
NAT working but PAT not.

vnix18227
Level 1

With the configuration given below on my PIX firewall, NAT is working properly and three local IPs get mapped to the x.x.x.43-45 public IPs, but PAT is not working.

ip address outside x.x.x.42

ip address inside 192.168.12.1

global (outside) 1 x.x.x.43-x.x.x.45

global (outside) 1 x.x.x.46

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

What's wrong with my entries? Please lead me in the right direction.

Thanks


Your PAT configuration seems to be right.

Could you add a show run interface and a show run nat and a show run global?

Just to check everything.

Jay Johnston
Cisco Employee

Vishek,

     When inside hosts are subjected to NAT on the firewall, the firewall will first try to exhaust the one-to-one mapping specified by your range of global IPs. Only when a fourth inside host attempts a connection outbound will the firewall create a PAT translation. You said you had three inside PCs, and that would account for why the PAT entry is not being used.

Basically, the firewall only uses the dynamic PAT IPs if it must, and tries to use the static NAT entries if there are some free.

- Jay

Vishesh Kumar, do you have only 3 hosts on the inside? If so, you do not need the PAT because every host has an IP available; the PAT in this case is going to work when the pool is full, just like Jay said.

vnix18227
Level 1

No, my network does not have only three hosts; there are more than 15 hosts. Since I have only four public IPs, I can't use one-to-one NAT.

Thanks

Vishesh,

The output of 'show xlate' or 'show xlate detail' (depending on the ASA version) would indicate what xlates are built using which global IPs.

Also, checking the syslogs for messages around the time that the hosts attempt an outbound connection might show more about what is going wrong.

- Jay
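The `show xlate` check suggested above, as an added example that is not part of the original thread: a Python sketch that parses pasted `show xlate` output and reports which global IPs hold one-to-one NAT xlates, whether the PAT address is in use, and which inside hosts have no xlate at all. It assumes the classic PIX output format (`Global ... Local ...` and `PAT Global ...(port) Local ...(port)`); the sample output is constructed, 203.0.113.x stands in for the masked x.x.x addresses, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in classic PIX 'show xlate' format (not from the thread).
SAMPLE = """\
5 in use, 5 most used
Global 203.0.113.43 Local 192.168.12.10
Global 203.0.113.44 Local 192.168.12.11
Global 203.0.113.45 Local 192.168.12.12
PAT Global 203.0.113.46(1024) Local 192.168.12.13(1051)
PAT Global 203.0.113.46(1025) Local 192.168.12.14(3290)
"""

# One xlate per line; the "(port)" suffix only appears on PAT entries.
XLATE = re.compile(
    r"^(?P<pat>PAT\s+)?Global\s+(?P<g>[\d.]+)(?:\(\d+\))?\s+"
    r"Local\s+(?P<l>[\d.]+)(?:\(\d+\))?\s*$"
)

def summarize_xlates(text):
    """Return {global_ip: {"type": "NAT" or "PAT", "locals": set of inside IPs}}."""
    table = defaultdict(lambda: {"type": None, "locals": set()})
    for line in text.splitlines():
        m = XLATE.match(line.strip())
        if not m:
            continue  # header ("N in use, ...") or a format this sketch does not know
        entry = table[m["g"]]
        entry["type"] = "PAT" if m["pat"] else "NAT"
        entry["locals"].add(m["l"])
    return dict(table)

def pat_in_use(text, pat_ip):
    """True if at least one xlate is built as PAT on pat_ip."""
    entry = summarize_xlates(text).get(pat_ip)
    return bool(entry and entry["type"] == "PAT")

def unmapped_hosts(text, inside_hosts):
    """Inside hosts that have no xlate of either kind."""
    mapped = set()
    for entry in summarize_xlates(text).values():
        mapped |= entry["locals"]
    return sorted(set(inside_hosts) - mapped)

if __name__ == "__main__":
    for ip, entry in sorted(summarize_xlates(SAMPLE).items()):
        print(ip, entry["type"], sorted(entry["locals"]))
```

If the pool addresses each show one local host and the PAT address never appears while other hosts remain unmapped, the syslogs from the time of those hosts' connection attempts are the next place to look.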
