https://community.cisco.com/t5/network-security/asa-5515-9-4-nat-conundrum/m-p/2649192#M200862 <P>Hi. Where is your PAT rule? I can't seem to find it.&nbsp;</P><P>One thing you need to remember is that NAT rules are processed in order, so when you have multiple rules matching a request through the firewall, the first rule that matches will be processed. Why do you have so many static nat rules for printers and other hosts? Which devices do you want to provide internet access to?</P> Mon, 27 Apr 2015 15:58:38 GMT Andre Neethling 2015-04-27T15:58:38Z https://community.cisco.com/t5/network-security/asa-5515-9-4-nat-conundrum/m-p/2649187#M200751 <P>All,</P><P>&nbsp;</P><P>I've recently started to configure a NAT'ing policy for a cisco ASA 5515 (using FirePower) and I have run into some seriously odd issues. &nbsp;Here's the basic scope.</P><P>Physical Config:</P><P>single upstream (1 Public in a /26)&nbsp;link on ASA rest are downstream</P><P>&nbsp;</P><P>I have multiple Public&nbsp;IPs&nbsp;statically being NAT'd to Multiple private IPs within the network. &nbsp;They exist in the /26 but do not exists in the configuration of any interfaces.</P><P>I want to specifically NAT all outgoing traffic to a single IP as the primary internet drain. (again inside the /26 but no on the outgoing interface)</P><P>There are two weird things happening :</P><P>1. My basic intrinsic NAT for internet drain does not function unless I modify the global_access access list which is not something I want to do.</P><P>2. &nbsp;I have my basic NAT set as a static not a dynamic yet it still functions as a dynamic PAT on a single IP.</P><P>&nbsp;</P><P>The 9.4 NAT documentation seems rather confused on how to proper attain this. &nbsp;Does anyone have any suggestions. &nbsp;I'm rather stumped. &nbsp;As based on the Documentation my config should not even work.</P><P>&nbsp;</P><P>Thank you,</P><P>&nbsp;</P><P>NOTE I can provide a heavily obfuscated Config.</P><P>&nbsp;</P><P>Just wondering if people have Seen this issue. &nbsp;The documentation is rife with contradictions and false leads as to what my issue is.</P><P>Thank you,</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 12 Mar 2019 05:50:00 GMT https://community.cisco.com/t5/network-security/asa-5515-9-4-nat-conundrum/m-p/2649187#M200751 artemis88 2019-03-12T05:50:00Z https://community.cisco.com/t5/network-security/asa-5515-9-4-nat-conundrum/m-p/2649188#M200805 <P>Post the config please?</P> Fri, 24 Apr 2015 22:14:09 GMT https://community.cisco.com/t5/network-security/asa-5515-9-4-nat-conundrum/m-p/2649188#M200805 Andre Neethling 2015-04-24T22:14:09Z https://community.cisco.com/t5/network-security/asa-5515-9-4-nat-conundrum/m-p/2649189#M200822 <P>Please NOTE Heavily Obfuscated : &nbsp;All public&nbsp;turned to 10.255.</P><P>&nbsp;</P><P>NOTES : &nbsp; &nbsp;</P><P>All Internet Traffic unless it's in a static NAT should be translated to&nbsp;</P><P>10.255.37.60</P><P>Primary Out Interface uses 10.255.37.61</P><P>&nbsp;</P><P>Here is the config</P><P>Connected:@ 2015.04.24 - 08:41 - User Levi Pederson<BR />Type help or '?' for a list of available commands.<BR />saasa&gt; en<BR />Password: ********<BR />saasa# show run<BR />: Saved</P><P>:&nbsp;<BR />: Serial Number:&nbsp;<BR />: Hardware: &nbsp; ASA5515, 8192 MB RAM, CPU Clarkdale 3058 MHz, 1 CPU (4 cores)<BR />:<BR />ASA Version 9.4(1)&nbsp;<BR />!<BR />hostname saasa<BR />domain-name domain.name<BR />enable password encrypted<BR />password encrypted<BR />names<BR />ip local pool ANYCONNECT-POOL 192.168.100.1-192.168.100.254 mask 255.255.255.0<BR />!<BR />interface GigabitEthernet0/0<BR />&nbsp;nameif inside<BR />&nbsp;security-level 100<BR />&nbsp;ip address 10.10.1.1 255.255.255.240&nbsp;<BR />!<BR />interface GigabitEthernet0/1<BR />&nbsp;nameif emaildmz<BR />&nbsp;security-level 10<BR />&nbsp;ip address 10.10.3.1 255.255.255.0&nbsp;<BR />!<BR />interface GigabitEthernet0/2<BR />&nbsp;no nameif<BR />&nbsp;no security-level<BR />&nbsp;no ip address<BR />!<BR />interface GigabitEthernet0/3<BR />&nbsp;description "DMZ -2"<BR />&nbsp;nameif asa-dmz<BR />&nbsp;security-level 0<BR />&nbsp;no ip address<BR />!<BR />interface GigabitEthernet0/4<BR />&nbsp;nameif mnetworks-outside<BR />&nbsp;security-level 0<BR />&nbsp;ip address dhcp&nbsp;<BR />!<BR />interface GigabitEthernet0/5<BR />&nbsp;nameif outside<BR />&nbsp;security-level 0<BR />&nbsp;ip address 10.255.37.61 255.255.255.192&nbsp;<BR />!<BR />interface Management0/0<BR />&nbsp;management-only<BR />&nbsp;nameif management<BR />&nbsp;security-level 100<BR />&nbsp;ip address 10.50.0.10 255.255.255.0&nbsp;<BR />!<BR />boot system disk0:/asa941-smp-k8.bin<BR />ftp mode passive<BR />clock timezone CST -6<BR />clock summer-time CDT recurring<BR />dns domain-lookup inside<BR />dns server-group DefaultDNS<BR />&nbsp;name-server 10.1.0.4<BR />&nbsp;name-server 10.2.0.4<BR />&nbsp;name-server 10.1.0.55<BR />&nbsp;domain-name domain.name<BR />same-security-traffic permit intra-interface<BR />object network mailgate<BR />&nbsp;host 10.10.3.2<BR />object network HPLJ4300<BR />&nbsp;host 10.2.2.140<BR />object network HPColor-Printer<BR />&nbsp;host 10.2.2.139<BR />object network svpdpc86<BR />&nbsp;host 10.2.2.155<BR />object network svpdpc83<BR />&nbsp;host 10.2.2.156<BR />object network svpdpc84<BR />&nbsp;host 10.2.2.163<BR />object network svpdpc60<BR />&nbsp;host 10.2.2.166<BR />object network pdoff08<BR />&nbsp;host 10.2.0.190<BR />object network svpdpc79<BR />&nbsp;host 10.2.2.118<BR />object network svpdlt25<BR />&nbsp;host 10.2.2.172<BR />object network svpdpc74<BR />&nbsp;host 10.2.2.173<BR />object network svpdpc67<BR />&nbsp;host 10.2.2.174<BR />object network svpdpc27<BR />&nbsp;host 10.2.2.178<BR />object network svpdpc81<BR />&nbsp;host 10.2.2.157<BR />object network HPLJ1320<BR />&nbsp;host 10.2.2.233<BR />object network CableCast<BR />&nbsp;host 10.1.2.124<BR />object network svpdpc78<BR />&nbsp;host 10.2.2.119<BR />object network HPLJ4350<BR />&nbsp;host 10.2.2.191<BR />object network DNSSrv<BR />&nbsp;host 10.1.0.55<BR />object network LaserFiechSrv<BR />&nbsp;host 10.1.0.198<BR />object network emaildmz<BR />&nbsp;host 10.0.1.18<BR />object network glacius<BR />&nbsp;host 10.1.0.165<BR />object network svpdpc45<BR />&nbsp;host 10.2.2.217<BR />object network pdoff06<BR />&nbsp;host 10.2.2.115<BR />object network pdoff01<BR />&nbsp;host 10.2.2.110<BR />object network pdoff03<BR />&nbsp;host 10.2.2.112<BR />object network pdoff02<BR />&nbsp;host 10.2.2.111<BR />object network pdoff05<BR />&nbsp;host 10.2.2.114<BR />object network pdoff04<BR />&nbsp;host 10.2.2.113<BR />object network svpdpc53<BR />&nbsp;host 10.2.2.225<BR />object network ViewSecSrv<BR />&nbsp;host 10.9.0.7<BR />object network svpdpc68<BR />&nbsp;host 10.2.2.228<BR />object network WebTracSrv<BR />&nbsp;host 10.3.0.13<BR />object network WebServer<BR />&nbsp;host 10.1.0.38<BR />object network HPLJ1300n<BR />&nbsp;host 10.2.2.126<BR />object network svpdpc75<BR />&nbsp;host 10.2.2.243<BR />object network HPLJ1320b<BR />&nbsp;host 10.2.0.203<BR />object network svpdpc87<BR />&nbsp;host 10.2.2.167<BR />object network HelpDeskSrv<BR />&nbsp;host 10.1.0.49<BR />object network svpdpc80<BR />&nbsp;host 10.2.2.246<BR />object network svpdpc56<BR />&nbsp;host 10.2.2.190<BR />object network svpdpc64<BR />&nbsp;host 10.2.2.227<BR />object network pdoff07<BR />&nbsp;host 10.2.2.116<BR />object network svpdpc89<BR />&nbsp;host 10.2.2.117<BR />object network FinanceSvr<BR />&nbsp;host 10.1.0.44<BR />object network ENMMailSvr<BR />&nbsp;host 10.51.0.2<BR />object network MailServer<BR />&nbsp;host 10.1.0.20<BR />object network svpdpc85<BR />&nbsp;host 10.2.2.154<BR />object network Source-NAT<BR />&nbsp;host 10.255.37.60<BR />object network Scott-County<BR />&nbsp;host 10.255.27.202<BR />object network county-gcweba<BR />&nbsp;host 156.98.10.33<BR />object network wolfie<BR />&nbsp;host 10.255.27.203<BR />object network ENMNetwork<BR />&nbsp;subnet 10.100.1.0 255.255.255.0<BR />object network access-102-obj-allowed-in<BR />&nbsp;subnet 192.168.100.0 255.255.255.0<BR />&nbsp;description "Allowed Access in to Network 10.0.0.0 255.192.0.0"<BR />object network default-coS-NAT<BR />&nbsp;host 10.255.37.60<BR />object network remote-access-vpn<BR />&nbsp;subnet 192.168.100.0 255.255.255.0<BR />object network VPN-Remote-access<BR />&nbsp;subnet 192.168.100.0 255.255.255.0<BR />object service FirePanel8888<BR />&nbsp;service tcp source eq 8888&nbsp;<BR />object network local-access-01<BR />&nbsp;subnet 10.0.0.0 255.0.0.0<BR />object network AnyConnect-VPN-Pool<BR />&nbsp;subnet 192.168.100.0 255.255.255.0<BR />object network McAfee-SaaS-1st<BR />&nbsp;range Public-1 Public-2<BR />&nbsp;description E-mail Cloud Filtering<BR />object network McAfee-SaaS-2nd<BR />&nbsp;range Public-1 Public-2<BR />&nbsp;description E-mail Cloud Filtering<BR />object network firepanel-public<BR />&nbsp;host 10.255.37.34<BR />object network LaserJet-SO<BR />&nbsp;host 10.2.2.183<BR />object network 10-255-99-27-24<BR />&nbsp;subnet 10.255.27.0 255.255.255.0<BR />object network COS_Source-NAT<BR />&nbsp;subnet 10.0.0.0 255.0.0.0<BR />object-group service DM_INLINE_TCP_1 tcp<BR />&nbsp;port-object eq ftp<BR />&nbsp;port-object eq www<BR />&nbsp;port-object eq pop3<BR />&nbsp;port-object eq smtp<BR />object-group network ASARemoteNetworks<BR />&nbsp;network-object 10.1.0.0 255.255.252.0<BR />&nbsp;network-object 10.9.0.0 255.255.255.0<BR />&nbsp;network-object 10.51.0.0 255.255.255.0<BR />object-group service DM_INLINE_SERVICE_1<BR />&nbsp;service-object ip&nbsp;<BR />&nbsp;service-object tcp destination eq www&nbsp;<BR />&nbsp;service-object tcp destination eq https&nbsp;<BR />&nbsp;service-object tcp destination eq 1081&nbsp;<BR />object-group network ENMPD_REMOTE_NETWORK<BR />&nbsp;network-object 10.102.1.0 255.255.255.0<BR />object-group network COS_LOCAL<BR />&nbsp;network-object 10.1.0.0 255.255.252.0<BR />&nbsp;network-object 10.2.0.0 255.255.252.0<BR />&nbsp;network-object 10.51.0.0 255.255.255.0<BR />&nbsp;network-object 10.9.0.0 255.255.255.0<BR />&nbsp;network-object host 156.98.10.33<BR />&nbsp;network-object host 10.255.27.202<BR />&nbsp;network-object host 10.255.27.203<BR />object-group network ENMPW_REMOTE_NETWORK<BR />&nbsp;network-object 10.101.1.0 255.255.255.0<BR />object-group network COS_LOCAL-PW<BR />&nbsp;network-object 10.1.0.0 255.255.252.0<BR />&nbsp;network-object 10.51.0.0 255.255.255.0<BR />&nbsp;network-object 10.9.0.0 255.255.255.0<BR />object-group service DM_INLINE_TCP_3 tcp<BR />&nbsp;port-object eq www<BR />&nbsp;port-object eq https<BR />object-group protocol TCPUDP<BR />&nbsp;protocol-object udp<BR />&nbsp;protocol-object tcp<BR />object-group service DM_INLINE_SERVICE_3<BR />&nbsp;service-object tcp destination eq 4172&nbsp;<BR />&nbsp;service-object tcp destination eq www&nbsp;<BR />&nbsp;service-object tcp destination eq https&nbsp;<BR />&nbsp;service-object udp destination eq 4172&nbsp;<BR />&nbsp;service-object tcp destination eq 22443&nbsp;<BR />&nbsp;service-object tcp destination eq 8443&nbsp;<BR />object-group network finance-external-hosts<BR />&nbsp;network-object host 108.166.31.220<BR />&nbsp;network-object host 209.198.206.133<BR />&nbsp;network-object host 209.198.206.134<BR />&nbsp;network-object host 209.198.206.135<BR />&nbsp;network-object host 209.198.206.136<BR />object-group network access-102-ogn<BR />&nbsp;network-object 10.10.10.0 255.255.255.0<BR />&nbsp;network-object 10.10.2.0 255.255.254.0<BR />&nbsp;network-object 192.168.100.0 255.255.255.0<BR />object-group service DM_INLINE_TCP_4 tcp<BR />&nbsp;port-object eq www<BR />&nbsp;port-object eq https<BR />object-group service https-udp udp<BR />&nbsp;port-object eq 443<BR />object-group network McAfee-SaaS<BR />&nbsp;description E-mail Cloud Filtering<BR />&nbsp;network-object object McAfee-SaaS-1st<BR />&nbsp;network-object object McAfee-SaaS-2nd<BR />object-group network firepanel-local-ip<BR />&nbsp;network-object host 10.1.0.61<BR />&nbsp;network-object host 10.3.0.9<BR />&nbsp;network-object host 10.6.2.40<BR />&nbsp;network-object host 10.6.2.41<BR />&nbsp;network-object host 10.7.0.20<BR />&nbsp;network-object host 10.8.0.4<BR />&nbsp;network-object host 10.22.0.10<BR />access-list allow-all standard permit any4&nbsp;<BR />access-list 102 extended permit ip 10.0.0.0 255.248.0.0 10.10.10.0 255.255.255.0&nbsp;<BR />access-list 102 extended permit ip 10.0.0.0 255.248.0.0 10.10.2.0 255.255.254.0&nbsp;<BR />access-list 102 extended permit ip 10.0.0.0 255.192.0.0 192.168.100.0 255.255.255.0&nbsp;<BR />access-list 102 extended permit ip object-group COS_LOCAL object-group ENMPD_REMOTE_NETWORK&nbsp;<BR />access-list 102 extended permit ip object-group COS_LOCAL-PW object-group ENMPW_REMOTE_NETWORK&nbsp;<BR />access-list 102 extended permit ip object-group ASARemoteNetworks host 10.253.253.2&nbsp;<BR />access-list global_mpc extended permit tcp any any object-group DM_INLINE_TCP_1&nbsp;<BR />access-list outside_access_in extended permit tcp any object mailgate eq smtp&nbsp;<BR />access-list outside_access_in extended permit tcp object-group McAfee-SaaS object MailServer eq smtp&nbsp;<BR />access-list outside_access_in extended permit tcp any object MailServer object-group DM_INLINE_TCP_3&nbsp;<BR />access-list outside_access_in extended permit tcp host 172.16.12.4 10.255.37.0 255.255.255.192&nbsp;<BR />access-list outside_access_in extended permit tcp 208.38.68.128 255.255.255.192 object svpdpc56 eq 9100&nbsp;<BR />access-list outside_access_in extended permit tcp any object CableCast eq www&nbsp;<BR />access-list outside_access_in extended permit tcp any any eq pptp&nbsp;<BR />access-list outside_access_in extended permit gre any any&nbsp;<BR />access-list outside_access_in extended permit tcp any object HPLJ4300 eq 9100&nbsp;<BR />access-list outside_access_in extended permit object-group TCPUDP any object DNSSrv eq domain&nbsp;<BR />access-list outside_access_in extended permit ip 10.255.27.0 255.255.255.0 object HPLJ4350&nbsp;<BR />access-list outside_access_in extended permit ip object 10-255-99-27-24 object LaserJet-SO&nbsp;<BR />access-list outside_access_in extended permit ip 10.255.27.0 255.255.255.0 object HPLJ1300n&nbsp;<BR />access-list outside_access_in extended permit ip 207.7.154.0 255.255.255.0 object glacius&nbsp;<BR />access-list outside_access_in extended permit tcp any object LaserFiechSrv eq www&nbsp;<BR />access-list outside_access_in extended permit tcp any object HPLJ1320 eq 9100&nbsp;<BR />access-list outside_access_in extended permit tcp any object HPLJ1320b eq 9100&nbsp;<BR />access-list outside_access_in extended permit tcp any object HelpDeskSrv eq www&nbsp;<BR />access-list outside_access_in extended permit tcp any object WebTracSrv object-group DM_INLINE_TCP_4&nbsp;<BR />access-list outside_access_in extended permit udp any object WebTracSrv eq www&nbsp;<BR />access-list outside_access_in extended permit udp any object WebTracSrv eq 443&nbsp;<BR />access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 object-group finance-external-hosts object FinanceSvr&nbsp;<BR />access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 host 108.166.31.220 object FinanceSvr&nbsp;<BR />access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_3 any object ViewSecSrv&nbsp;<BR />access-list outside_access_in extended permit icmp any any log disable&nbsp;<BR />access-list outside_access_in remark Elko New Market Mail Server &nbsp;"ENMMAIL"<BR />access-list emaildmz_access_in extended permit tcp host 10.10.3.2 host 10.1.0.20&nbsp;<BR />access-list emaildmz_access_in extended permit ip host 10.10.3.2 host 10.1.0.20&nbsp;<BR />access-list emaildmz_access_in extended permit ip host 10.10.3.2 host 10.1.0.55&nbsp;<BR />access-list emaildmz_access_in extended permit ip host 10.10.3.2 10.0.0.0 255.192.0.0&nbsp;<BR />access-list emaildmz_access_in extended permit ip host 10.10.3.2 any&nbsp;<BR />access-list ENM-Remote_access_in extended permit ip host 10.253.253.2 object-group ASARemoteNetworks&nbsp;<BR />access-list outside_2_cryptomap extended permit ip object-group COS_LOCAL object-group ENMPD_REMOTE_NETWORK&nbsp;<BR />access-list sfr_redirect extended permit ip any any&nbsp;<BR />access-list VPN_NAT extended permit ip 192.168.100.0 255.255.255.0 any&nbsp;<BR />access-list VPN_NAT extended permit ip 10.102.1.0 255.255.255.0 object SC-local<BR />access-list VPN_NAT extended permit ip 10.102.1.0 255.255.255.0 object SC-local-gwca<BR />access-list global-access extended permit ip any any&nbsp;<BR />access-list Tunnel webtype permit tcp 10.0.0.0 255.0.0.0 log default<BR />pager lines 24<BR />logging enable<BR />logging buffer-size 64000<BR />logging buffered notifications<BR />logging asdm informational<BR />mtu inside 1500<BR />mtu emaildmz 1500<BR />mtu asa-dmz 1500<BR />mtu mnetworks-outside 1500<BR />mtu outside 1500<BR />mtu management 1500<BR />no failover<BR />no monitor-interface service-module&nbsp;<BR />icmp unreachable rate-limit 1 burst-size 1<BR />asdm image disk0:/asdm-741.bin<BR />no asdm history enable<BR />arp timeout 14400<BR />no arp permit-nonconnected<BR />!<BR />object network mailgate<BR />&nbsp;nat (emaildmz,outside) static 10.255.37.3<BR />object network HPLJ4300<BR />&nbsp;nat (inside,outside) static 10.255.37.33<BR />object network HPColor-Printer<BR />&nbsp;nat (inside,outside) static 10.255.37.37<BR />object network svpdpc86<BR />&nbsp;nat (inside,outside) static 10.255.37.38<BR />object network svpdpc83<BR />&nbsp;nat (inside,outside) static 10.255.37.39<BR />object network svpdpc84<BR />&nbsp;nat (inside,outside) static 10.255.37.44<BR />object network svpdpc60<BR />&nbsp;nat (inside,outside) static 10.255.37.47<BR />object network pdoff08<BR />&nbsp;nat (inside,outside) static 10.255.37.49<BR />object network svpdpc79<BR />&nbsp;nat (inside,outside) static 10.255.37.52<BR />object network svpdlt25<BR />&nbsp;nat (inside,outside) static 10.255.37.53<BR />object network svpdpc74<BR />&nbsp;nat (inside,outside) static 10.255.37.54<BR />object network svpdpc67<BR />&nbsp;nat (inside,outside) static 10.255.37.55<BR />object network svpdpc27<BR />&nbsp;nat (inside,outside) static 10.255.37.59<BR />object network svpdpc81<BR />&nbsp;nat (inside,outside) static 10.255.37.31<BR />object network HPLJ1320<BR />&nbsp;nat (inside,outside) static 10.255.37.48<BR />object network CableCast<BR />&nbsp;nat (inside,outside) static 10.255.37.12<BR />object network svpdpc78<BR />&nbsp;nat (inside,outside) static 10.255.37.24<BR />object network HPLJ4350<BR />&nbsp;nat (inside,outside) static 10.255.37.26<BR />object network DNSSrv<BR />&nbsp;nat (inside,outside) static 10.255.37.27<BR />object network LaserFiechSrv<BR />&nbsp;nat (inside,outside) static 10.255.37.11<BR />object network emaildmz<BR />&nbsp;nat (inside,emaildmz) static 10.0.1.18<BR />object network glacius<BR />&nbsp;nat (inside,outside) static 10.255.37.14<BR />object network svpdpc45<BR />&nbsp;nat (inside,outside) static 10.255.37.6<BR />object network pdoff06<BR />&nbsp;nat (inside,outside) static 10.255.37.16<BR />object network pdoff01<BR />&nbsp;nat (inside,outside) static 10.255.37.18<BR />object network pdoff03<BR />&nbsp;nat (inside,outside) static 10.255.37.19<BR />object network pdoff02<BR />&nbsp;nat (inside,outside) static 10.255.37.28<BR />object network pdoff05<BR />&nbsp;nat (inside,outside) static 10.255.37.29<BR />object network pdoff04<BR />&nbsp;nat (inside,outside) static 10.255.37.40<BR />object network svpdpc53<BR />&nbsp;nat (inside,outside) static 10.255.37.41<BR />object network ViewSecSrv<BR />&nbsp;nat (inside,outside) static 10.255.37.42<BR />object network svpdpc68<BR />&nbsp;nat (inside,outside) static 10.255.37.51<BR />object network WebTracSrv<BR />&nbsp;nat (inside,outside) static 10.255.37.20<BR />object network HPLJ1300n<BR />&nbsp;nat (inside,outside) static 10.255.37.25<BR />object network svpdpc75<BR />&nbsp;nat (inside,outside) static 10.255.37.8<BR />object network HPLJ1320b<BR />&nbsp;nat (inside,outside) static 10.255.37.30<BR />object network svpdpc87<BR />&nbsp;nat (inside,outside) static 10.255.37.5<BR />object network HelpDeskSrv<BR />&nbsp;nat (inside,outside) static 10.255.37.35<BR />object network svpdpc80<BR />&nbsp;nat (inside,outside) static 10.255.37.7<BR />object network svpdpc56<BR />&nbsp;nat (inside,outside) static 10.255.37.9<BR />object network svpdpc64<BR />&nbsp;nat (inside,outside) static 10.255.37.15<BR />object network pdoff07<BR />&nbsp;nat (inside,outside) static 10.255.37.22<BR />object network svpdpc89<BR />&nbsp;nat (inside,outside) static 10.255.37.23<BR />object network FinanceSvr<BR />&nbsp;nat (inside,outside) static 10.255.37.50<BR />object network MailServer<BR />&nbsp;nat (inside,outside) static 10.255.37.2<BR />object network svpdpc85<BR />&nbsp;nat (inside,outside) static 10.255.37.32<BR />object network LaserJet-SO<BR />&nbsp;nat (inside,outside) static 10.255.37.10<BR />!<BR />nat (inside,outside) after-auto source static firepanel-local-ip firepanel-public description "Mapped FirePanel Block 10.255.37.34"<BR />nat (inside,outside) after-auto source static any any destination static VPN-Remote-access VPN-Remote-access<BR />nat (inside,outside) after-auto source static LOCAL_NETWORS-COS destination static ENMPD_REMOTE_NETWORK ENMPD_REMOTE_NETWORK<BR />nat (inside,outside) after-auto source static any Source-NAT<BR />nat (inside,outside) after-auto source dynamic COS_Source-NAT Source-NAT<BR />nat (inside,outside) after-auto source dynamic access-102-ogn default-coS-NAT inactive<BR />nat (outside,inside) after-auto source static AnyConnect-VPN-Pool AnyConnect-VPN-Pool destination static local-access-01 local-access-01<BR />access-group emaildmz_access_in in interface emaildmz<BR />access-group outside_access_in in interface outside<BR />route outside 0.0.0.0 0.0.0.0 10.255.37.62 1<BR />route inside 10.0.0.0 255.192.0.0 10.10.1.2 1<BR />timeout xlate 3:00:00<BR />timeout pat-xlate 0:00:30<BR />timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02<BR />timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00<BR />timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00<BR />timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute<BR />timeout tcp-proxy-reassembly 0:01:00<BR />timeout floating-conn 0:00:00<BR />aaa-server TACACS+ protocol tacacs+<BR />aaa-server RADIUS protocol radius<BR />user-identity default-domain LOCAL<BR />aaa authentication ssh console LOCAL&nbsp;<BR />sysopt noproxyarp inside<BR />sysopt noproxyarp emaildmz<BR />sysopt noproxyarp asa-dmz<BR />sysopt noproxyarp mnetworks-outside<BR />sysopt noproxyarp management<BR />telnet 10.0.0.0 255.0.0.0 inside<BR />telnet 192.168.10.0 255.255.255.0 inside<BR />telnet Public-2&nbsp;255.255.255.255 outside<BR />telnet 192.168.10.0 255.255.255.0 management<BR />telnet timeout 10<BR />no ssh stricthostkeycheck<BR />ssh 10.0.0.0 255.0.0.0 inside<BR />ssh 192.168.10.0 255.255.255.0 inside<BR />ssh 0.0.0.0 0.0.0.0 outside<BR />ssh public-3 255.255.255.255 outside<BR />ssh timeout 10<BR />ssh version 2<BR />ssh key-exchange group dh-group1-sha1<BR />console timeout 0<BR />management-access inside<BR />threat-detection basic-threat<BR />threat-detection statistics port<BR />threat-detection statistics protocol<BR />threat-detection statistics access-list<BR />no threat-detection statistics tcp-intercept<BR />ntp authenticate<BR />ntp server 10.1.0.50 source inside prefer<BR />!<BR />class-map inspection_default<BR />&nbsp;match default-inspection-traffic<BR />class-map sfr_cm<BR />&nbsp;match access-list sfr_redirect<BR />!<BR />!<BR />policy-map type inspect dns preset_dns_map<BR />&nbsp;parameters<BR />&nbsp; message-length maximum client auto<BR />&nbsp; message-length maximum 512<BR />policy-map global_policy<BR />&nbsp;class inspection_default<BR />&nbsp; inspect dns preset_dns_map&nbsp;<BR />&nbsp; inspect ftp&nbsp;<BR />&nbsp; inspect h323 h225&nbsp;<BR />&nbsp; inspect h323 ras&nbsp;<BR />&nbsp; inspect rsh&nbsp;<BR />&nbsp; inspect rtsp&nbsp;<BR />&nbsp; inspect esmtp&nbsp;<BR />&nbsp; inspect sqlnet&nbsp;<BR />&nbsp; inspect skinny &nbsp;<BR />&nbsp; inspect sunrpc&nbsp;<BR />&nbsp; inspect xdmcp&nbsp;<BR />&nbsp; inspect sip &nbsp;<BR />&nbsp; inspect netbios&nbsp;<BR />&nbsp; inspect tftp&nbsp;<BR />&nbsp; inspect ip-options&nbsp;<BR />&nbsp; inspect icmp&nbsp;<BR />&nbsp;class sfr_cm<BR />&nbsp; sfr fail-open<BR />!<BR />service-policy global_policy global<BR />prompt hostname context&nbsp;<BR />no call-home reporting anonymous<BR />Cryptochecksum:</P> Mon, 27 Apr 2015 15:22:46 GMT https://community.cisco.com/t5/network-security/asa-5515-9-4-nat-conundrum/m-p/2649189#M200822 artemis88 2015-04-27T15:22:46Z https://community.cisco.com/t5/network-security/asa-5515-9-4-nat-conundrum/m-p/2649190#M200836 <P>Accidentally Double Posted : deleted</P><P>Levi</P> Mon, 27 Apr 2015 15:23:41 GMT https://community.cisco.com/t5/network-security/asa-5515-9-4-nat-conundrum/m-p/2649190#M200836 artemis88 2015-04-27T15:23:41Z https://community.cisco.com/t5/network-security/asa-5515-9-4-nat-conundrum/m-p/2649191#M200851 <P>triple posted - Error</P><P>&nbsp;</P><P>Levi</P> Mon, 27 Apr 2015 15:24:21 GMT https://community.cisco.com/t5/network-security/asa-5515-9-4-nat-conundrum/m-p/2649191#M200851 artemis88 2015-04-27T15:24:21Z https://community.cisco.com/t5/network-security/asa-5515-9-4-nat-conundrum/m-p/2649192#M200862 <P>Hi. Where is your PAT rule? I can't seem to find it.&nbsp;</P><P>One thing you need to remember is that NAT rules are processed in order, so when you have multiple rules matching a request through the firewall, the first rule that matches will be processed. Why do you have so many static nat rules for printers and other hosts? Which devices do you want to provide internet access to?</P> Mon, 27 Apr 2015 15:58:38 GMT https://community.cisco.com/t5/network-security/asa-5515-9-4-nat-conundrum/m-p/2649192#M200862 Andre Neethling 2015-04-27T15:58:38Z