
Need quick solution on NAT'g ASA 8.4

Hi Guys,

Here is the scenario:

Source (Inside) : NAT IP: (from the same Inside network)

Destination, learnt via outside: (not directly connected ,three hops away from outside interface of FW)

If I initiate a connection from to, it should take me to network that is learnt via outside interface (not directly connected),

Can you please help me what NAT and route solutions are required to accomplish this? Cisco ver 8.4.

Your quick help is appreciated.

9 Replies

Jouni Forss
VIP Alumni


To my understanding the format should be the following:

object network SOURCE-HOST




object network DESTINATION-REAL


nat (inside,outside) source static SOURCE-HOST SOURCE-HOST destination static DESTINATION-MAPPED DESTINATION-REAL

Do note that the above doesn't NAT the SOURCE-HOST at all. Is there a need to NAT the SOURCE-HOST?

Hope this helps

Check out my NAT 8.3+ document for some information about the new NAT format and operation. It still has only fairly basic information; plans are to expand the content at some point.

- Jouni

Thanks Jouni. I am going to check this out now. To make sure you understood correctly: the connection is initiated from the Inside network and the destination IP is in the same range as the inside network, but it should take him to the real IP of a host learnt via the outside interface. I am confirming the source host is not NAT'ed. Please clarify if any change is required.


I am just wondering the following.

The above configuration should handle everything you stated in the original post. But since we are NOT NATing the source address, and it will therefore appear to the remote host with its original IP address, I wonder: WILL the host have a route back towards the IP/network? Or should we also NAT so that the connection shows up as coming from some NAT IP for which the host has a route, for example some IP address on the side of the "outside" interface?

- Jouni

Thanks Jouni. Per the requirement, the source does not need to be translated. Just a question out of curiosity: the firewall has proxy ARP disabled on all interfaces (e.g., sysopt noproxyarp inside). Do we need to enable it? Once the destination is translated, the outside interface knows how to route it, so is proxy ARP not needed? I am going to test it out in 10 minutes; please stand by for the update.


I am not quite sure about Proxy ARP in this case. Since you can configure Proxy ARP settings in the NAT rule in certain software versions, I am not sure whether that overrides the "sysopt" configuration when the ASA is globally set to disable Proxy ARP on a certain interface.

What is the exact version number of the 8.4(x) software you are using?

I guess NAT configurations like this should have Proxy ARP enabled by default starting from 8.4(2).

What I meant with the source IP address NAT was that with the above NAT configuration the host will see the connection coming from the original source IP address (since we are not NATing it), and I wonder whether the host has a route for this IP address on its closest L3 device. Or would we need to NAT the IP to something the host actually has a return route for?

- Jouni

It did not work. It's 8.4(2); sysopt noproxyarp inside is in the running config. I did a real-time ARP capture on the inside interface:


arp who-has tell


So you could see an ARP query but no answer from the ASA?

I guess you will have to try "no sysopt noproxyarp inside".

I am not sure how your network and inside interface are configured, so I am not sure whether changing this setting will have any effect on your network's operation.

Usually it might be a problem when you have hosts directly connected to the ASA in an L2 network and the hosts need to communicate with each other; in that case the ASA might reply to ARP queries it shouldn't.

I would also monitor the logs through ASDM while attempting the connections to see what happens, and also to confirm that the correct NAT rule is hit.

You can confirm this with "packet-tracer" as well, and you could post that output for us:

packet-tracer input inside tcp 12345

- Jouni

Packet tracer shows no problem. It hits the right NAT command (I tried using Auto NAT as well):

object network obj-

nat (outside,inside) static

No drops in the packet tracer. Probably we need to check by enabling proxy ARP on inside. Is there anything we are missing to make this work?


Well, if it doesn't work with Proxy ARP disabled, I would test with Proxy ARP enabled, as I said above. But I don't know how your network is built, I mean whether this setting change could cause any problems.

If the "inside" hosts use the ASA as their gateway, you should be able to see directly on the host whether it can get an ARP entry for the NAT IP address you configured.

For example, in the Windows Command Prompt:

arp -a

- Jouni
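Putting the pieces of the thread together (the manual NAT rule from the first reply, the route to the real destination, the proxy ARP setting the thread ends up needing, and the checks discussed afterwards), here is an added example. It is not the original poster's configuration and not Jouni's; every address in it is an assumption chosen for illustration: inside network 10.1.1.0/24 with the ASA at 10.1.1.1, outside next hop 203.0.113.1, source host 10.1.1.10, mapped destination 10.1.1.200 (an unused address inside the inside subnet), and real destination 172.16.5.20 in 172.16.5.0/24, three hops beyond the outside interface.

```cisco
! ASA 8.4(2) - assumed addresses, see lead-in. Not the thread's own config.

! Real source host on inside (not translated) and the two faces of the destination.
object network SOURCE-HOST
 host 10.1.1.10
object network DESTINATION-MAPPED
 host 10.1.1.200
object network DESTINATION-REAL
 host 172.16.5.20

! Manual (twice) NAT: identity-translate the source, rewrite the destination.
! The (inside,outside) pair also selects "outside" as the egress interface,
! so a packet to 10.1.1.200 is not treated as local to the inside subnet.
! The no-proxy-arp keyword is deliberately left out: the ASA must answer
! ARP for 10.1.1.200 on inside so the host's frame reaches the firewall.
nat (inside,outside) source static SOURCE-HOST SOURCE-HOST destination static DESTINATION-MAPPED DESTINATION-REAL

! The real destination is not directly connected; the ASA still needs a next hop.
route outside 172.16.5.0 255.255.255.0 203.0.113.1 1

! The thread's capture showed the ARP request for the mapped address going
! unanswered while this sysopt was present, so it must be removed on inside.
no sysopt noproxyarp inside

! Checks after applying the above:
! 1. The flow is allowed, hits this rule, and leaves via outside.
packet-tracer input inside tcp 10.1.1.10 12345 10.1.1.200 443
! 2. Hit counters climb on the rule while the host tests.
show nat detail
! 3. The real-time capture used in the thread should now show a reply to
!    "arp who-has 10.1.1.200" coming from the ASA's inside MAC address.
capture ARPCAP interface inside ethernet-type arp real-time
```

Why proxy ARP is the deciding factor: 10.1.1.200 is inside the host's own subnet, so the host ARPs for it directly instead of sending the packet to its default gateway; only the ASA answering that ARP gets the frame onto the firewall, which is exactly what packet-tracer cannot tell you because it injects the packet past that step. Two caveats to verify before relying on this: the mapped address must not belong to any real host on the inside segment (otherwise two devices answer the ARP), and, as noted in the thread, the remote side still needs a return route for 10.1.1.0/24, since the source is left untranslated. If enabling proxy ARP on inside is not acceptable, the alternative is a mapped address outside the inside subnet with a route for it pointing at the ASA on the hosts' gateway, but that changes the stated requirement that the destination look like an inside address.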
