Options
ASA NAT command explanation?
Robbo777
Member Posts: 331 ■■■□□□□□□□
Hi can someone run through this command with me, i'm well versed in what NAT is etc... Its the actual command i'm interested in:
ASA1(config)# object network LAN ASA1
(config-network-object)# subnet 192.168.1.0 255.255.255.0
ASA1(config)# object network VPN_POOL
ASA1(config-network-object)# subnet 192.168.10.0 255.255.255.0
ASA1(config)# nat (INSIDE,OUTSIDE) source static LAN LAN destination static VPN_POOL VPN_POOL
I'm assuming it's a NAT exemption rule used to stop the translation of VPN remote access traffic back out the ASA outside interface. What i'm trying to wrap my head around is the actual layout of the command.
This is what i see it as.... If i receive an address from the LAN subnet on the inside interface then translate it (or don't) going out the outside interface.
Why is the "LAN" object inserted twice along with VPN_POOL?
Why is the source "static" as opposed to dynamic?
It doesn't look like any "denying" is done anywhere, so why arent the addresses translated.
Cheers, the NAT command on the ASA has always confused me
This is NAT 8.3 and above by the way
ASA1(config)# object network LAN ASA1
(config-network-object)# subnet 192.168.1.0 255.255.255.0
ASA1(config)# object network VPN_POOL
ASA1(config-network-object)# subnet 192.168.10.0 255.255.255.0
ASA1(config)# nat (INSIDE,OUTSIDE) source static LAN LAN destination static VPN_POOL VPN_POOL
I'm assuming it's a NAT exemption rule used to stop the translation of VPN remote access traffic back out the ASA outside interface. What i'm trying to wrap my head around is the actual layout of the command.
This is what i see it as.... If i receive an address from the LAN subnet on the inside interface then translate it (or don't) going out the outside interface.
Why is the "LAN" object inserted twice along with VPN_POOL?
Why is the source "static" as opposed to dynamic?
It doesn't look like any "denying" is done anywhere, so why arent the addresses translated.
Cheers, the NAT command on the ASA has always confused me
This is NAT 8.3 and above by the way
Comments
-
Options
txraider09
Member Posts: 69 ■■□□□□□□□□
This is a “No NAT” statement. The way that it’s written, it is going from Inside to Outside. The reason the objects are inserted twice is because you are not translating the address. So it’s basically saying from LAN to VPN_POOL, translate it to make it look like from LAN to VPN_POOL. Hence the “No Nat”