Marius, thank you for your answer!

I just can not understand how to make what you have described.

That is what i have now:

---------------------------------------------------------------------------------------------
interface Ethernet0/0
nameif External
security-level 0
ip address *.*.*.10 255.255.255.240
!
interface Ethernet0/1
nameif Internal1_lan
security-level 100
ip address 10.0.0.1 255.255.255.0
!
interface Ethernet0/2
nameif Internal2_lan
security-level 95
ip address 10.0.10.1 255.255.255.0
!
interface Ethernet0/3
nameif wi-fi_lan
security-level 50
ip address 192.168.0.1 255.255.255.0
!

object network Adm1
nat (Internal1_lan,External) static interface service tcp 4512 45123

!
nat (Internal1_lan,External) after-auto source dynamic any interface
nat (Internal2_lan,External) after-auto source dynamic any interface
nat (wi-fi_lan,External) after-auto source dynamic any interface

------------------------------------------------------------------------------------------------

I tried to do so:

      no nat after-auto 3
      object network wi-fi_ext_ip
        host *.*.*.11
      nat (wi-fi_lan,External) after-auto 3 source dynamic any wi-fi_ext_ip

and the Internet on wi-fi interface was gone =(

Is there any specific reason why you are using the NATs after-auto?

Try to following configuration instead:

object network wi-fi_lan_ip

subnet 192.168.0.0 255.255.255.0

nat (wi-fi,External) source dynamic *.*.*.11

That is all because this is exists:

object network Adm1
nat (Internal1_lan,External) static interface service tcp 4512 45123

!
nat (Internal1_lan,External) after-auto source dynamic any interface
nat (Internal2_lan,External) after-auto source dynamic any interface
nat (wi-fi_lan,External) after-auto source dynamic any interface

If I set that rule after main NAT rules, it doesn't works.

Maybe this is not correct... but i don't know the other way to make it work.

so, i tried to do as you said:

gw-v(config)# object network wi-fi_lan_ip

gw-v(config-network-object)# subnet 192.168.0.0 255.255.255.0

gw-v(config-network-object)# nat (wi-fi,external) source dynamic *.*.*.11

ERROR: % Incomplete command

after that, I tried to do so:

gw-v(config-network-object)# exit

gw-v(config)# nat (wi-fi,external) source dynamic *.*.*.11

ERROR: % Incomplete command

gw-v(config)# nat (wi-fi,external) source dynamic *.*.*.11 ?

configure mode commands/options:
  WORD       Specify object or object-group name for mapped source
  interface  Specify interface NAT
  pat-pool   Specify object or object-group name for mapped source pat pool

my bad remove the source keyword

object network wi-fi_lan_ip

subnet 192.168.0.0 255.255.255.0

nat (wi-fi,External) dynamic *.*.*.11

remember that the nat statement should be nested under the object network wi-fi_lan_ip

Well, I tried to implement that configuration, but failed to get internet connection =(

Also I tried to do this in ASDM:

... failed again.

If I remove flag "Add Automatic Address Translation Rules" everything works fine, but on the same external ip.

Maybe there is any way to verify correctness of config?

I can give more info, just tell me what is necessary.

Hi,

To be honest the original configuration you had was pretty much the one I would have used. I prefer using Auto NAT for Static NAT and Static PAT while I use Manual NAT (Section 3) for the basic Dynamic PAT/NAT rules.

Naturally in that configuration you were still using the "interface" IP address rather than the other public IP address provided by your ISP

So you had this originally

nat (Internal1_lan,External) after-auto source dynamic any interface

nat (Internal2_lan,External) after-auto source dynamic any interface

nat (wi-fi_lan,External) after-auto source dynamic any interface

You would have needed to do this to change the "wi-fi_lan" Dynamic PAT address

object network PAT-x.x.x.11

host x.x.x.11

no nat (wi-fi_lan,External) after-auto source dynamic any interface

nat (wi-fi_lan,External) after-auto source dynamic any PAT-x.x.x.11

Naturally the "object" name can be anything you want it to be.

The above configuration should make it possible for the Wifi to have its own Dynamic PAT IP address when using the Internet.

You can confirm the translation by using the "packet-tracer" command on the CLI

packet-tracer input wi-fi_lan tcp 192.168.0.100 12345 8.8.8.8 80

The output should tell us what the Dynamic PAT translation IP address for this simulated connection/packet would be.

If the traffic is still PATing to the "interface" IP address there is a possibility that you have some overriding NAT rule on the firewall. Naturally its also possible that there is some problem on the ISP side. The "packet-tracer" command will tell if the configurations are correct.

- Jouni

Have you verified that the *.*.*.11 address is routed to the outside interface of the ASA, or is within the subnet of the outside interface IP?

Could you post a full configuration of your ASA (change any sensitive information contained within the configuration)