NATObject Config

subnet [ip] [mask]

Defines a subnet object for use in NAT rules on Cisco ASA Firewall.

Overview

The 'subnet' command in Cisco ASA Firewall is used within network object configuration mode to define a subnet object. A network object is a container that holds an IP address, subnet, range, or host. The 'subnet' keyword specifies that the object represents a network with a given IP address and netmask. This object can then be referenced in NAT rules, access-lists, and other features.

The concept behind subnet objects is to simplify configuration by allowing reuse of network definitions. For example, instead of typing the subnet multiple times in NAT rules, you define it once as an object and refer to it by name. This reduces errors and makes changes easier. On Cisco ASA, network objects are fundamental to policy configuration. They are used in both dynamic and static NAT, as well as in object groups for grouping multiple networks.

Use 'subnet' whenever you need to represent a contiguous block of IP addresses with a specific mask, such as a LAN subnet or a DMZ network. It is particularly useful in NAT scenarios where you translate an entire internal subnet to a single external IP or pool.

In troubleshooting workflows, verifying subnet objects ensures that NAT rules apply to the correct address space. Misconfigured subnet objects can lead to traffic not being translated or being translated incorrectly. The command is straightforward but critical for proper network address translation.

Syntax (Object Config)

subnet ip_address netmask

When to Use This Command

  • Create a network object for a private subnet to be translated to a public IP pool.
  • Define a subnet for policy-based NAT exemptions.
  • Group multiple subnets into a network object group for simplified rule management.
  • Specify a subnet for destination NAT when mapping external IPs to internal servers.

Parameters

Parameter     Syntax     Description
ip_address    A.B.C.D    The network address of the subnet. Must be the network address (e.g., 192.168.1.0), not a host address.
netmask       A.B.C.D    The subnet mask in dotted decimal format (e.g., 255.255.255.0 for /24).

Command Examples

Define a subnet object for internal network

subnet 192.168.1.0 255.255.255.0

Creates a network object representing the 192.168.1.0/24 subnet. No output is displayed upon successful entry.

Define a subnet object for DMZ network

subnet 10.10.10.0 255.255.255.0

Creates a network object for the 10.10.10.0/24 subnet, typically used for DMZ hosts.

Understanding the Output

The 'subnet' command does not produce output when executed. It is used within network object configuration mode to define the subnet mask for an IP address. To verify the object, use 'show run object id <name>' or 'show object id <name>'. The output will display the object type (subnet), IP address, and netmask. A healthy configuration shows the correct subnet and mask; problems include mismatched masks or missing objects.

Configuration Scenarios

Configuring Dynamic NAT for an Internal Subnet

An organization wants to translate all internal hosts in 192.168.1.0/24 to a public IP pool 203.0.113.10-203.0.113.20 when accessing the internet.

Topology

Internet --- ASA --- Inside (192.168.1.0/24)

Steps

  1. Create a network object for the internal subnet.
  2. Create a network object for the PAT pool (optional).
  3. Configure dynamic NAT rule referencing the subnet object.

Configuration

! Define internal subnet object
object network INSIDE_SUBNET
 subnet 192.168.1.0 255.255.255.0
! Define PAT pool object
object network PAT_POOL
 range 203.0.113.10 203.0.113.20
! Configure dynamic NAT
nat (inside,outside) source dynamic INSIDE_SUBNET PAT_POOL

Verify: Use 'show nat' to verify the NAT rule. Use 'show xlate' to see active translations.

Watch out: Ensure the subnet object uses the network address, not a host IP. Also, the PAT pool must be defined as a range object.

Troubleshooting with This Command

When troubleshooting issues related to subnet objects, start by verifying the object definition with 'show run object id <name>'. Check that the subnet address and mask are correct. Common issues include using a host address instead of a network address, or a mismatched mask.

For NAT problems, use 'show nat' to see if the rule is hit, and 'show xlate' to view translations. If traffic is not being translated, confirm that the subnet object matches the source IP of the traffic. Also, check for overlapping objects or ACLs that might block traffic.

Use 'packet-tracer' to simulate traffic and see if NAT is applied. For example: 'packet-tracer input inside tcp 192.168.1.10 12345 8.8.8.8 80'. This will show the NAT translation steps. If the subnet object is not being matched, verify the object name in the NAT rule.

Another common issue is forgetting to add the subnet object to an object-group if used in an ACL. Always ensure that the subnet object is correctly referenced.

CCNA Exam Tips

  1. Remember that 'subnet' is used inside network object configuration, not globally.
  2. Know that the subnet command is often paired with 'nat' statements for dynamic or static translations.
  3. Be aware that ASA uses network objects for both NAT and ACLs; subnet objects are reusable.

Common Mistakes

Forgetting to enter network object configuration mode before using 'subnet'.

Using 'subnet' with a host IP instead of a network address (e.g., 192.168.1.1 instead of 192.168.1.0).

Omitting the netmask or using an incorrect mask, causing NAT to fail.
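The mistakes listed above (a host address where the network address belongs, a missing or malformed mask, a 'nat' rule that names an object which was never defined) can be caught offline before the config is pushed. The following Python script is an added example and not Cisco's code or part of the ASA; it parses a small, constructed 'show running-config' excerpt in which several objects are deliberately wrong, and reports each problem. The object names and addresses in the sample are made up for illustration.

```python
"""Audit 'object network ... subnet' definitions and the NAT rules that use them.

Added example: parses a constructed ASA config excerpt and flags the common
subnet-object mistakes described on this page. Not Cisco code.
"""
import ipaddress
import re

# Constructed sample config. CORP_LAN uses a host address, BAD_MASK a
# non-contiguous mask, NO_MASK omits the mask, and the last nat rule
# references DMZ_SUBNET, which is never defined.
SAMPLE_CONFIG = """\
object network INSIDE_SUBNET
 subnet 192.168.1.0 255.255.255.0
object network CORP_LAN
 subnet 10.20.30.5 255.255.255.0
object network BAD_MASK
 subnet 10.99.0.0 255.255.0.1
object network NO_MASK
 subnet 172.16.0.0
object network PAT_POOL
 range 203.0.113.10 203.0.113.20
nat (inside,outside) source dynamic INSIDE_SUBNET PAT_POOL
nat (inside,outside) source dynamic CORP_LAN PAT_POOL
nat (dmz,outside) source dynamic DMZ_SUBNET PAT_POOL
"""

OBJECT_RE = re.compile(r"^object network (\S+)\s*$")
SUBNET_RE = re.compile(r"^subnet (\S+)(?:\s+(\S+))?$")
NAT_RE = re.compile(r"^nat \(\S+,\S+\) source (?:dynamic|static) (\S+) (\S+)")


def parse_config(config):
    """Split a config excerpt into network objects and twice-NAT rules.

    Returns (objects, nat_rules): objects maps an object name to its body line
    (e.g. 'subnet 192.168.1.0 255.255.255.0', or '' if the stanza is empty);
    nat_rules is a list of (real_object, mapped_object) pairs in config order.
    """
    objects, nat_rules, current = {}, [], None
    for raw in config.splitlines():
        m = OBJECT_RE.match(raw)
        if m:
            current = m.group(1)
            objects[current] = ""
            continue
        if current and raw.startswith(" "):
            objects[current] = raw.strip()  # indented line belongs to the open object
            continue
        current = None  # any unindented line closes the object stanza
        m = NAT_RE.match(raw)
        if m:
            nat_rules.append((m.group(1), m.group(2)))
    return objects, nat_rules


def check_subnet(name, body):
    """Validate one object's 'subnet' line; return a finding string or None."""
    m = SUBNET_RE.match(body)
    if not m:
        return None  # host, range and fqdn objects are not checked here
    address, mask = m.group(1), m.group(2)
    if mask is None:
        return f"{name}: subnet line has no netmask"
    try:
        # ipaddress rejects non-contiguous masks such as 255.255.0.1
        prefixlen = ipaddress.IPv4Network(("0.0.0.0", mask)).prefixlen
    except ValueError:
        return f"{name}: '{mask}' is not a valid netmask"
    try:
        addr = ipaddress.IPv4Address(address)
    except ValueError:
        return f"{name}: '{address}' is not a valid IPv4 address"
    # strict=False masks the address so we can compare it with what was typed
    network = ipaddress.IPv4Network((addr, prefixlen), strict=False)
    if addr != network.network_address:
        return (f"{name}: {address} is a host address, "
                f"not the network address {network.network_address}")
    return None


def audit(config):
    """Run every check over a config excerpt and return the list of findings."""
    objects, nat_rules = parse_config(config)
    findings = [f for f in (check_subnet(n, b) for n, b in objects.items()) if f]
    for real, mapped in nat_rules:
        for ref in (real, mapped):
            if ref not in objects:
                findings.append(f"nat rule references undefined object {ref}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

The script only understands the 'subnet', 'range' and 'host' object bodies and the 'nat ... source dynamic|static' rule form shown on this page; object-groups and object NAT ('nat (inside,outside) dynamic ...' inside an object) are not parsed, so a clean run is a sanity check, not proof that the NAT policy is correct.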

Platform Notes

On Cisco ASA, the 'subnet' command is used within object configuration mode, which is different from Cisco IOS where network objects are not used. In IOS, you typically define ACLs directly with subnet masks. ASA's object-oriented approach allows for more modular configuration. Equivalent commands on other platforms: On Palo Alto, you define address objects with a similar concept. On Juniper SRX, you use address-sets. ASA version differences: In ASA 8.3+, network objects are mandatory for NAT; earlier versions used 'nat' commands with ACLs. The 'subnet' command is consistent across ASA versions 8.3 and later.
