ASA Dynamic Policy NAT and PAT

On ASA2, the SG includes "destination" on twice NAT with "object network ANY_DESTINATION" as shown below:



object network ANY_DESTINATION
 subnet 0.0.0.0 0.0.0.0

nat (VLAN19,any) source dynamic VLAN19_REAL VLAN19_TELNET_MAPPED destination static ANY_DESTINATION ANY_DESTINATION service TELNET TELNET

nat (VLAN19,any) source dynamic VLAN19_REAL VLAN19_HTTP_MAPPED destination static ANY_DESTINATION ANY_DESTINATION service HTTP HTTP



My solution: since we don't care about the destination, I skipped the "destination" as shown below. It seems to be working fine. Is it a valid solution?



nat (VLAN19,any) source dynamic VLAN19_REAL VLAN19_HTTP_MAPPED service TELNET TELNET

nat (VLAN19,any) source dynamic VLAN19_REAL VLAN19_HTTP_MAPPED service HTTP HTTP



In addition, can I use “nat (VLAN19,any) source dynamic R1_LO1_REAL interface” to cover the two statements below, as shown in the SG? Will this make any difference?

 

nat (VLAN19,VLAN26) source dynamic R1_LO1_REAL interface

nat (VLAN19,VLAN29) source dynamic R1_LO1_REAL interface

 

Thanks

 

Comments

  • Hi,

    Based on the task requirements, specifying the destination on a twice-NAT rule is optional, so yes, it works with your configuration as well. When configuring PAT into the ASA interface, you can't use the "any" keyword as the exit interface.

    Regards,

    Cristian.
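
The two points in the reply above (the destination clause is optional, and interface PAT cannot use "any" as the mapped interface) can be checked against a candidate config before it is pasted into the ASA. The following is an added example, not part of the original thread or any Cisco tool; the function names, regex and message text are assumptions, and it only understands the rule forms quoted in this thread.

```python
import re

# Manual ("twice") NAT forms quoted in this thread:
#   nat (real_ifc,mapped_ifc) source dynamic REAL {MAPPED|interface}
#       [destination static MAPPED_DST REAL_DST] [service MAPPED_SVC REAL_SVC]
NAT_RE = re.compile(
    r"^nat\s+\((?P<real_ifc>[^,\s]+),(?P<mapped_ifc>[^)\s]+)\)\s+"
    r"source\s+dynamic\s+(?P<real>\S+)\s+(?P<mapped>\S+)"
    r"(?:\s+destination\s+static\s+(?P<dst_mapped>\S+)\s+(?P<dst_real>\S+))?"
    r"(?:\s+service\s+(?P<svc_mapped>\S+)\s+(?P<svc_real>\S+))?\s*$"
)

MSG = "interface PAT needs a specific mapped interface, not 'any'"

def parse_nat(line):
    """Return the rule's fields as a dict, or None if the line is not one of the forms above."""
    m = NAT_RE.match(line.strip())
    return m.groupdict() if m else None

def lint(config_text):
    """Return (line_no, message) for every interface-PAT rule whose mapped interface is 'any'."""
    findings = []
    for no, line in enumerate(config_text.splitlines(), 1):
        rule = parse_nat(line)
        if rule is None:
            continue  # not a twice-NAT rule in a form this example understands
        if rule["mapped"] == "interface" and rule["mapped_ifc"] == "any":
            findings.append((no, MSG))
    return findings

# Rules copied from the thread: the poster's destination-less HTTP rule,
# the proposed single "any" rule, and the SG's two per-interface rules.
SAMPLE = """\
nat (VLAN19,any) source dynamic VLAN19_REAL VLAN19_HTTP_MAPPED service HTTP HTTP
nat (VLAN19,any) source dynamic R1_LO1_REAL interface
nat (VLAN19,VLAN26) source dynamic R1_LO1_REAL interface
nat (VLAN19,VLAN29) source dynamic R1_LO1_REAL interface
"""

if __name__ == "__main__":
    for no, msg in lint(SAMPLE):
        print(f"line {no}: {msg}")
```
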
