
hostname(config-network-object-group)# network-object object nat-range1
hostname(config-network-object-group)# network-object object pat-ip1
hostname(config-network-object-group)# object network outbound_NAT
hostname(config-network-object)# subnet 10.76.11.0 255.255.255.0
hostname(config-network-object)# nat (inside,outside) dynamic nat-pat-grp interface

equivalent to

access-list outbound-nat permit ip 10.76.11.0 255.255.255.0 any
nat (inside) 10 access-list outbound-nat
global (outside) 10 10.10.10.10-10.10.10.20     <- one-to-one range
global (outside) 10 10.10.10.21                 <- PAT
global (outside) 10 interface                   <- exhaustion pool after 65535 xlates

>
> ASA(config-network-object)# nat ?
>
> network-object mode commands/options:
>   (        Open parenthesis for (<real_if_name>,<mapped_if_name>) pair where
>            <real_if_name> is the prenat interface and <mapped_if_name> is the postnat interface
>   dynamic  Specify NAT type as dynamic
>   static   Specify NAT type as static
>
>
> ASA(config-network-object-group)# nat ?
>
> configure mode commands/options:
>   (               Open parenthesis for (<internal_if_name>,<external_if_name>) pair where
>                   <internal_if_name> is the Internal or prenat interface and <external_if_name> is the External or postnat interface
>   <1-2147483647>  Position of NAT rule within before auto section
>   after-auto      Insert NAT rule after auto section
>   source          Source NAT parameters
>
>
>
> What I am trying to do is PAT a bunch of different subnets into the same external IP without having to create an object for each individual subnet.
> The subnets aren't contiguous so I can't just use a bigger mask or a range.
>

Use an object-group for this and do twice NAT with dynamic.

object-group network nat-alot-of-stuff
 network-object 10.10.10.0 255.255.255.0
 network-object 10.10.20.0 255.255.255.0

nat (inside,outside) source dynamic nat-alot-of-stuff interface

-ryan
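As an added example (not code from the thread or from Cisco), the script below generates both forms Ryan compares above for a list of non-contiguous inside subnets: the 8.3+ object-group plus manual (twice) NAT rule, and the pre-8.3 access-list/nat/global equivalent. It validates the subnet list first, since the ASA rejects a network-object whose address does not align to its mask, and an overlapping entry would silently widen what gets translated. The group and ACL names, interface names and sample subnets are assumptions for the example.

```python
import ipaddress


def parse_subnets(subnets):
    """Validate and normalise the inside subnets.

    strict=True makes ipaddress reject '10.10.20.5/24' (host bits set), matching
    the ASA's refusal of a misaligned network-object. Overlapping entries are
    rejected because the broader one would quietly match more than intended.
    """
    nets = []
    for s in subnets:
        net = ipaddress.ip_network(s, strict=True)  # ValueError on host bits set
        for seen in nets:
            if net.overlaps(seen):
                raise ValueError(f"{net} overlaps {seen}")
        nets.append(net)
    if not nets:
        raise ValueError("no subnets given")
    return sorted(nets)


def twice_nat_config(group, subnets, real_if="inside", mapped_if="outside"):
    """8.3+ form from the thread: one object-group and one manual (twice) NAT rule."""
    lines = [f"object-group network {group}"]
    lines += [f" network-object {n.network_address} {n.netmask}" for n in parse_subnets(subnets)]
    lines.append(f"nat ({real_if},{mapped_if}) source dynamic {group} interface")
    return lines


def legacy_config(acl, nat_id, subnets, real_if="inside", mapped_if="outside"):
    """Pre-8.3 equivalent, as in the 'equivalent to' block: ACL plus nat/global pair."""
    lines = [f"access-list {acl} permit ip {n.network_address} {n.netmask} any"
             for n in parse_subnets(subnets)]
    lines.append(f"nat ({real_if}) {nat_id} access-list {acl}")
    lines.append(f"global ({mapped_if}) {nat_id} interface")
    return lines


def is_translated(subnets, host):
    """True if traffic sourced from host matches the group and would be PATed."""
    addr = ipaddress.ip_address(host)
    return any(addr in n for n in parse_subnets(subnets))


def rejects(subnets):
    """True when parse_subnets refuses the list (misaligned or overlapping entry)."""
    try:
        parse_subnets(subnets)
    except ValueError:
        return True
    return False


# Constructed sample input: two non-contiguous inside subnets (not from the thread).
SAMPLE = ["10.10.10.0/24", "10.10.20.0/24"]

if __name__ == "__main__":
    print("\n".join(twice_nat_config("nat-alot-of-stuff", SAMPLE)))
    print("!")
    print("\n".join(legacy_config("outbound-nat", 10, SAMPLE)))
```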

Blogs and organic groups at http://www.ccie.net
Received on Thu Sep 20 2012 - 20:14:49 ART

This archive was generated by hypermail 2.2.0 : Mon Oct 01 2012 - 06:40:29 ART