topic Static nat breaks dynamic nat, is normal ? in Network Security

Static nat breaks dynamic nat, is normal ?

rizwanr74 — Tue, 12 Mar 2019 03:30:25 GMT

Hi Guys,

We have a public IP pool with /24 mask and we have .14 is being used for dynamic-nat on ASA for a set of inside hosts.

Now, our other firewall admin introduced a second dmz2 interface (with ip: 192.168.75.1/24) and set up a static-nat for all hosts on subnet 192.168.75.0/24 to access the Internet.

Now the issue I face with is that as soon as that static-nat was in place, the dynamic-nat stop working and all hosts being the subnet

10.96.0.0/11 cannot access the internet and this is happening on ASA version 8.4(5). Is this normal?

object network net-10.96.0.0-11

subnet 10.96.0.0 255.224.0.0

nat (Internal,outside) dynamic 205.xxx.xxx.14

object network CVH-AD-TEST-LAB1

subnet 192.168.75.0 255.255.255.0

nat (dmz2,outside) static 205.xxx.xxx.30

Thanks

Rizwan Rafeek.

Static nat breaks dynamic nat, is normal ?

Jouni Forss — Wed, 15 Jan 2014 17:51:18 GMT

Hi,

I am quite not sure why the 2 would have anything to do with eachother. They specifically mention the source and destination interface and also the source network.

Can you confirm with "packet-tracer" that a packet through the ASA would be dropped from the Internet network?

Also, there is no real reason to configure the translation as "static". You should "dynamic" in both as you are attempting to configure Dynamic PAT.

- Jouni

Static nat breaks dynamic nat, is normal ?

rizwanr74 — Wed, 15 Jan 2014 18:43:44 GMT

Hi Jouni,

Thank you very much for your reply.

"You should "dynamic" in both as you are attempting to configure Dynamic PAT."

I could not agree with you more on the above line, but you know not all firewall admin have same level of understanding as to, what need to be done for given a funtion unfortunately.

Yes did a packet-tracer traversing from interenal to outside, destined to a public address such as 4.2.2.2 and it was a complete pass.

I don't have any answer, why this would break the dynamic-nat.

thanks

Static nat breaks dynamic nat, is normal ?

Jouni Forss — Wed, 15 Jan 2014 19:09:50 GMT

Hi,

Could it be that there were also some other configurations made that could have caused this?

Then again you say that the "packet-tracer" test goes through just fine so its pretty strange.

Did you see a Dynamic PAT translation for that traffic in the output? Did it match the configuration you were expecting?

I simple enough firewall environments I tend to configure Dynamic PAT like this for ALL the internal networks

object-group network PAT-SOURCE

network-object

nat (any,outside) after-auto source dynamic PAT-SOURCE interface

Just a basic Dynamic PAT that uses the public IP address on the "outside" interface and accept the source addresses specified inside the "object-group" and the source interface for them can be "any" (so that we can do Dynamic PAT with one command to all of the internal interfaces)

I am not sure if there is a bug involved with your problem. I had an ASA with 8.4 software just stop performing NAT even though it was using a NAT Pool + PAT overload. It went through the pool and ignored the PAT for no obvious reason.

I am not sure would a reload at some point help at all or trying other NAT configurations for the Internal interface if its not working at all at the moment.

Have you been able to determine anything from device logs while attempting connection?

- Jouni