static nat versus dynamic nat

JMCNEL · ‎10-06-2011

we are running 8.4(2) on the asa with the below configuration

we basically have a static for .7 on .25 and a nat for .7 for port direction

with manual nat that takes precedense over auto nat within the object group am I correct that I dont
need the dynamic statement and that its redundant?

object network obj-10.X.0.25-02
host 10.X.0.25

object network obj-10.X.0.25
nat (any,INSIDE) static X.X.X.7 dns

object network obj-10.X.0.25-01
nat (INSIDE,OUTSIDE) static X.X.X.7 service tcp smtp smtp

object network obj-10.X.0.25-02
nat (INSIDE,OUTSIDE) dynamic X.X.X.7

varrao · ‎10-06-2011

Yes thats right manual nat always takes precedence over auto nat. But I am not sure, the ones that you have pasted arer all auto nats.None of them is manual nat.

If you want all of them to work then keep the nats in this order:

object network obj-10.X.0.25-01
nat (INSIDE,OUTSIDE) static X.X.X.7 service tcp smtp smtp

object network obj-10.X.0.25-02
nat (INSIDE,OUTSIDE) dynamic X.X.X.7

object network obj-10.X.0.25

nat (any,INSIDE) static X.X.X.7 dns

The idea is to keep the most specific ones on the top and general one on the bottom.

Thanks,

Varun

Thanks,
Varun Rao