03-24-2013 09:59 PM - edited 03-11-2019 06:19 PM
Hi All,
Recently we migrated our network to an ASA 5515. Since we had configured NAT pool overload on our existing router, the users are able to translate their IPs outside. Right now my issue is that when I use the existing NAT configured on our router in the firewall, it seems that the translation is not successful; actually I used Dynamic NAT. When I use Dynamic PAT (Hide), all users are able to translate to the said public IPs. I know that PAT is Port Address Translation, but when I use static NAT for a specific server, the Static NAT is not able to translate. Can anyone explain if there's any conflict with PAT to Static NAT? I appreciate your response. Thanks!
- Bhal
03-24-2013 10:13 PM
Hi,
I would have to guess that your Dynamic PAT was perhaps configured as a Section 1 rule and the Static NAT configured as a Section 2 rule, which would mean that the Dynamic PAT rule would always override the Static NAT for the said host.
The very basic configuration for Static NAT and Default PAT I would do in the following way:
object network STATIC
 host
 nat (inside,outside) static
object-group network DEFAULT-PAT-SOURCE
 network-object
nat (inside,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface
The Static NAT would be configured as Network Object NAT (Section 2) and the Default PAT would be configured with Twice NAT / Manual NAT (after-auto specifies it as a Section 3 rule).
This might sound confusing. Though it would be easier to say what the problem is if we saw the actual NAT configuration. Though I gave the reason that I think is probably one of the most likely reasons if there is some conflict with the 2 NAT rules.
You can also check out a NAT document I made regarding the new NAT configuration format and its operation.
https://supportforums.cisco.com/docs/DOC-31116
Hope this helps
- Jouni
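The section-ordering conflict described in the reply above can be checked offline against a saved configuration. The following is an added example, not part of the original thread or Cisco tooling: it flags static Network Object NAT rules (Section 2) whose host is also covered by a Manual NAT dynamic rule placed in Section 1. The addresses in `SAMPLE` are constructed, and the parser assumes only `host`, `network-object <net> <mask>` and `network-object host <ip>` forms, with no explicit rule line numbers.

```python
import ipaddress
import re

# Constructed sample (documentation/private addresses), not taken from the thread.
SAMPLE = """\
object network STATIC
 host 10.0.0.10
 nat (inside,outside) static 203.0.113.10
object-group network DEFAULT-PAT-SOURCE
 network-object 10.0.0.0 255.255.255.0
nat (inside,outside) source dynamic DEFAULT-PAT-SOURCE interface
"""

def parse(config):
    """Return (groups, object_nats, manual_nats) from ASA 8.3+ style config text."""
    groups, hosts, object_nats, manual_nats = {}, {}, [], []
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):  # top-level command
            m = re.match(r"(object|object-group) network (\S+)", line)
            current = (m.group(1), m.group(2)) if m else None
            m = re.match(r"nat \(\S+\) (after-auto )?source dynamic (\S+)", line)
            if m:  # Manual NAT: Section 3 with after-auto, otherwise Section 1
                manual_nats.append((3 if m.group(1) else 1, m.group(2)))
        elif current and current[0] == "object":
            if line.startswith("host "):
                hosts[current[1]] = ipaddress.ip_address(line.split()[1])
            elif re.match(r"nat \(\S+\) static ", line):  # Section 2 rule
                object_nats.append((current[1], hosts.get(current[1])))
        elif current and line.startswith("network-object "):
            _, a, b = line.split()
            net = ipaddress.ip_network(b if a == "host" else f"{a}/{b}")
            groups.setdefault(current[1], []).append(net)
    return groups, object_nats, manual_nats

def shadowed_statics(config):
    """Names of Section 2 static object NATs overridden by a Section 1 dynamic rule."""
    groups, object_nats, manual_nats = parse(config)
    hits = []
    for name, host in object_nats:
        for section, src in manual_nats:
            if section == 1 and host and any(host in n for n in groups.get(src, [])):
                hits.append(name)
    return hits

if __name__ == "__main__":
    print(shadowed_statics(SAMPLE))
```

On the ASA itself, `show nat` lists the rules grouped by section in the order they are evaluated.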
03-24-2013 10:14 PM
Baltazar,
Static NAT and PAT can operate at the same time without any problems. Static NAT actually takes precedence over Dynamic NAT.
On the ASA, besides adding NAT rules, you need to open your ACLs so that the traffic can pass from the Internet to your internal servers. Make sure you have done this, otherwise you won't be able to see the servers from outside. Take a look at this doc, it might help:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804708b4.shtml
Perhaps if you give us more details about what you are trying to do, and post your current config we can take a look and point you in the right direction.
Regards,
Raga
03-24-2013 10:22 PM
Hi Guys,
I'll try that recommendation and I'll get back to you if this will work. Thank you so much for your help, especially JouniForss for keeping your sources provided to me. Thank you again guys.