09-27-2010 09:09 AM - edited 03-11-2019 11:46 AM
With the configuration given below on my PIX firewall, NAT is working properly and three local IPs get mapped to the x.x.x.43-45 public IPs, but PAT is not working.
ip address outside x.x.x.42
ip address inside 192.168.12.1
global (outside) 1 x.x.x.43-x.x.x.45
global (outside) 1 x.x.x.46
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
What's wrong with my entries? Please lead me in the right direction.
Thanks
09-27-2010 10:10 AM
Your PAT configuration seems to be right.
Could you add a show run interface and a show run nat and a show run global?
Just to check everything.
09-27-2010 11:11 AM
Vishek,
When inside hosts are subjected to NAT on the firewall, the firewall will first try to exhaust the one-to-one mapping specified by your range of global IPs. Only when a fourth inside host attempts a connection outbound will the firewall create a PAT translation. You said you had three inside PCs, and that would account for why the PAT entry is not being used.
Basically, the firewall only uses the dynamic PAT IPs if it must, and tries to use the static NAT entries if there are some free.
- Jay
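Added example (not part of the thread and not Cisco code): a simplified Python model of the allocation order Jay describes, where the global pool is handed out one address per inside host and PAT is used only once the pool is empty. The 203.0.113.x addresses stand in for the masked x.x.x.43-46, the inside host addresses are constructed, and xlate timeouts are ignored.

```python
import ipaddress
from itertools import count


class DynamicNatModel:
    """Simplified model of dynamic NAT with a PAT fallback on the same nat-id."""

    def __init__(self, pool_first, pool_last, pat_ip, first_port=1024):
        lo = int(ipaddress.IPv4Address(pool_first))
        hi = int(ipaddress.IPv4Address(pool_last))
        self.free_pool = [str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1)]
        self.pat_ip = pat_ip
        self.ports = count(first_port)   # assumed starting port for mapped PAT ports
        self.nat_xlates = {}             # inside host -> global IP (one-to-one)
        self.pat_xlates = {}             # (inside host, src port) -> (PAT IP, port)

    def translate(self, inside_ip, src_port):
        # A host that already owns a pool address reuses it for every connection.
        if inside_ip in self.nat_xlates:
            return ("NAT", self.nat_xlates[inside_ip], src_port)
        # Pool addresses are handed out first, one per inside host.
        if self.free_pool:
            self.nat_xlates[inside_ip] = self.free_pool.pop(0)
            return ("NAT", self.nat_xlates[inside_ip], src_port)
        # Pool exhausted: fall back to PAT, one mapped port per connection.
        key = (inside_ip, src_port)
        if key not in self.pat_xlates:
            self.pat_xlates[key] = (self.pat_ip, next(self.ports))
        return ("PAT", *self.pat_xlates[key])


def simulate(host_count):
    """Each constructed inside host opens one outbound connection, in order."""
    fw = DynamicNatModel("203.0.113.43", "203.0.113.45", "203.0.113.46")
    hosts = [f"192.168.12.{i}" for i in range(10, 10 + host_count)]
    return [(h, *fw.translate(h, 40000)) for h in hosts]


if __name__ == "__main__":
    for row in simulate(15):
        print(row)
```

With three hosts every row is a NAT xlate and the PAT address never appears; with fifteen, hosts four onward should all show the PAT address with distinct mapped ports, which is the pattern to look for in 'show xlate'.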
09-27-2010 02:07 PM
ishesh kumar, do you have only 3 hosts on the inside? If so, you do not need the PAT because every host has an IP available; the PAT in this case is gonna work when the pool is full, just like Jay said.
09-27-2010 09:02 PM
No, my network does not have only three hosts; there are more than 15 hosts. Since I have only four public IPs, I can't use one-to-one NAT.
Thanks
09-28-2010 06:18 AM
Vishesh,
The output of 'show xlate' or 'show xlate detail' (depending on the ASA version) would indicate what xlates are built using which global IPs.
Also, checking the syslogs for messages around the time that the hosts attempt an outbound connection might show more about what is going wrong.
- Jay