ASA5512 static nat

jay.phalak — Tue, 12 Mar 2019 05:05:36 GMT

HI,

There is an issue while adding host static nat.

I added a static nat to from 192.168.64.22/32 to x.x.46.230.

There is more NAT with 192.168.64.0/24 to any on "outside" interface.

When I check whatismyipaddress on 192.168.64.22/32 it shows x.x.46.247. (x.x.46.247 is outside interface IP). It should show x.x.46.230.

Please guide to resovle this.

Thanks...

Hi, Sounds to me like the

Jouni Forss — Mon, 17 Nov 2014 09:38:33 GMT

Hi,

Sounds to me like the order of the NAT configurations is wrong if that is happening.

We would need the output of the following command

show run nat

You should partially remove the public IP addresses in the output.

What I suspect you have in your configuration is something like this (not exactly like this ofcourse)

nat (inside,outside) source dynamic any interface

object network STATIC
host <internal ip>
nat (inside,outside) static <public ip>

nat (inside,outside) source dynamic any interface
nat (inside,outside) source static <internal ip object> <public ip object>

In both of the above cases the Dynamic PAT configurations using the "interface" IP address would be highest priority and all hosts would use this NAT IP address. The only difference with the above examples is that the first ones uses Dynamic PAT with Manual NAT (Section 1) and Static NAT with Network Object NAT / Auto NAT (Section 2) and the second example uses Dynamic PAT with Manual NAT (Section 1) and Static NAT with Manual NAT (Section 1).

The above might not say anything to you but what I am basically saying is that your Dynamic PAT configuration might be set to the highest priority based on its configuration format and therefore any added NAT configuration might not be applied for the internal users. But as we can see any of your configurations its just guessing on my part. Usually it would be good to have the related configurations mentioned in the original post when asking about issues related to them.

If the Dynamic PAT is the problem the usual thing to correct the problem is to change the Dynamic PAT configurations to something like this

nat (inside,outside) after-auto source dynamic any interface

The only difference there is the parameter "after-auto" which essentially means that this NAT configurations will be after the Auto NAT configurations (which were at Section 2 in priority) which would make this Dynamic PAT configurations a Manual NAT in Section 3.

Hope I made any sense.

Hope it helps 🙂

- Jouni

topic Hi, Sounds to me like the in Network Security

ASA5512 static nat

Hi, Sounds to me like the