06-12-2013 12:05 PM - edited 03-11-2019 06:56 PM
Hi All,
I'm configuring NAT on an ASA5525 running 9.1.2 and have two questions: 1. Is the overlap warning message below normal, and will it cause any issue? 2. Is there a simple way on 8.3 and later to get the same functionality as on 8.2 and earlier?
old config on 8.2 and earlier
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 216.19.84.5
new config on 8.3 and later
Edumain(config)# object network inside-to-outside-network
Edumain(config-network-object)# subnet 0.0.0.0 0.0.0.0
Edumain(config-network-object)# nat (inside,outside) dynamic 216.19.84.5
Edumain(config-network-object)# !
Edumain(config-network-object)# object network dmz-to-outside-network
Edumain(config-network-object)# subnet 0.0.0.0 0.0.0.0
Edumain(config-network-object)# nat (dmz,outside) dynamic 216.19.84.5
WARNING: Pool (216.19.84.5) overlap with existing pool.
Edumain(config-network-object)#
Thanks,
Robert
06-12-2013 12:11 PM
Hi,
Do you have many networks behind "inside" and "dmz"?
I personally configure the basic Dynamic PAT for all my local firewall interfaces in this way.
If we presume I have
Then I could do this
object-group network DEFAULT-PAT-SOURCE
network-object 10.10.10.0 255.255.255.0
network-object 192.168.10.0 255.255.255.0
object network PAT-IP
host 216.19.84.5
nat (any,outside) after-auto source dynamic DEFAULT-PAT-SOURCE PAT-IP
I would use the above rather than the Network Object NAT you are using
I guess the following might even be possible in your case
object network PAT-IP
host 216.19.84.5
nat (dmz,outside) after-auto source dynamic any PAT-IP
nat (inside,outside) after-auto source dynamic any PAT-IP
- Jouni
06-12-2013 02:32 PM
Thank you Jouni for your reply.
Can you explain the keyword after-auto? What's the difference between with and without it? I did some research but am still confused.
06-12-2013 02:38 PM
Hi,
Basically, without it the NAT configuration we are adding would be at a very high priority and might, as a result, end up overriding some other NAT configurations.
The "after-auto" parameter simply moves the NAT configuration's priority to the very bottom of the NAT rules. In this case, since we are configuring a Dynamic PAT for the usual Internet traffic, it is natural that this should be the very last "fallback" translation that traffic hits if there isn't any special/specific NAT rule configured for it.
Basically, NAT is divided into 3 sections.
For a better explanation I would suggest you read through a document I made here on the CSC.
It can be found here:
https://supportforums.cisco.com/docs/DOC-31116
Hope this helps
Please remember to mark a reply as the correct answer if I have answered your questions.
Naturally ask more if needed
- Jouni
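To make the ordering Jouni describes concrete, here is a small model of the 8.3+ NAT table (Section 1 manual NAT, Section 2 object NAT, Section 3 after-auto manual NAT, first match wins). It is an added example, not code from the thread or from Cisco; the DMZ host 192.168.10.10 and its static mapping to 216.19.84.6 are assumed for illustration and do not appear in the original post. It shows the failure mode: a catch-all "source dynamic any PAT-IP" placed in Section 1 (no after-auto) steals the DMZ server's traffic from its static object NAT, while the same rule with after-auto falls to Section 3 and only catches what nothing else matched.

```python
from ipaddress import ip_address, ip_network

# ASA 8.3+ NAT table sections, evaluated top to bottom, first match wins:
#   1 = manual (twice) NAT, in configuration order
#   2 = object (auto) NAT: statics before dynamics, fewer real addresses first
#   3 = manual NAT configured with "after-auto", in configuration order
SECTION_MANUAL, SECTION_OBJECT, SECTION_AFTER_AUTO = 1, 2, 3

PAT_IP = "216.19.84.5"          # the global PAT address from the thread
DMZ_HOST = "192.168.10.10"      # assumed DMZ server (not in the original post)
DMZ_STATIC_IP = "216.19.84.6"   # assumed static mapping for that server


class NatRule:
    """One translation rule, modelled on a single ASA nat statement."""

    def __init__(self, name, section, real_if, mapped_if, real_src,
                 mapped, static=False, order=0):
        self.name = name
        self.section = section
        self.real_if = real_if                 # real-side interface or "any"
        self.mapped_if = mapped_if             # mapped-side interface or "any"
        self.real_src = ip_network(real_src)   # real source addresses covered
        self.mapped = mapped                   # mapped address (PAT or static)
        self.static = static
        self.order = order                     # config order within Section 1/3

    def matches(self, ingress_if, egress_if, src):
        return (self.real_if in ("any", ingress_if)
                and self.mapped_if in ("any", egress_if)
                and ip_address(src) in self.real_src)


def nat_table(rules):
    """Rules in the order the ASA evaluates them."""
    def key(r):
        if r.section == SECTION_OBJECT:
            # Section 2 is auto-ordered: static first, then most specific first
            return (r.section, 0 if r.static else 1,
                    r.real_src.num_addresses, int(r.real_src.network_address), r.name)
        return (r.section, r.order)
    return sorted(rules, key=key)


def translate(rules, ingress_if, egress_if, src):
    """(rule name, mapped address) of the first matching rule, or None."""
    for r in nat_table(rules):
        if r.matches(ingress_if, egress_if, src):
            return r.name, r.mapped
    return None


# object network DMZ-SERVER / host 192.168.10.10 / nat (dmz,outside) static 216.19.84.6
DMZ_STATIC = NatRule("DMZ-SERVER static", SECTION_OBJECT, "dmz", "outside",
                     DMZ_HOST + "/32", DMZ_STATIC_IP, static=True)


def without_after_auto():
    """nat (any,outside) source dynamic any PAT-IP  -> lands in Section 1."""
    rules = [NatRule("default PAT", SECTION_MANUAL, "any", "outside",
                     "0.0.0.0/0", PAT_IP), DMZ_STATIC]
    # Section 1 is checked before the object NAT, so the server is PATed
    return translate(rules, "dmz", "outside", DMZ_HOST)


def with_after_auto():
    """nat (any,outside) after-auto source dynamic any PAT-IP -> Section 3."""
    rules = [NatRule("default PAT", SECTION_AFTER_AUTO, "any", "outside",
                     "0.0.0.0/0", PAT_IP), DMZ_STATIC]
    # The static in Section 2 now wins for the server...
    return translate(rules, "dmz", "outside", DMZ_HOST)


def inside_host_with_after_auto():
    rules = [NatRule("default PAT", SECTION_AFTER_AUTO, "any", "outside",
                     "0.0.0.0/0", PAT_IP), DMZ_STATIC]
    # ...while an ordinary inside host still falls through to the PAT
    return translate(rules, "inside", "outside", "10.10.10.25")


if __name__ == "__main__":
    print("no after-auto, DMZ server :", without_after_auto())
    print("after-auto, DMZ server    :", with_after_auto())
    print("after-auto, inside host   :", inside_host_with_after_auto())
```

The practical check on a real box is `show nat`, which prints the three sections in evaluation order; a catch-all dynamic rule that appears under "Manual NAT Policies (Section 1)" instead of "(Section 3)" is the misconfiguration this model reproduces.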
06-13-2013 06:20 AM
Thank you very much Jouni. I've rated your reply.