Re: NAT question on ASA 8.3 or above

From: Myung-Soo Ko <bacchus21_at_gmail.com>
Date: Fri, 2 Aug 2013 13:14:21 +0900

I put the dynamic static NAT first and the object NAT configuration next. It
seems the first dynamic static NAT works, but the second object NAT
doesn't work. Any clue? I included the configuration as an example to check
whether the configuration itself is grammatically OK or not.

===========================================================
object-group network CLIENTS_REAL
 network-object 172.16.0.0 255.255.0.0

nat (inside,outside) source dynamic CLIENTS_REAL interface
===========================================================

=====================================================================
Old (pre 8.3): static (outside,inside) 10.1.1.1 192.168.1.1 netmask 255.255.255.255

New (8.3): object network obj-192.168.1.1
             host 192.168.1.1
             nat (outside,inside) static 10.1.1.1
=====================================================================

Regards,
MS

On Thu, Aug 1, 2013 at 2:24 AM, Brian McGahan <bmcgahan_at_ine.com> wrote:

> The "manual nat" is also called "twice nat". The "auto nat" is also
> called "object nat". With your config you're trying to do object NAT. If
> you look at the "show nat" output it'll tell you the order in which your
> statements are processed. Also if you use packet-tracer it'll tell you
> what the full result of the flow is, and whether or not the translation
> happened correctly.
>
> Which is your private address you're trying to come from and what's the
> public address you're trying to translate to? If I'm reading your
> statements correctly then you have the order backwards in your config.
>
> Brian McGahan, 4 x CCIE #8593 (R&S/SP/SC/DC), CCDE #2013::13
> bmcgahan_at_INE.com
>
> Internetwork Expert, Inc.
> http://www.INE.com
>
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> Henrique Reis
> Sent: Wednesday, July 31, 2013 9:31 AM
> To: Myung-Soo Ko
> Cc: Marc La Porte; Ryan West; Sadiq Yakasai; Cisco certification
> Subject: Re: NAT question on ASA 8.3 or above
>
> Myung,
>
> On versions post 8.3 the NAT is divided into 3 sections and each section
> has its priority over the others.
>
> Below are the sections:
>
> Manual NAT Policies (Section 1)
> Auto NAT Policies (Section 2)
> Manual NAT [with command "after-auto"] Policies (Section 3)
>
> Please check whether you have any manual NAT.
>
> Thanks,
> Henrique Reis
>
>
> On Wed, Jul 31, 2013 at 11:06 AM, Myung-Soo Ko <bacchus21_at_gmail.com>
> wrote:
>
> > Hello, all
> >
> > Thank you so much for the replies.
> >
> > I don't have any other NAT statements. If you say the order could be
> > important, which one should come first? Please advise.
> >
> > Regards,
> > ----------------------------------------------
> > "An open mind opens doors."
> > Dreams come true if you believe in them!!!
> > Myung-Soo Ko (高 巳6柑洙)
> >
> >
> > On Wed, Jul 31, 2013 at 10:56 PM, Marc La Porte
> > <marc.a.laporte_at_gmail.com
> > >wrote:
> >
> > > Do you have other types of NAT statements, as then the order could
> > > be important
> > >
> > > On Wed, Jul 31, 2013 at 2:51 PM, Ryan West <rwest_at_zyedge.com> wrote:
> > >
> > >> Probably have a dynamic nat before your static. Does it work for
> > >> inbound, but not outbound?
> > >>
> > >> Sent from handheld.
> > >>
> > >> On Jul 31, 2013, at 8:31 AM, "Sadiq Yakasai" <sadiqtanko_at_gmail.com>
> > >> wrote:
> > >>
> > >> > Hi Myung-Soo,
> > >> >
> > >> > Your config looks good to me. See below a similar one I tested some
> > >> > time back.
> > >> >
> > >> > Perhaps something else on the configuration is interfering here? Can
> > >> > we see the full configuration?
> > >> >
> > >> > HTH,
> > >> > Sadiq
> > >> >
> > >> > ASA5585(config)# sh run object
> > >> > object network NATTED_SUBNET
> > >> >  subnet 10.82.6.128 255.255.255.192
> > >> > object network INSIDE_SUBNET
> > >> >  subnet 10.82.6.0 255.255.255.192
> > >> > ASA5585(config)# sh run nat
> > >> > !
> > >> > object network INSIDE_SUBNET
> > >> >  nat (inside,outside) static NATTED_SUBNET
> > >> > ASA5585(config)# sh nat
> > >> >
> > >> > Auto NAT Policies (Section 2)
> > >> > 1 (inside) to (outside) source static INSIDE_SUBNET NATTED_SUBNET
> > >> >     translate_hits = 2804, untranslate_hits = 2785
> > >> > ASA5585(config)# sh ver
> > >> >
> > >> > Cisco Adaptive Security Appliance Software Version 8.4(2)11
> > >> > Device Manager Version 6.3(5)
> > >> >
> > >> >
> > >> >
> > >> >
> > >> > On Wed, Jul 31, 2013 at 11:08 AM, Myung-Soo Ko <bacchus21_at_gmail.com>
> > >> > wrote:
> > >> >
> > >> >> Hello, Group
> > >> >>
> > >> >> I'm currently working on NAT configuration on ASA 8.3, but my
> > >> >> old configuration didn't work on the newer version.
> > >> >>
> > >> >> I checked the configuration guide and modified the following static
> > >> >> NAT configuration.
> > >> >> =====================================================================
> > >> >> Old (pre 8.3): static (outside,inside) 10.1.1.1 192.168.1.1 netmask 255.255.255.255
> > >> >>
> > >> >> New (8.3): object network obj-192.168.1.1
> > >> >>              host 192.168.1.1
> > >> >>              nat (outside,inside) static 10.1.1.1
> > >> >> =====================================================================
> > >> >> I think it's the correct configuration, but it didn't work
> > >> >> properly. Any correction? Please advise.
> > >> >>
> > >> >>
> > >> >> I have another configuration that needs to be checked. Please refer to
> > >> >> the following.
> > >> >> ===========================================================
> > >> >> object-group network CLIENTS_REAL
> > >> >>  network-object 172.16.0.0 255.255.0.0
> > >> >>
> > >> >> nat (inside,outside) source dynamic CLIENTS_REAL interface
> > >> >> ===========================================================
> > >> >> In this case, I think the configuration should remain the same on
> > >> >> pre 8.3 and 8.3. Any opinion??
> > >> >>
> > >> >> It would be greatly appreciated if anyone can give me some advice.
> > >> >>
> > >> >> Regards,
> > >> >> ----------------------------------------------
> > >> >> "An open mind opens doors."
> > >> >> Dreams come true if you believe in them!!!
> > >> >> Myung-Soo Ko (高 巳6柑洙)
> > >> >>
> > >> >>
> > >> >> Blogs and organic groups at http://www.ccie.net
> > >> >>
> > >> >> _______________________________________________________________________
> > >> >> Subscription information may be found at:
> > >> >> http://www.groupstudy.com/list/CCIELab.html
> > >> >
> > >> >
> > >> > --
> > >> > CCIEx2 (R&S|Sec) #19963
> > >> >
> > >> >
> > >>
> > >>
> >
> >
>
>

Received on Fri Aug 02 2013 - 13:14:21 ART

This archive was generated by hypermail 2.2.0 : Sun Sep 01 2013 - 08:35:50 ART
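The three NAT sections Henrique lists and the `show nat` / `packet-tracer` checks Brian recommends, modelled in Python as an added example; this is not part of the thread and not Cisco code. It takes the two rules from the first post (CLIENTS_REAL dynamic PAT in section 1, obj-192.168.1.1 static object NAT in section 2), adds an invented static object NAT `obj-SERVER` mapped to 203.0.113.10 (both names and that address are assumptions), and shows why order matters: the section-1 manual rule matches inside sources first and shadows the object NAT for 172.16.5.10 until that manual rule is moved to section 3 with `after-auto`. The matching model is deliberately simplified (no route lookup, identity NAT, proxy ARP or ACL evaluation); the section-2 ordering it applies (static before dynamic, fewer real addresses first, then lowest real address, then object name) is Cisco's documented auto NAT ordering.

```python
"""Model of ASA 8.3+ NAT ordering: three sections, first matching rule wins.

Added example, not Cisco's code. Simplified matching (no route lookup, identity
NAT, proxy ARP or ACLs). CLIENTS_REAL and obj-192.168.1.1 come from the thread;
obj-SERVER and 203.0.113.10 are invented for the shadowing demonstration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class NatRule:
    section: int          # 1 = manual NAT, 2 = auto (object) NAT, 3 = manual NAT "after-auto"
    real_ifc: str         # interface where the real (untranslated) hosts live
    mapped_ifc: str       # interface where the mapped addresses are seen
    real: IPv4Network     # real addresses the rule covers
    mapped: str           # mapped block in CIDR, or "interface" for PAT to the egress IP
    kind: str             # "static" or "dynamic"
    name: str             # object / object-group name as printed by `show nat`
    line: int             # configuration order; breaks ties inside sections 1 and 3


SECTION_TITLES = {
    1: "Manual NAT Policies (Section 1)",
    2: "Auto NAT Policies (Section 2)",
    3: "Manual NAT Policies (Section 3)",
}


def nat_order(rules: List[NatRule]) -> List[NatRule]:
    """Order rules as the ASA evaluates them (and as `show nat` prints them).

    Sections 1 and 3 keep configuration order. Section 2 is sorted by the ASA:
    static before dynamic, fewer real addresses first, lowest real address, name.
    """
    def key(r: NatRule):
        if r.section == 2:
            return (2, 0 if r.kind == "static" else 1, r.real.num_addresses,
                    int(r.real.network_address), r.name, 0)
        return (r.section, 0, 0, 0, "", r.line)
    return sorted(rules, key=key)


def show_nat(rules: List[NatRule]) -> List[str]:
    """Render the ordered table in the shape of `show nat` output."""
    out, current, n = [], None, 0
    for r in nat_order(rules):
        if r.section != current:
            current, n = r.section, 0
            out.append(SECTION_TITLES[r.section])
        n += 1
        out.append(f"{n} ({r.real_ifc}) to ({r.mapped_ifc}) source {r.kind} {r.name} {r.mapped}")
    return out


def _shift(addr: IPv4Address, src: IPv4Network, dst: IPv4Network) -> IPv4Address:
    """Map addr to the same offset in another block (static 1:1 NAT)."""
    return dst.network_address + (int(addr) - int(src.network_address))


def packet_tracer(rules: List[NatRule], in_ifc: str, src: str, dst: str) -> Dict[str, Optional[str]]:
    """NAT phase of a packet-tracer run for a flow entering on in_ifc.

    Source: first rule whose real interface is the ingress interface and whose
    real block contains the source. Destination: first static rule whose mapped
    interface is the ingress interface and whose mapped block contains it.
    """
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    ordered = nat_order(rules)
    res: Dict[str, Optional[str]] = {"src_rule": None, "xlate_src": src,
                                     "dst_rule": None, "xlate_dst": dst}
    for r in ordered:
        if r.real_ifc == in_ifc and src_ip in r.real:
            res["src_rule"] = r.name
            res["xlate_src"] = (r.mapped if r.kind == "dynamic"
                                else str(_shift(src_ip, r.real, ip_network(r.mapped))))
            break
    for r in ordered:
        if (r.kind == "static" and r.mapped_ifc == in_ifc
                and r.mapped != "interface" and dst_ip in ip_network(r.mapped)):
            res["dst_rule"] = r.name
            res["xlate_dst"] = str(_shift(dst_ip, ip_network(r.mapped), r.real))
            break
    return res


def thread_config(after_auto: bool = False) -> List[NatRule]:
    """The two rules from the thread plus the invented obj-SERVER static rule.
    With after_auto=True the manual PAT rule sits in section 3 instead of 1."""
    return [
        NatRule(3 if after_auto else 1, "inside", "outside", ip_network("172.16.0.0/16"),
                "interface", "dynamic", "CLIENTS_REAL", 1),
        NatRule(2, "outside", "inside", ip_network("192.168.1.1/32"),
                "10.1.1.1/32", "static", "obj-192.168.1.1", 2),
        NatRule(2, "inside", "outside", ip_network("172.16.5.10/32"),
                "203.0.113.10/32", "static", "obj-SERVER", 3),
    ]


if __name__ == "__main__":
    for after_auto in (False, True):
        rules = thread_config(after_auto)
        print("\n".join(show_nat(rules)))
        print(packet_tracer(rules, "inside", "172.16.5.10", "10.1.1.1"))
        print(packet_tracer(rules, "outside", "192.168.1.1", "203.0.113.10"))
        print()
```

Run it and compare the two `show nat` tables: with the PAT rule in section 1, a packet from 172.16.5.10 is translated to the outside interface address and the obj-SERVER static is never reached; with `after-auto` the static wins and only hosts not covered by an object NAT fall through to the PAT. On a real ASA the same check is `show nat` followed by `packet-tracer input inside tcp 172.16.5.10 1025 10.1.1.1 80`.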