Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
857
Views
0
Helpful
3
Replies

ASA5525X - 8.6(1)2 and One-To-One Static Mapping Issue

Go to solution
Robert Ho
Level 1
Level 1

‎09-07-2012 09:34 AM - edited ‎03-11-2019 04:51 PM

Just started working with the post 8.3 CLI.

Traffic from outside to inside is translated correctly, but inside to outside is using the outside Interface IP instead of the mapped IP, 50.50.50.50.

I know I'm missing something small here.

This is the config that was build using ASDM.

Outside IP: 50.50.50.50

Inside IP: 10.10.10.10

object network TEST

host 50.50.50.50

description One-To-One NAT 50.50.50.50/10.10.10.10

!

object network TEST-priv

host 10.10.10.10

description One-To-One NAT 50.50.50.50/10.10.10.10

!

object network TEST-priv

nat (inside,outside) static TEST

!

nat (inside,outside) source dynamic IN2OUT interface description PAT Overload Using Interface Public IP

!

object network IN2OUT

subnet 0.0.0.0 0.0.0.0

description Inside To Outside NAT

!

Note: ASDM created object TEST-priv twice. One on top and one below the NAT configs.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Julio Carvajal
VIP Alumni
VIP Alumni

‎09-07-2012 09:38 AM

Hello Robert,

The problem here is the nat order.

Twice nat are review first so in order to make this work do the following on the CLI.

no nat (inside,outside) source dynamic IN2OUT interface description PAT Overload Using Interface Public IP

nat (inside,outside) after-auto source dynamic IN2OUT interface description PAT Overload Using Interface Public IP

Remember to rate all of the answers, for the community that is more important that a thank

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Julio Carvajal
VIP Alumni
VIP Alumni

‎09-07-2012 09:38 AM

Hello Robert,

The problem here is the nat order.

Twice nat are review first so in order to make this work do the following on the CLI.

no nat (inside,outside) source dynamic IN2OUT interface description PAT Overload Using Interface Public IP

nat (inside,outside) after-auto source dynamic IN2OUT interface description PAT Overload Using Interface Public IP

Remember to rate all of the answers, for the community that is more important that a thank

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful

Go to solution
Robert Ho
Level 1
Level 1
In response to Julio Carvajal

‎09-07-2012 09:49 AM

looks like it is working, thanks!

so, best practice is to create the global nat entry at the very end?

do i still need to do this after creating additional mappings, or is this a one time deal?

0 Helpful

Go to solution
Julio Carvajal
VIP Alumni
VIP Alumni
In response to Robert Ho

‎09-07-2012 10:02 AM

Hello Robert,

The best practice is to place the general rules at the bottom, the specific ones at the top.

Order of NAT rules 8.3:

Twice Nat

Auto Nat

After Auto Nat

Regards,

Remember to rate all the helpul posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card