Which of the following blocks of commands should you is…

Refer to the exhibit.

You want to use network object NAT to configure the ASA to perform PAT on traffic that originates from the
192.168.13.0/24 network attached to the INSIDE interface and that is destined to any networks connected to
the OUTSIDE interface.
Which of the following blocks of commands should you issue to achieve your goal? (Select the best answer.)

A.
asa(config)#object network INSIDENetwork
asa(config-network-object)#subnet 192.168.13.0 255.255.255.0
asa(config-network-object)#nat (INSIDE,OUTSIDE) dynamic interface

B.
asa(config)#object network OUTSIDENetwork
asa(config-network-object)#subnet 198.51.100.0 255.255.255.0
asa(config-network-object)#nat (any,INSIDE) dynamic interface

C.
asa(config)#object network INSIDENetwork
asa(config-network-object)#subnet 192.168.13.0 255.255.255.0
asa(config-network-object)#nat (OUTSIDE,INSIDE) dynamic interface

D.
asa(config)#object network INSIDENetwork
asa(config-network-object)#subnet 192.168.13.0 255.255.255.0
asa(config-network-object)#nat (any,OUTSIDE) dynamic interface

Explanation:
You should issue the following block of commands to achieve your goal in this scenario:
asa(config)#object network INSIDENetwork
asa(config-network-object)#subnet 192.168.13.0 255.255.255.0
asa(config-network-object)#nat (INSIDE,OUTSIDE) dynamic interface
When the nat command is issued from network object configuration mode, it is referred to as the nat (object)
command and it can be used to configure network object Network Address Translation (NAT) on the Cisco
Adaptive Security Appliance (ASA). Network object NAT enables you to easily specify a mapping for the source
address in a packet. The command block in this scenario configures a network object named INSIDENetwork,
defines a subnet IP address and network mask for the INSIDENetwork object, and specifies that the real
source IP address of packets from the INSIDE interface should be dynamically translated to the mapped IP
address corresponding to the IP address assigned to the OUTSIDE interface. The effect of the translation on
matching packets is illustrated by the following graphic:

The nat (object) command can be used to create a dynamic NAT rule which translates traffic for a particular
network object. The abbreviated syntax to create a dynamic NAT rule with the nat (object) command is nat
(real_interface,mapped_interface) dynamic {mapped_object | mapped_host_IP | interface}
[fallthrough_interface], where real_interface represents the source interface of the original packet and
mapped_interface represents the source interface of the translated packet. The source IP address of the
original packet is based on the definition of the network object; in this scenario, the network object is a network
subnet. The dynamic keyword is used to specify a dynamic NAT rule and the interface parameter is used to
specify a Port Address Translation (PAT) rule. An optional fallthrough interface can be specified if dynamic NAT
is configured to use a pool of addresses to ensure that translation continues even if every IP address in the
pool has been assigned a translation.
Alternatively, you could use Adaptive Security Device Manager (ASDM) instead of the command line to
configure the network object NAT rule in this scenario. You can create a network object rule in ASDM by
accessing the Configuration > Firewall > NAT Rules pane, clicking the Add dropdown list, and selecting the Add
“Network Object” NAT rule option to open the Add Network Object dialog box. The following sample Add
Network Object dialog box corresponds to the block of commands in this scenario:

You should not issue the following block of commands to achieve your goal in this scenario:
asa(config)#object network INSIDENetwork
asa(config-network-object)#subnet 192.168.13.0 255.255.255.0
asa(config-network-object)#nat (any,OUTSIDE) dynamic interface
The nat (any,OUTSIDE) dynamic interface command in this block of commands maps the source IP address of
traffic that originates from the 192.168.13.0/24 subnet, from any interface, to the IP address assigned to the
OUTSIDE interface. Although this block of commands would configure the ASA to perform the required
translation for traffic originating from the INSIDE interface, it would also perform the translation for any traffic
from the 192.168.13.0/24 subnet originating from any other interface. Because the scenario requires the
translation to occur only for traffic originating from the INSIDE interface, you should not issue this block of
commands.
You should not issue the following block of commands to achieve your goal in this scenario:
asa(config)#object network INSIDENetwork
asa(config-network-object)#subnet 192.168.13.0 255.255.255.0
asa(config-network-object)#nat (OUTSIDE,INSIDE) dynamic interface
The nat (OUTSIDE,INSIDE) dynamic interface command maps the source IP address of traffic that originates
from the 192.168.13.0/24 subnet, from only the OUTSIDE interface, to the IP address assigned to the INSIDE
interface. Because the 192.168.13.0/24 network is directly connected to the INSIDE interface and not the
OUTSIDE interface, this translation rule would not achieve the requirements of the scenario.
You should not issue the following block of commands to achieve your goal in this scenario:
asa(config)#object network OUTSIDENetwork
asa(config-network-object)#subnet 198.51.100.0 255.255.255.0
asa(config-network-object)#nat (any,INSIDE) dynamic interface
This block of commands creates a network object that corresponds to the network directly connected to the
OUTSIDE interface. The nat (any,INSIDE) dynamic interface command maps the source IP address of traffic
that originates from the 198.51.100.0/24 subnet, from any interface, to the IP address assigned to the INSIDE
interface. Because this rule does not translate traffic that originates from the 192.168.13.0/24 network, it
would not achieve the requirements of the scenario.
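
The interface-scoping argument above, as an added example that is not part of the original page or Cisco's documentation: a simplified Python model of the match conditions in the four answer blocks, run over constructed flows. The DMZ interface, the sample host addresses, and the reduction of ASA rule matching to ingress interface, egress interface and source subnet are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ObjectNat:
    """Simplified model of: object network X / subnet S / nat (real,mapped) dynamic interface."""
    real_if: str    # "any" matches every ingress interface
    mapped_if: str  # "any" matches every egress interface
    subnet: str     # the object's subnet, i.e. the real source addresses

    def translates(self, ingress, egress, src_ip):
        if_ok = self.real_if in ("any", ingress) and self.mapped_if in ("any", egress)
        return if_ok and ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.subnet)


# The four answer blocks from the question, reduced to their match conditions.
OPTIONS = {
    "A": ObjectNat("INSIDE", "OUTSIDE", "192.168.13.0/24"),
    "B": ObjectNat("any", "INSIDE", "198.51.100.0/24"),
    "C": ObjectNat("OUTSIDE", "INSIDE", "192.168.13.0/24"),
    "D": ObjectNat("any", "OUTSIDE", "192.168.13.0/24"),
}

# Constructed flows: (label, ingress, egress, source IP). DMZ is a hypothetical third interface.
FLOWS = [
    ("inside host to outside", "INSIDE", "OUTSIDE", "192.168.13.10"),
    ("same source range arriving on DMZ", "DMZ", "OUTSIDE", "192.168.13.10"),
    ("outside host to inside", "OUTSIDE", "INSIDE", "198.51.100.7"),
    ("other inside subnet to outside", "INSIDE", "OUTSIDE", "192.168.14.10"),
]


def matching_flows(option):
    """Return the labels of the constructed flows whose source the rule would translate."""
    rule = OPTIONS[option]
    return [label for label, ingress, egress, src in FLOWS
            if rule.translates(ingress, egress, src)]


if __name__ == "__main__":
    for name in sorted(OPTIONS):
        print(name, matching_flows(name))
```

Only option A matches the required flow and nothing else; option D also matches the same source range arriving on an interface other than INSIDE, which is the over-broad scope the explanation describes.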

Cisco: Configuring Network Object NAT: Configuring Dynamic PAT (Hide)
Cisco: Cisco ASA Series Command Reference: nat (object)


