
ASA5512 static nat

jay.phalak
Level 1

Hi,

There is an issue while adding host static nat.

I added a static NAT from 192.168.64.22/32 to x.x.46.230.

There is more NAT with 192.168.64.0/24 to any on "outside" interface.

 

When I check whatismyipaddress on 192.168.64.22/32 it shows x.x.46.247. (x.x.46.247 is outside interface IP). It should show x.x.46.230.

 

Please guide me to resolve this.

 

Thanks...

1 Reply

Jouni Forss
VIP Alumni

Hi,

 

Sounds to me like the order of the NAT configurations is wrong if that is happening.

 

We would need the output of the following command

 

show run nat

 

You should partially remove the public IP addresses in the output.

 

What I suspect you have in your configuration is something like this (not exactly like this, of course)

 

nat (inside,outside) source dynamic any interface

 

object network STATIC
 host <internal ip>
 nat (inside,outside) static <public ip>

 

 

OR

 

nat (inside,outside) source dynamic any interface
nat (inside,outside) source static <internal ip object> <public ip object>

 

In both of the above cases the Dynamic PAT configuration using the "interface" IP address would be highest priority and all hosts would use this NAT IP address. The only difference between the above examples is that the first one uses Dynamic PAT with Manual NAT (Section 1) and Static NAT with Network Object NAT / Auto NAT (Section 2), and the second example uses Dynamic PAT with Manual NAT (Section 1) and Static NAT with Manual NAT (Section 1).

 

The above might not say anything to you, but what I am basically saying is that your Dynamic PAT configuration might be set to the highest priority based on its configuration format, and therefore any added NAT configuration might not be applied for the internal users. But as we can't see any of your configurations, it's just guessing on my part. Usually it would be good to have the related configurations mentioned in the original post when asking about issues related to them.

 

If the Dynamic PAT is the problem, the usual way to correct it is to change the Dynamic PAT configuration to something like this

 

nat (inside,outside) after-auto source dynamic any interface

 

The only difference there is the parameter "after-auto", which essentially means that this NAT configuration will be after the Auto NAT configurations (which were at Section 2 in priority), which would make this Dynamic PAT configuration a Manual NAT in Section 3.

 

Hope I made any sense.

 

Hope it helps :)

 

- Jouni
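
The section ordering described in the reply above, as an added example that is not part of the original thread: a small Python checker that assigns each NAT rule in "show run nat" style text to Section 1, 2 or 3 and reports static rules that are evaluated after a dynamic "any" rule on the same interface pair. The sample configuration is constructed, 203.0.113.230 is a placeholder public address, and the function names are hypothetical.

```python
import re

# Constructed sample in "show run nat" style; 203.0.113.230 is a placeholder.
SAMPLE = """\
nat (inside,outside) source dynamic any interface
object network STATIC
 host 192.168.64.22
 nat (inside,outside) static 203.0.113.230
"""
# The corrected form from the reply: the dynamic PAT moved to Section 3.
FIXED = SAMPLE.replace("source dynamic", "after-auto source dynamic")

MANUAL = re.compile(r"^nat \((\S+?),(\S+?)\) (after-auto )?source (static|dynamic) (\S+)")
AUTO = re.compile(r"^\s+nat \((\S+?),(\S+?)\) (static|dynamic) ")

def classify(config):
    """Parse NAT rules and return them in evaluation order (Section 1, 2, 3)."""
    rules, obj = [], None
    for n, line in enumerate(config.splitlines()):
        if line.startswith("object network "):
            obj = line.split()[2]          # Auto NAT rules belong to this object
            continue
        m = MANUAL.match(line)
        if m:                              # Manual NAT: Section 1, or 3 with after-auto
            rules.append({"section": 3 if m.group(3) else 1, "kind": m.group(4),
                          "real": m.group(5), "ifaces": m.group(1, 2),
                          "order": n, "text": line.strip()})
            continue
        m = AUTO.match(line)
        if m and obj:                      # Network Object NAT: always Section 2
            rules.append({"section": 2, "kind": m.group(3), "real": obj,
                          "ifaces": m.group(1, 2), "order": n, "text": line.strip()})
    # Simplification: inside Section 2 only "static before dynamic" is modelled.
    return sorted(rules, key=lambda r: (
        r["section"], r["section"] == 2 and r["kind"] == "dynamic", r["order"]))

def shadowed_statics(config):
    """Return (static rule, earlier dynamic-any rule) pairs on the same interfaces."""
    pats, hits = [], []
    for r in classify(config):
        if r["kind"] == "dynamic" and r["real"] == "any":
            pats.append(r)
        elif r["kind"] == "static":
            hits += [(r["text"], p["text"]) for p in pats if p["ifaces"] == r["ifaces"]]
    return hits

if __name__ == "__main__":
    for static, pat in shadowed_statics(SAMPLE):
        print(f"'{static}' is evaluated after '{pat}'")
    print("after-auto version:", shadowed_statics(FIXED) or "no shadowed static rules")
```

The checker only models section order and the static-before-dynamic rule inside Section 2, so the ASA's own "show nat" output remains the reference for the order actually in effect.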

 

 

 
