https://community.cisco.com/t5/network-security/policy-nat-address-pool/m-p/2142539#M361235 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>So you say that your traffic is hitting the original Dynamic Policy PAT rule after configuring the new Dynamic Policy NAT rule?</P><P></P><P>I think this is because of the NAT ordering.</P><P></P><P>I am not sure if the "ID" of the NAT configuration has any meaning but I would try changing the NAT configuration in the following way</P><P></P><P></P><P><STRONG>no global (outside) 1 10.130.29.2</STRONG></P><P><STRONG>no nat (inside) 1 access-list nat</STRONG></P><P></P><P></P><P><STRONG>global (outside) 100 10.130.29.2</STRONG></P><P><STRONG>nat (inside) 100 access-list nat</STRONG></P><P></P><P></P><P>Then perhaps "clear xlate" if situation permits.</P><P></P><P>This should do so that the new Dynamic Policy NAT rule is the first to be matched and the original rule comes after that.</P><P></P><P>Notice that the original rule has a "permit ip any any" ACL rule which matches all traffic. So everything gets matched to it and wont get matched to the new rule.</P><P></P><P>Can you try this out and see how it goes.</P><P></P><P>- Jouni</P></BODY></HTML> Wed, 27 Feb 2013 17:19:42 GMT Jouni Forss 2013-02-27T17:19:42Z https://community.cisco.com/t5/network-security/policy-nat-address-pool/m-p/2142538#M361234 <P>I have an internal firewall between two private networks.</P><P>I want all addrssing on the inside to use the gobal and I want any internal address destined for a group of servers on port 23 on the external to use a pool of addreses</P><P></P><P>the inside network is 10.0.0.0/8 and the destination subnet is 10.130.29.0/25. routes exist and connectivity works</P><P></P><P>heres the config</P><P></P><P>global (outside) 1 10.130.29.2</P><P>nat (inside) 1 access-list nat</P><P></P><P>access-list nat deny ip host 10.7.2.206 any</P><P>access-list nat deny ip host 10.7.2.207 any</P><P>access-list nat permit ip any any</P><P></P><P>ive added:</P><P></P><P>object-group network SERVERS</P><P>&nbsp; network-object host 195.104.88.151</P><P>&nbsp; network-object host 195.104.88.152</P><P>&nbsp; network-object host 195.104.88.153</P><P></P><P>access-list serv_acl permit tcp 10.0.0.0 255.0.0.0 object-group SERVERS eq 23</P><P>global (outside) 2 10.130.29.117-10.130.29.126 netmask 255.255.255.128</P><P>nat (inside) 2 access-list serv_acl</P><P></P><P>the SERVERS are destined for another network byond the firewall but I need to translate any address from the internal to pool 2. I can connect using the global but after applying the added config above the connection is still using the global. the xlate was cleared.</P><P>Is the subnet mask correct for the pool?</P><P></P><P>any help appreciated.</P> Tue, 12 Mar 2019 01:06:44 GMT https://community.cisco.com/t5/network-security/policy-nat-address-pool/m-p/2142538#M361234 mickyq 2019-03-12T01:06:44Z https://community.cisco.com/t5/network-security/policy-nat-address-pool/m-p/2142539#M361235 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>So you say that your traffic is hitting the original Dynamic Policy PAT rule after configuring the new Dynamic Policy NAT rule?</P><P></P><P>I think this is because of the NAT ordering.</P><P></P><P>I am not sure if the "ID" of the NAT configuration has any meaning but I would try changing the NAT configuration in the following way</P><P></P><P></P><P><STRONG>no global (outside) 1 10.130.29.2</STRONG></P><P><STRONG>no nat (inside) 1 access-list nat</STRONG></P><P></P><P></P><P><STRONG>global (outside) 100 10.130.29.2</STRONG></P><P><STRONG>nat (inside) 100 access-list nat</STRONG></P><P></P><P></P><P>Then perhaps "clear xlate" if situation permits.</P><P></P><P>This should do so that the new Dynamic Policy NAT rule is the first to be matched and the original rule comes after that.</P><P></P><P>Notice that the original rule has a "permit ip any any" ACL rule which matches all traffic. So everything gets matched to it and wont get matched to the new rule.</P><P></P><P>Can you try this out and see how it goes.</P><P></P><P>- Jouni</P></BODY></HTML> Wed, 27 Feb 2013 17:19:42 GMT https://community.cisco.com/t5/network-security/policy-nat-address-pool/m-p/2142539#M361235 Jouni Forss 2013-02-27T17:19:42Z https://community.cisco.com/t5/network-security/policy-nat-address-pool/m-p/2142540#M361236 <HTML><HEAD></HEAD><BODY><P> Thanks Jouni</P><P></P><P>You were exactly right. </P><P>The first policy had 'ip any any' which of course catches all traffic <SPAN __jive_emoticon_name="silly" __jive_macro_name="emoticon" class="jive_macro jive_macro_emoticon" height="1" src="https://community.cisco.com/4.5.4/images/tiny_mce3/plugins/jiveemoticons/images/spacer.gif" width="1"></SPAN>. I change the order and it works fine.</P><P></P><P>Thanks again</P><P></P><P>michael</P></BODY></HTML> Thu, 28 Feb 2013 18:22:38 GMT https://community.cisco.com/t5/network-security/policy-nat-address-pool/m-p/2142540#M361236 mickyq 2013-02-28T18:22:38Z