
Dynamic PAT and Static NAT issue ASA 5515

bhalbautista
Level 1

Hi All,

Recently we migrated our network to an ASA 5515. Since we had configured NAT pool overload on our existing router, the users were able to translate their IPs outside. Right now my issue is that when I use the existing NAT configured on our router in the firewall, it seems that the translation is not successful; actually I used Dynamic NAT. When I use Dynamic PAT (Hide), all users are able to translate to the said public IPs. I know that PAT is port address translation, but when I use static NAT for a specific server, the static NAT is not able to translate. Can anyone explain if there's any conflict between PAT and Static NAT? I appreciate your response. Thanks!

- Bhal

3 Replies

Jouni Forss
VIP Alumni

Hi,

I would have to guess that your Dynamic PAT was perhaps configured as a Section 1 rule and the Static NAT configured as a Section 2 rule, which would mean that the Dynamic PAT rule would always override the Static NAT for the said host.

The very basic configuration for Static NAT and Default PAT I would do in the following way:

object network STATIC
 host
 nat (inside,outside) static dns

object-group network DEFAULT-PAT-SOURCE
 network-object

nat (inside,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface

The Static NAT would be configured as Network Object NAT (Section 2) and the Default PAT would be configured with Twice NAT / Manual NAT (after-auto specifies it as a Section 3 rule).

This might sound confusing. Though it would be easier to say what the problem is if we saw the actual NAT configuration. Though I gave the reason that I think is probably one of the most likely reasons if there is some conflict with the 2 NAT rules.

You can also check out a NAT document I made regarding the new NAT configuration format and its operation.

https://supportforums.cisco.com/docs/DOC-31116

Hope this helps

- Jouni

raga.fusionet
Level 4

Baltazar,

Static NAT and PAT can operate at the same time without any problems. Static NAT actually takes precedence over Dynamic NAT.

On the ASA, besides adding NAT rules, you need to open your ACLs so that the traffic can pass from the Internet to your internal servers. Make sure you have done this, otherwise you won't be able to see the servers from outside. Take a look at this doc, it might help:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804708b4.shtml

Perhaps if you give us more details about what you are trying to do, and post your current config we can take a look and point you in the right direction.

Regards,

Raga
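The rule ordering described in Jouni's reply and the ACL requirement from Raga's reply, combined into one configuration. This is an added example, not part of either reply or the poster's actual config; every address (RFC 1918 and documentation ranges) and the names WEB-SRV, INSIDE-LAN and OUTSIDE-IN are constructed placeholders, and the 8.3+ NAT syntax used in the thread is assumed.

```cisco
! Constructed values: server 10.1.1.10 published as 203.0.113.10,
! inside LAN 10.1.1.0/24. Object and ACL names are hypothetical.
!
! --- Conflicting form (shown commented out) ---
! A manual NAT rule without "after-auto" is placed in Section 1, which is
! evaluated before any object NAT. The server is then PATed to the
! interface address and its Section 2 static rule is never reached:
!   nat (inside,outside) source dynamic INSIDE-LAN interface
! Remove such a rule with the "no" form before adding the one below.
!
! --- Corrected form ---
! Section 2 (object NAT): one-to-one static translation for the server.
object network WEB-SRV
 host 10.1.1.10
 nat (inside,outside) static 203.0.113.10
!
object-group network INSIDE-LAN
 network-object 10.1.1.0 255.255.255.0
!
! Section 3 (manual NAT, after-auto): catch-all PAT for everything that
! did not match a static rule.
nat (inside,outside) after-auto source dynamic INSIDE-LAN interface
!
! Inbound traffic still needs an ACL. With 8.3+ syntax the ACL matches the
! real (inside) address, so the object is referenced directly. Permit only
! the service that has to be reachable.
access-list OUTSIDE-IN extended permit tcp any object WEB-SRV eq 443
access-group OUTSIDE-IN in interface outside
!
! --- Verification (privileged exec) ---
! Rules grouped by section, with translate/untranslate hit counts:
!   show nat detail
! Active translations; the server should appear as a static xlate:
!   show xlate
! Outbound from the server: the NAT phase should name the WEB-SRV rule,
! not the dynamic PAT rule:
!   packet-tracer input inside tcp 10.1.1.10 12345 198.51.100.25 443
! Inbound to the mapped address: expect UN-NAT to 10.1.1.10 and an
! ACL phase that permits via OUTSIDE-IN:
!   packet-tracer input outside tcp 198.51.100.25 12345 203.0.113.10 443
```

If the outbound packet-tracer still reports the dynamic rule, the section headings in the `show nat detail` output show which rule sits ahead of the static one.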

bhalbautista
Level 1

Hi Guys,

I'll try that recommendation and I'll get back to you if this works. Thank you so much for your help, especially JouniForss for providing your sources to me. Thank you again guys.
