Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1345
Views
0
Helpful
4
Replies

Got warning message when configuring nat on 8.3 and later

Go to solution
robert.huang
Level 1
Level 1

‎06-12-2013 12:05 PM - edited ‎03-11-2019 06:56 PM

Hi All,

I'm configuring the nat on a ASA5525 running on 9.1.2 and got 2 questions, 1. Is the below overlap warning message normal and will not cause any issue? 2. Is there a simple way on 8.3 and later to fulfill the same functionality like 8.2 and earlier?

old config on 8.2 and earlier

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

nat (dmz) 1 0.0.0.0 0.0.0.0 0 0

global (outside) 1 216.19.84.5

new config on 8.3 and later

Edumain(config)# object network inside-to-outside-network

Edumain(config-network-object)#  subnet 0.0.0.0 0.0.0.0

Edumain(config-network-object)#  nat (inside,outside) dynamic 216.19.84.5

Edumain(config-network-object)# !

Edumain(config-network-object)# object network dmz-to-outside-network

Edumain(config-network-object)#  subnet 0.0.0.0 0.0.0.0

Edumain(config-network-object)#  nat (dmz,outside) dynamic 216.19.84.5

WARNING: Pool (216.19.84.5) overlap with existing pool.

Edumain(config-network-object)#

Thanks,

Robert

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to robert.huang

‎06-12-2013 02:38 PM

Hi,

Basicly, without it the NAT configuration we are adding would be at very high priority and might end up as a result of that overriding some other NAT configurations.

The "after-auto" parameter simply moves the NAT configurations priority to the very bottom of NAT rules. In this case since we are configuring a Dynamic PAT for the usual Internet traffic then its natural that this should be the very last "fallback" translations to which traffic should hit if there isnt any special/specific NAT rule configured for them.

Basically the NAT is divided in 3 Sections.

  • Section 1 would be the commands without the "after-auto". These are called Twice NAT / Manual NAT
  • Section 2 would be the commands that are configured under "object network" also called Network Object NAT
  • Section 3 would be the commands with the "after-auto". These are also called Twice NAT / Manual NAT

For a better explanation I would suggest you read through some of the document I made here on the CSC

It can be found here

https://supportforums.cisco.com/docs/DOC-31116

Hope this helps

Please remember to mark a reply as the correct answer if I have answered your questions.

Naturally ask more if needed

- Jouni

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni

‎06-12-2013 12:11 PM

Hi,

Do you have many networks behind "inside" and "dmz"?

I personally configure the basic Dynamic PAT for all my local firewalls interface in this way

If we presume I have

  • LAN 10.10.10.0/24
  • DMZ 192.168.10.0/24

Then I could do this

object-group network DEFAULT-PAT-SOURCE

network-object 10.10.10.0 255.255.255.0

network-object 192.168.10.0 255.255.255.0

object network PAT-IP

host 216.19.84.5

nat (any,outside) after-auto source dynamic DEFAULT-PAT-SOURCE PAT-IP

I would use the above rather than the Network Object NAT you are using

I guess the following might even be possible in your case

object network PAT-IP

host 216.19.84.5

nat (dmz,outside) after-auto source dynamic any PAT-IP

nat (inside,outside) after-auto source dynamic any PAT-IP

- Jouni

0 Helpful

Go to solution
robert.huang
Level 1
Level 1
In response to Jouni Forss

‎06-12-2013 02:32 PM

Thank you Jouni for your reply.

Can you explain the keyword after-auto? What's the difference between with and without it? I did a research but still confused.

0 Helpful

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to robert.huang

‎06-12-2013 02:38 PM

Hi,

Basicly, without it the NAT configuration we are adding would be at very high priority and might end up as a result of that overriding some other NAT configurations.

The "after-auto" parameter simply moves the NAT configurations priority to the very bottom of NAT rules. In this case since we are configuring a Dynamic PAT for the usual Internet traffic then its natural that this should be the very last "fallback" translations to which traffic should hit if there isnt any special/specific NAT rule configured for them.

Basically the NAT is divided in 3 Sections.

  • Section 1 would be the commands without the "after-auto". These are called Twice NAT / Manual NAT
  • Section 2 would be the commands that are configured under "object network" also called Network Object NAT
  • Section 3 would be the commands with the "after-auto". These are also called Twice NAT / Manual NAT

For a better explanation I would suggest you read through some of the document I made here on the CSC

It can be found here

https://supportforums.cisco.com/docs/DOC-31116

Hope this helps

Please remember to mark a reply as the correct answer if I have answered your questions.

Naturally ask more if needed

- Jouni

0 Helpful

Go to solution
robert.huang
Level 1
Level 1
In response to Jouni Forss

‎06-13-2013 06:20 AM

Thank you very much Jouni. I've rated your reply.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card