Another run-in with Cisco NAT ASA 8.3
Overview of Cisco NAT problem
I have recently been moving a service from some old ASAs to some nice shiny 5525s and had to translate the old (pre-8.3) Cisco NAT syntax to the new 8.3 object-based NAT. One of my stumbling blocks was making sure a couple of specific hosts bound themselves to a particular IP outbound when a specific destination port is used. The old config used access lists to do it, but I found that over complicated, so I looked into using object groups instead. Below is a diagram of what we want to achieve.
Turns out this was really simple.
Enter configuration mode:
configure terminal
Create objects for the hosts:
object network OBJ-192.168.0.71
 host 192.168.0.71
object network OBJ-192.168.0.72
 host 192.168.0.72
object network OBJ-192.168.100.100
 host 192.168.100.100
Place the host objects inside an object group:
object-group network OBJ-9998-TCP-OUTBOUND
 network-object object OBJ-192.168.0.71
 network-object object OBJ-192.168.0.72
Create the service object:
object service OBJ-9998-TCP
 service tcp destination eq 9998
Create the NAT rule:
nat (INSIDE,OUTSIDE) source static OBJ-9998-TCP-OUTBOUND OBJ-192.168.100.100 service OBJ-9998-TCP OBJ-9998-TCP
Finally the access list:
access-list INSIDE extended permit tcp object-group OBJ-9998-TCP-OUTBOUND any eq 9998
NB. I have just put a destination of any here for ease.
Don’t forget to save the running configuration:
end
copy running-config startup-config
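As an added verification step (not part of the original post), packet-tracer shows which NAT rule a given flow actually hits, so you can confirm the policy matches only the intended hosts and port. The destination address 203.0.113.10 and the non-member host 192.168.0.50 are constructed placeholders.

```text
! Constructed check, run from privileged EXEC mode. Not from the original post.
! 203.0.113.10 is a documentation-range placeholder for the remote service.

! 1. A group member sending to TCP/9998 should match the manual NAT rule
!    and be translated to 192.168.100.100 in the NAT phase of the trace:
packet-tracer input INSIDE tcp 192.168.0.71 40000 203.0.113.10 9998 detailed

! 2. The same host on a different destination port must NOT match that rule;
!    it should fall through to whatever default/auto NAT already exists:
packet-tracer input INSIDE tcp 192.168.0.71 40000 203.0.113.10 443

! 3. A host that is not in OBJ-9998-TCP-OUTBOUND (192.168.0.50 is constructed)
!    must not match either, even on port 9998:
packet-tracer input INSIDE tcp 192.168.0.50 40000 203.0.113.10 9998

! Confirm the rule sits in the manual NAT section (evaluated before auto NAT)
! and watch its hit count, then check the resulting translations:
show nat detail
show xlate
```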