Last Updated on August 3, 2021 by Admin 3
Refer to the exhibit.
You want to use network object NAT to configure the ASA to perform PAT on traffic that originates from the 192.168.13.0/24 network attached to the INSIDE interface and that is destined to any networks connected to OUTSIDE interface.
Which of the following blocks of commands should you issue to achieve your goal? (Select the best answer.)
-
asa(config)#object network INSIDENetwork
asa(config-network-object)#subnet 192.168.13.0 255.255.255.0
asa(config-network-object)#nat (INSIDE,OUTSIDE) dynamic interface
-
asa(config)#object network OUTSIDENetwork
asa(config-network-object)#subnet 198.51.100.0 255.255.255.0
asa(config-network-object)#nat (any,INSIDE) dynamic interface
-
asa(config)#object network INSIDENetwork
asa(config-network-object)#subnet 192.168.13.0 255.255.255.0
asa(config-network-object)#nat (OUTSIDE,INSIDE) dynamic interface
-
asa(config)#object network INSIDENetwork
asa(config-network-object)#subnet 192.168.13.0 255.255.255.0
asa(config-network-object)#nat (any,OUTSIDE) dynamic interface
You should issue the following block of commands to achieve your goal in this scenario:
asa(config)#object network INSIDENetwork
asa(config-network-object)#subnet 192.168.13.0 255.255.255.0
asa(config-network-object)#nat (INSIDE,OUTSIDE) dynamic interface
When the nat command is issued from network object configuration mode, it is referred to as the nat (object) command and it can be used to configure network object Network Address Translation (NAT) on the Cisco Adaptive Security Appliance (ASA). Network object NAT enables you to easily specify a mapping for the source address in a packet. The command block in this scenario configures a network object named INSIDENetwork, defines a subnet IP address and network mask for the INSIDENetwork object, and specifies that the real source IP address of packets from the INSIDE interface should be dynamically translated to the mapped IP address corresponding to the IP address assigned to the OUTSIDE interface. The effect of the translation on matching packets is illustrated by the following graphic:
The nat (object) command can be used to create a dynamic NAT rule which translates traffic for a particular network object. The abbreviated syntax to create a dynamic NAT rule with the nat (object) command is nat (real_interface,mapped_interface) dynamic {mapped_object | mapped_host_IP | interface} [fallthrough_interface], where real_interface represents the source interface of the original packet and mapped_interface represents the source interface of the translated packet. The source IP address of the original packet is based on the definition of the network object; in this scenario, the network object is a network subnet. The dynamic keyword is used to specify a dynamic NAT rule and the interface parameter is used to specify a Port Address Translation (PAT) rule. An optional fallthrough interface can be specified if dynamic NAT is configured to use a pool of addresses to ensure that translation continues even if every IP address in the pool has been assigned a translation.
Alternatively, you could use Adaptive Security Device Manager (ASDM) instead of the command line to configure the network object NAT rule in this scenario. You can create a network object rule in ASDM by accessing the Configuration > Firewall > NAT Rules pane, clicking the Add drop-down list, and selecting the Add “Network Object” NAT rule option to open the Add Network Object dialog box. The following sample Add Network Object dialog box corresponds to the block of commands in this scenario:
You should not issue the following block of commands to achieve your goal in this scenario:
asa(config)#object network INSIDENetwork
asa(config-network-object)#subnet 192.168.13.0 255.255.255.0
asa(config-network-object)#nat (any,OUTSIDE) dynamic interface
The nat (any,OUTSIDE) dynamic interface command in this block of commands maps the source IP address of traffic that originates from the 192.168.13.0/24 subnet, from any interface, to the IP address assigned to the OUTSIDE interface. Although this block of commands would configure the ASA to perform the required translation for traffic originating from the INSIDE interface, it would also perform the translation for any traffic from the 192.168.13.0/24 subnet originating from any other interface. Because the scenario requires the translation to occur only for traffic originating from the INSIDE interface, you should not issue this block of commands.
You should not issue the following block of commands to achieve your goal in this scenario:
asa(config)#object network INSIDENetwork
asa(config-network-object)#subnet 192.168.13.0 255.255.255.0
asa(config-network-object)#nat (OUTSIDE,INSIDE) dynamic interface
The nat (OUTSIDE,INSIDE) dynamic interface command maps the source IP address of traffic that originates from the 192.168.13.0/24 subnet, from only the OUTSIDE interface, to the IP address assigned to the INSIDE interface. Because the 192.168.13.0/24 network is directly connected to the INSIDE interface and not the OUTSIDE interface, this translation rule would not meet the requirements of the scenario.
You should not issue the following block of commands to achieve your goal in this scenario:
asa(config)#object network OUTSIDENetwork
asa(config-network-object)#subnet 198.51.100.0 255.255.255.0
asa(config-network-object)#nat (any,INSIDE) dynamic interface
This block of commands creates a network object that corresponds to the network directly connected to the OUTSIDE interface. The nat (any,INSIDE) dynamic interface command maps the source IP address of traffic that originates from the 198.51.100.0/24 subnet, from any interface, to the IP address assigned to the INSIDE interface.
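The following Python sketch is an added example, not part of the original question or of any Cisco tooling. It is a simplified model of how the interface pair and object subnet in each answer option select traffic for translation. The DMZ interface and the sample flows are constructed assumptions used to show why (any,OUTSIDE) matches more than the scenario requires.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ObjectNatRule:
    """Simplified model of 'nat (real_ifc,mapped_ifc) dynamic interface'."""
    subnet: str      # subnet defined in the network object
    real_ifc: str    # interface the original packet arrives on, or "any"
    mapped_ifc: str  # interface the translated packet leaves on, or "any"

    def translates(self, ingress: str, egress: str, src_ip: str) -> bool:
        in_object = ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.subnet)
        ifc_match = (self.real_ifc in ("any", ingress)
                     and self.mapped_ifc in ("any", egress))
        return in_object and ifc_match


# The four answer options, keyed by their interface pair.
OPTIONS = {
    "(INSIDE,OUTSIDE)": ObjectNatRule("192.168.13.0/24", "INSIDE", "OUTSIDE"),
    "(any,INSIDE)": ObjectNatRule("198.51.100.0/24", "any", "INSIDE"),
    "(OUTSIDE,INSIDE)": ObjectNatRule("192.168.13.0/24", "OUTSIDE", "INSIDE"),
    "(any,OUTSIDE)": ObjectNatRule("192.168.13.0/24", "any", "OUTSIDE"),
}

# Constructed sample flows: (ingress, egress, source IP).
# DMZ is a hypothetical third interface, not part of the scenario.
FLOWS = [
    ("INSIDE", "OUTSIDE", "192.168.13.10"),   # the traffic the scenario targets
    ("DMZ", "OUTSIDE", "192.168.13.10"),      # same source subnet, other interface
    ("INSIDE", "OUTSIDE", "192.168.14.10"),   # different inside subnet
    ("OUTSIDE", "INSIDE", "198.51.100.7"),    # outside host heading inward
]
REQUIRED = [True, False, False, False]  # translate only the first flow


def matrix() -> dict:
    """Per option, whether each sample flow would be translated."""
    return {name: [rule.translates(*flow) for flow in FLOWS]
            for name, rule in OPTIONS.items()}


def matching_options() -> list:
    """Options that translate exactly the traffic the scenario asks for."""
    return [name for name, row in matrix().items() if row == REQUIRED]


if __name__ == "__main__":
    for name, row in matrix().items():
        print(f"{name:18} {row}")
    print("meets requirement:", matching_options())
```

On a real ASA, the equivalent check is to confirm the rule with show nat detail and the resulting translations with show xlate.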