https://community.cisco.com/t5/network-security/asa-5510-9-2/m-p/2861375#M167117 <P>Hello everyone,</P> <P></P> <P>Please can you help me about a rule static Nat one to one is not working well. IN the rule I have three services or three ports tcp 3299, 3200 and 3300, this ports are Nating by the IP address &nbsp;P.P.P.P, when I try test the conection from the outside, the port open correctly, the IP addres P.P.P.P recive the traffic but the outside interface with IP address Y.Y.Y.Y is used for outgoing of this traffic, this is not correct, the traffic outgoing should use the IP Address P.P.P.P and recibe traffic from these ports over the P.P.P.P address.</P> <P></P> <P>This is my current configuration:</P> <P></P> <P><STRONG>object network Server</STRONG></P> <P><STRONG>host h.h.h.h</STRONG></P> <P><STRONG>nat (inside,outside) static P.P.P.P service tcp 3299 3299</STRONG></P> <P></P> <P><STRONG>access-list outside_in extended permit tcp any4 host h.h.h.h eq 3299</STRONG></P> <P></P> <P>Any comment is well thank you very much.</P> <P></P> <P></P> Tue, 12 Mar 2019 07:45:43 GMT Lucio Garrido 2019-03-12T07:45:43Z https://community.cisco.com/t5/network-security/asa-5510-9-2/m-p/2861375#M167117 <P>Hello everyone,</P> <P></P> <P>Please can you help me about a rule static Nat one to one is not working well. IN the rule I have three services or three ports tcp 3299, 3200 and 3300, this ports are Nating by the IP address &nbsp;P.P.P.P, when I try test the conection from the outside, the port open correctly, the IP addres P.P.P.P recive the traffic but the outside interface with IP address Y.Y.Y.Y is used for outgoing of this traffic, this is not correct, the traffic outgoing should use the IP Address P.P.P.P and recibe traffic from these ports over the P.P.P.P address.</P> <P></P> <P>This is my current configuration:</P> <P></P> <P><STRONG>object network Server</STRONG></P> <P><STRONG>host h.h.h.h</STRONG></P> <P><STRONG>nat (inside,outside) static P.P.P.P service tcp 3299 3299</STRONG></P> <P></P> <P><STRONG>access-list outside_in extended permit tcp any4 host h.h.h.h eq 3299</STRONG></P> <P></P> <P>Any comment is well thank you very much.</P> <P></P> <P></P> Tue, 12 Mar 2019 07:45:43 GMT https://community.cisco.com/t5/network-security/asa-5510-9-2/m-p/2861375#M167117 Lucio Garrido 2019-03-12T07:45:43Z https://community.cisco.com/t5/network-security/asa-5510-9-2/m-p/2861376#M167119 <P>Hi</P> <P>The dynamic NAT entry that you have is also a object NAT statement I presume? If you run the command "show nat" the dynamic NAT statement has a lower sequence number in that list.</P> <P>It is better if you use manual NAT statement, instead of an object NAT statement when doing static NAT because manual NAT statements are processed before object NAT statements and you would not run into this problem.</P> <P>Your NAT statement would look like this using manual NAT:</P> <PRE class="prettyprint">object network p-host<BR /> host p.p.p.p<BR /><BR />object service tcp-eq-3299<BR /> service tcp eq 3299<BR /><BR />nat (inside,outside) source static Server p-host service tcp-eq-3299 tcp-eq-3299</PRE> Tue, 17 May 2016 20:27:36 GMT https://community.cisco.com/t5/network-security/asa-5510-9-2/m-p/2861376#M167119 Henrik Grankvist 2016-05-17T20:27:36Z