You can't add a destination in the auto NAT. Use manual NAT and specify the destination.

Samarth Chidanand
Vice President of Technical Training - IPexpert India Inc
CCIE #18535 (R&S, Security)
CCSI #34585

From: [email protected] [mailto:[email protected]] On Behalf Of Joe Astorino
Sent: Wednesday, June 19, 2013 2:25 AM
To: Anthony Sequeira
Cc: OSL Security
Subject: Re: [OSL | CCIE_Security] ASA 8.4 dynamic PAT

I actually ran into this because I have a situation with an ASA that has 2 different ISP connections. I need to PAT most traffic out one interface and PAT traffic destined to a specific other internet destination out another interface. I found out that under the network object configuration you can only have a single auto NAT rule. So, how is this usually done? I can think of 2 ways:

1) Auto NAT - You create two different network objects that define everything, like this

    object network obj-any
     subnet 0.0.0.0 0.0.0.0
     nat (inside,outside) dynamic interface
    !
    object network obj-any2
     subnet 0.0.0.0 0.0.0.0
     nat (inside,outside2) dynamic interface

2) Manual NAT - Just create two rules

    nat (inside,outside) source dynamic any interface
    nat (inside,outside2) source dynamic any interface

Thoughts?

On Tue, Jun 18, 2013 at 2:49 PM, Joe Astorino <[email protected]> wrote:

Thanks all - Anthony yes yes...I've been putting off 8.3 + NAT for too long!

Sent from my iPhone

On Jun 18, 2013, at 1:25 PM, Anthony Sequeira <[email protected]> wrote:

Look on the bright side Joe - in the new exam - you will most likely get to enjoy both versions. :-\

From: Piotr Kaluzny <[email protected]>
Date: Tuesday, June 18, 2013 12:45 PM
To: joeastorino1982 <[email protected]>
Cc: "[email protected] | CCIE security" <[email protected]>
Subject: Re: [OSL | CCIE_Security] ASA 8.4 dynamic PAT

Joe,

Auto-NAT is for simple source translations and/or redirection.

Manual NAT is what you have to use when you want to add some policy/conditions to the equation, like when you want to only translate packets going to a particular destination.

Regards,
--
Piotr Kaluzny
CCIE #25665 (Security), CCSP, CCNP
Sr. Technical Instructor - IPexpert, Inc.
URL: http://www.IPexpert.com

On Tue, Jun 18, 2013 at 6:13 PM, Joe Astorino <[email protected]> wrote:

Hi guys,

Just starting down the road of the new ASA NAT. I have a simple question. I see there are 2 ways you can do dynamic PAT:

1) Auto NAT

    object network obj_any
     subnet 0.0.0.0 0.0.0.0
     nat (inside,outside) dynamic interface

2) Manual NAT

    nat (inside,outside) source dynamic any interface

Any preference as to which one and why? Most examples I see are referencing the auto NAT method for this purpose. I know manual NAT is ahead of auto NAT from a precedence standpoint, just wondering why one might use one or the other?

Sigh...I miss the old way

--
Regards,
Joe Astorino
CCIE #24347
http://astorinonetworks.com
"He not busy being born is busy dying" - Dylan

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
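
The destination-specific manual NAT that the top reply recommends, written out as an added example (not part of the original thread). The object name DEST-SPECIAL, the 203.0.113.0/24 destination, the 198.51.100.1 next hop and the test addresses are assumed placeholders; the interface names are the ones used in the thread.

```cisco
! Added example, not from the thread. DEST-SPECIAL, 203.0.113.0/24 and
! 198.51.100.1 are placeholders; inside/outside/outside2 come from the thread.
object network DEST-SPECIAL
 subnet 203.0.113.0 255.255.255.0
!
! Manual (twice) NAT rules sit in section 1 and are evaluated top-down,
! first match wins, so the destination-specific rule goes above the catch-all.
! "destination static X X" leaves the destination address unchanged and
! only uses it as a match condition.
nat (inside,outside2) source dynamic any interface destination static DEST-SPECIAL DEST-SPECIAL
nat (inside,outside) source dynamic any interface
!
! Assumed: the special destination is routed out the second ISP link.
route outside2 203.0.113.0 255.255.255.0 198.51.100.1
!
! Verification from exec mode (source host 10.1.1.10 is a placeholder):
!   show nat detail
!   packet-tracer input inside tcp 10.1.1.10 40000 203.0.113.10 443
!   packet-tracer input inside tcp 10.1.1.10 40000 192.0.2.50 443
! The first trace should hit the outside2 rule, the second the catch-all.
```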
