Policy NAT on ASA

Hi. I have a client with a failover 5520 pair. Two DMZs. The client wants to see "some" DMZ servers using the servers' PUBLIC IP addresses "as well as" the DMZ addresses. Is this even possible? If not, is it possible to see some via their translated public IPs and others with the local DMZ addresses? Confused....

Hello,
It's quite possible to have DMZ ip addresses connected to by the 'inside' and have those same servers also connected to by the internet on their public IP addresses (assuming your DMZ is privately addressed and NAT is set up from outside-->dmz)
Is this what you are asking?
--Jason

Similar Messages

  • Static Policy NAT in VPN conflicts with Static NAT

    I have a situation where I need to create a site-to-site VPN between an ASA 5505 using IOS 7.2 and a Sonicwall NSA4500. The problem arises in that the LAN behind the Cisco ASA has the same subnet as a currently existing VPN created on the Sonicwall. Since the Sonicwall can't have two VPNs both going to the same subnet, the solution is to use policy NAT on the ASA so that to the Sonicwall, the new VPN appears to have a different subnet.
    The current subnet behind the ASA is 192.168.10.0/24 (The Sonicwall already has a VPN created to a different client with that same subnet). I am trying to translate that to 192.168.24.0/24. The peer LAN (behind the Sonicwall) is 10.159.0.0/24. The pertinent configuration of the ASA is:
    interface Vlan1
    ip address 192.168.10.1 255.255.255.0
    access-list outside_1_cryptomap extended permit ip 192.168.24.0 255.255.255.0 10.159.0.0 255.255.255.0
    access-list VPN extended permit ip 192.168.10.0 255.255.255.0 10.159.0.0 255.255.255.0
    static (inside,outside) 192.168.24.0 access-list VPN
    crypto map outside_map 1 match address outside_1_cryptomap
    In addition to this, there are other static NAT statements and their associated ACLs that allow certain traffic through the firewall to the server, e.g.:
    static (inside,outside) tcp interface smtp SERVER smtp netmask 255.255.255.255
    The problem is this: When I enter the static policy NAT statement, I get the message "Warning: real-address conflict with existing static" and then it refers to each of the static NAT statements that translate the outside address to the server. I thought about this, and it seemed to me that the problem was that the policy NAT statement needed to be the first NAT statement (it is last) so that it would be handled first and all traffic destined for the VPN tunnel to the Sonicwall (destination 10.159.0.0/24) would be correctly handled. If I left it as the last statement, then the other static NAT statements would prevent some traffic destined for the 10.159.0.0/24 network from being correctly routed through the VPN.
    So I tried first to move my policy NAT statement up in the ASDM GUI. However, moving that statement was not permitted. Then I tried deleting the five static NAT statements that point to the server (one example is above) and then recreating them, hoping that would then move the policy NAT statement to the top. This also failed.
    What am I missing?

    Hi,
    To be honest it should work in the way I mentioned. I am not sure why it would change the order of the NAT configurations. I have run into this situation on some ASA firewalls running the older software (older than 8.2) and the reordering of the configurations has always worked.
    So I am not sure whether we are looking at some bug or what the problem is.
    I was wondering if one solution would be to configure all of the Static NAT / Static PAT as Static Policy NAT/PAT
    I have gotten a bit rusty on the older (8.2 and older) NAT configuration format as over 90% of our customer firewalls are running 8.3+ software.
    I was thinking of this kind of "static" configuration for the existing Static PAT configurations if you want to try
    access-list STATICPAT-SMTP permit tcp host eq smtp any
    static (inside,outside) tcp interface smtp access-list STATICPAT-SMTP
    access-list STATICPAT-HTTPS permit tcp host eq https any
    static (inside,outside) tcp interface https access-list STATICPAT-HTTPS
    access-list STATICPAT-RDP permit tcp host eq 3389 any
    static (inside,outside) tcp interface 3389 access-list STATICPAT-RDP
    access-list STATICPAT-TCP4125 permit tcp host eq 4125 any
    static (inside,outside) tcp interface 4125 access-list STATICPAT-TCP4125
    access-list STATICPAT-POP3 permit tcp host eq pop3 any
    static (inside,outside) tcp interface pop3 access-list STATICPAT-POP3
    Naturally you would add the Static Policy NAT for the VPN first.
    Again I have to say that I am not 100% sure if this is the correct format; maybe you can test it with a single service that has a Static PAT. For example the Static PAT for RDP (TCP/3389): first entering the Static Policy NAT, then removing the Static PAT and then entering the Static Policy PAT.
    Remember that you should be able to test the translations with the "packet-tracer" command
    For example
    packet-tracer input outside tcp 1.1.1.1 12345
    - Jouni

  • SA520 policy-nat for IPsec

    I'm evaluating the SA500 series.  Running v1.1.42.  I do not immediately see a way to do policy-nat.  Does the  feature not exist?

    It would be like-
    access-list POLICY_NAT extended permit ip  
    static (inside,outside)    access-list POLICY_NAT
    access-list OUTSIDE_CRYPTOMAP extended permit ip < destination >
    Thanks
    Ajay

  • Policy nat address pool

    I have an internal firewall between two private networks.
    I want all addressing on the inside to use the global, and I want any internal address destined for a group of servers on port 23 on the external to use a pool of addresses.
    The inside network is 10.0.0.0/8 and the destination subnet is 10.130.29.0/25. Routes exist and connectivity works.
    Here's the config:
    global (outside) 1 10.130.29.2
    nat (inside) 1 access-list nat
    access-list nat deny ip host 10.7.2.206 any
    access-list nat deny ip host 10.7.2.207 any
    access-list nat permit ip any any
    I've added:
    object-group network SERVERS
      network-object host 195.104.88.151
      network-object host 195.104.88.152
      network-object host 195.104.88.153
    access-list serv_acl permit tcp 10.0.0.0 255.0.0.0 object-group SERVERS eq 23
    global (outside) 2 10.130.29.117-10.130.29.126 netmask 255.255.255.128
    nat (inside) 2 access-list serv_acl
    The SERVERS are destined for another network beyond the firewall but I need to translate any address from the internal to pool 2. I can connect using the global, but after applying the added config above the connection is still using the global. The xlate was cleared.
    Is the subnet mask correct for the pool?
    Any help appreciated.

    Hi,
    So you say that your traffic is hitting the original Dynamic Policy PAT rule after configuring the new Dynamic Policy NAT rule?
    I think this is because of the NAT ordering.
    I am not sure if the "ID" of the NAT configuration has any meaning but I would try changing the NAT configuration in the following way
    no global (outside) 1 10.130.29.2
    no nat (inside) 1 access-list nat
    global (outside) 100 10.130.29.2
    nat (inside) 100 access-list nat
    Then perhaps "clear xlate" if situation permits.
    This should do so that the new Dynamic Policy NAT rule is the first to be matched and the original rule comes after that.
    Notice that the original rule has a "permit ip any any" ACL rule which matches all traffic. So everything gets matched to it and won't get matched to the new rule.
    Can you try this out and see how it goes.
    - Jouni
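The shadowing problem Jouni describes, as an added Python model that is not part of the thread: 8.2-style dynamic policy NAT rules are checked first-match in configuration order, so the catch-all `permit ip any any` ACL entered first swallows every flow before the telnet rule is reached. The addresses come from the post; the first-match-in-configuration-order semantics are an assumption of this illustration.

```python
"""Added model of ASA 8.2-style dynamic policy NAT ('nat (inside) <id>
access-list <acl>' plus 'global (outside) <id>'): rules are checked first-match
in configuration order, so a catch-all 'permit ip any any' ACL entered first
shadows every rule entered later.  The addresses are the ones from the post;
the rule order semantics are an assumption of this illustration."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

net = ipaddress.ip_network
ANY = net("0.0.0.0/0")


@dataclass
class Ace:
    """One access-list entry; dport=None means any destination port."""
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" or "tcp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None

    def matches(self, proto: str, s, d, port: Optional[int]) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        if self.dport is not None and self.dport != port:
            return False
        return s in self.src and d in self.dst


@dataclass
class PolicyNat:
    """nat (inside) <nat_id> access-list <acl> with its global (outside) pool."""
    nat_id: int
    acl: List[Ace]
    pool: str

    def acl_permits(self, proto, s, d, port) -> bool:
        for ace in self.acl:        # the ACL itself is first-match
            if ace.matches(proto, s, d, port):
                return ace.action == "permit"
        return False                # implicit deny at the end of the ACL


def lookup(rules: List[PolicyNat], proto: str, src: str, dst: str,
           port: Optional[int] = None) -> Optional[int]:
    """Return the nat id whose ACL first permits the flow, or None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:              # configuration order
        if rule.acl_permits(proto, s, d, port):
            return rule.nat_id
    return None


# access-list nat: two host exemptions, then permit ip any any
ACL_NAT = [
    Ace("deny", "ip", net("10.7.2.206/32"), ANY),
    Ace("deny", "ip", net("10.7.2.207/32"), ANY),
    Ace("permit", "ip", ANY, ANY),
]
# access-list serv_acl: tcp/23 from 10.0.0.0/8 to the SERVERS object-group
SERVERS = ["195.104.88.151/32", "195.104.88.152/32", "195.104.88.153/32"]
ACL_SERV = [Ace("permit", "tcp", net("10.0.0.0/8"), net(h), 23) for h in SERVERS]

CATCH_ALL = PolicyNat(1, ACL_NAT, "10.130.29.2")
TELNET_POOL = PolicyNat(2, ACL_SERV, "10.130.29.117-10.130.29.126")


def as_posted() -> List[PolicyNat]:
    """Order from the question: nat 1 (catch-all) was configured first."""
    return [CATCH_ALL, TELNET_POOL]


def as_suggested() -> List[PolicyNat]:
    """Jouni's fix: remove nat 1 / global 1 and re-enter them as id 100,
    which places the catch-all after the telnet rule."""
    return [TELNET_POOL, PolicyNat(100, ACL_NAT, "10.130.29.2")]
```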

  • Policy Nat

    Hi all,
    Please can someone explain when I should use Policy NAT?
    thanks.

    Hi Mike,
    Will this be a configuration of policy?
    access-list PolicyNAT-Cust1 extended permit ip host Oracle 142.101.64.0 255.255.255.0 
    access-list PolicyNAT-Cust1 extended permit ip host Oracle 142.101.65.0 255.255.255.0 
    nat (DMZ-MGMT) 10 access-list PolicyNAT-Cust1 outside
    Thanks.

  • Reverse Natting on asa 8.2

    Hi All,
    I am currently trying to apply a reverse NAT on ASA 8.2 and am not sure how to do this. I have done this in ASDM 6.2 for ASA 8.3 but the options are not similar on 8.2. Is there a CLI equivalent?
    I am trying to achieve the objective below:
    For any traffic coming from the outside interface to the inside interface with any source address to destination 10.X.X.58, translate it so that it becomes 192.X.X.X to address 192.X.X.58. This is so that communications can traverse the internal network, as the server is not on a DMZ.
    I have done this on 8.3 (shown below) but do not know if it is possible on 8.2; I have tried replicating the same command on 8.2 but the commands are not recognised.
    nat (outside,any) source static any 192.X.X.X destination static 10.X.X.X 192.X.X.58
    Should I just upgrade to 8.3? I have never done it before so I am not sure of the consequences.
    Any advice appreciated!

    Zahan,
    You can actually do it on 8.2 but not for "any" interface. Let's put the sample for outside to inside.
    access-list pnat permit ip any host 10.X.X.X
    nat (outside) 40 access-list pnat outside
    global (inside) 40 192.X.X.X
    static (inside,outside) 192.X.X.58 10.X.X.X
    Of course NAT on 8.3/8.4 is more flexible than 8.2, so if you can upgrade your ASA it will be a good option.
    Luis Silva

  • Policy Nat on cisco router

    Hi Dears,
    I configured a site-to-site VPN on a router. The peer wants the interesting traffic from our side's user subnet to be 10.193.115.11, but our local subnet is
    10.103.70.0/24. Our local subnet also has access to the internet.
    local subnet: 10.10.3.70.0/24
    peer local subnet: 10.193.128.11/23
    I think that I must do policy NAT.
    1. ip access-list extended vpn-traffic  
    permit ip 10.193.115.0 0.0.0.255  10.193.128.0 0.0.1.255
    2. ip access-list extended nat-ipsec
    permit ip 10.103.70.0  0.0.0.255  10.193.128.0 0.0.1.255
    3.ip nat pool mswpool 10.193.115.1 10.193.115.14  netmask 255.255.255.240
      ip nat inside source list nat-ipsec pool mswpool
    And I also have PAT NAT for local users.
    access-list 100 permit ip 10.103.70.0 0.0.0.255 any
    ip nat inside source list 100 interface GigabitEthernet0/0 overload
    Is this configuration right?
    Please write your comment.
    Thanks.

    OK, thanks.
    At last our configuration is this:
    access-list 100 deny ip 10.103.70.0  0.0.0.255  10.193.128.0 0.0.1.255
    access-list 100 permit ip 10.103.70.0 0.0.0.255 any
    ip nat inside source list 100 interface GigabitEthernet0/0 overload
    For VPN traffic:
    ip nat pool mswpool 10.193.115.1 10.193.115.14  netmask 255.255.255.240
      ip nat inside source list nat-ipsec pool mswpool
    ip access-list extended vpn-traffic 
    permit ip 10.193.115.0 0.0.0.255  10.193.128.0 0.0.1.255
    ip access-list extended nat-ipsec
    permit ip 10.103.70.0  0.0.0.255  10.193.128.0 0.0.1.255
    You said that this configuration will help me with my aim.
    Thanks again.

  • Question about configuration of NAT on ASA

    Hi all,
    I have an ASA configured with DHCP and it's providing IPs to users.
    The ASA is connected to a 3550 switch; it has a direct connection, or say a default static route.
    From the 3550 switch the connection goes to a router, which does the NAT and has the connection to the outside world.
    My question is: do I need to configure the NAT inside and global (outside) on the ASA or not?
    As per my understanding NAT is done by the router which has the connection to the ISP.
    Thanks
    Mahesh

    Hi Jennifer,
    Thanks for the reply.
    I tested like this: configured the NAT on the ASA,
    then as per your reply ran the command no nat-control, as the ASA version is 8.4.
    But the NAT config is still there in the ASA.
    I did sh xlate and it shows:
    ciscoasa# sh xlate
    27 in use, 371 most used
    PAT Global 192.168.11.2(33396) Local 192.168.1.5(57177)
    PAT Global 192.168.11.2(61657) Local 192.168.1.5(57176)
    PAT Global 192.168.11.2(52259) Local 192.168.1.5(57175)
    PAT Global 192.168.11.2(30453) Local 192.168.1.5(57174)
    I did clear xlate and there is still output from sh xlate.
    My question is: how do we test whether the ASA is NATing or not?
    Which commands can tell us that the ASA is doing NAT?
    Thanks
    Mahesh

  • PDM does not support Policy nat

    I have had to build a VPN on a PIX 6.34 using policy NAT; however, this has now made the PDM practically unusable. Is there a way to do this without disabling the PDM?

    Yes it is possible to configure NAT with PDM. Make sure the static NAT configuration is right.
    http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/s.html#wp1026694. For example static (DMZ, inside) x.x.x.x x.x.x.x netmask 255.255.255.255 0 0 . Format should always be Static(DMZ, *) if x.x.x.x is on DMZ.

  • Policy Nat ASA 8.6(1)

    Going from a Pix 515E to an ASA 5515 and trying to mirror the configuration.  I believe I have most of it correct, but this one issue persists that I'm trying to get resolved.  There are a number of vpn tunnels that terminate on the Pix and on some of them the remote party has an overlapping subnet so to remedy this the following configuration was used:
    global (outside) 3 192.168.201.0
    global (outside) 4 192.168.205.0
    nat (inside) 4 access-list NAT1 0 0
    nat (inside) 3 access-list NAT 0 0
    access-list NAT permit ip 192.168.101.0 255.255.255.0 host 10.100.3.215
    access-list NAT1 permit ip 192.168.105.0 255.255.255.0 host 10.100.3.215
    This works fine.  On the ASA I tried using this:
    object network obj-10.100.3.215
     host 10.100.3.215
    object-group network obj-192.168.105.0_2
     network-object 192.168.105.0 255.255.255.0
    object-group network obj-192.168.101.0_2
     network-object 192.168.101.0 255.255.255.0
    nat (inside,outside) source dynamic obj-192.168.101.0_2 obj-192.168.201.0_3 destination static obj-10.100.3.215 obj-10.100.3.215
    nat (inside,outside) source dynamic obj-192.168.105.0_2 obj-192.168.205.0_3 destination static obj-10.100.3.215 obj-10.100.3.215
    That didn't work (the tunnel was up because I have a number of other subnets that were able to access the remote party, but not the 2 that need to be nat'd).  I cleared this and tried it again w/ the following:
    object network obj-10.100.3.215
    host 10.100.3.215
    object-group network obj-192.168.205.0_2
     network-object 192.168.205.0 255.255.255.0
    object-group network obj-192.168.201.0_2
     network-object 192.168.201.0 255.255.255.0
    object-group network obj-192.168.105.0_2
     network-object 192.168.105.0 255.255.255.0
    object-group network obj-192.168.101.0_2
     network-object 192.168.101.0 255.255.255.0
    nat (inside,outside) source static obj-192.168.101.0_2 obj-192.168.105.0_2 destination static obj-10.100.3.215 obj-10.100.3.215
    nat (inside,outside) source static obj-192.168.105.0_2 obj-192.168.205.0_2 destination static obj-10.100.3.215 obj-10.100.3.215
    If I do a packet-tracer trace it appears to nat properly to a 205.x address, but when I actually attempt it from the pc it fails.  Is the syntax correct?  I asked for a trace-route from the pc at the time it failed but it wasn't provided.

    I am trying to replace an asa 5510 with an asa 5515x.  When I try the same nat command as listed above I get this message
    "ERROR: This syntax of nat command has been deprecated."
    Is there an alternative to nat to an access-list?
    Thanks.

  • ASA policy-nat is working but acl is not hit

    Hope you guys can help explain why it is working this strangely. Thank you.
    access-list NET1 permit ip host 10.1.2.27 10.76.5.0 255.255.255.224
    static (inside,outside) 192.168.100.100 access-list NET1
    ciscoasa(config)# show access-list
    access-list NET1 line 1 extended permit ip host 10.1.2.27 10.76.5.0 255.255.255.224 (hitcnt=0) 0x19580e75
    ciscoasa(config)# show xlate
    3 in use, 4 most used
    Global 192.168.100.100 Local 10.1.2.27
    ciscoasa(config)# show nat
    NAT policies on Interface inside:
      match ip inside 10.1.2.27 255.255.255.255 outside 10.76.5.0 255.255.255.224
        static translation to 192.168.100.100
        translate_hits = 9, untranslate_hits = 28

    Hi,
    It seems as if this is the behavior with access lists that are associated with NAT. I did a few checks around the support forums and found that this could be the issue and there isn't anything to worry about. However if you can move this thread to the firewalling community I am sure they will be able to confirm this for you.
    Tarik Admani
    *Please rate helpful posts*

  • Policy NAT 8.6(1)2 Windows Server Cluster

    We have 2 email servers in a cluster on the network.  I have the cluster IP address configured for Object static NAT.  This works great for email coming into our organization.  However, when either of these 2 email servers send mail, they send using their configured IP address which is different from the cluster IP address.  Thus, the NAT'd address is different than for incoming.  It hasn't been an issue to this point, but I would like to be able to send SMTP from either server and have it NAT to the same IP used for the cluster IP.  This way, any reverse DNS lookups on the internet would show a consistent IP to name mapping for our mail servers.  I've attached a diagram.  If there is a way to force the cluster servers to use the cluster address on the Windows server side, that could be an option as well.
    Thanks,
    Andrew

    Hi,
    The actual NAT configuration used depends on how your Dynamic PAT rule for all the users of the network is configured at the moment. Mainly is it Auto NAT or Manual NAT.
    Though naturally I can give you an example that includes both Dynamic PAT for all users and Dynamic PAT for the Mail servers and the Static NAT for incoming mail.
    MAIL SERVER STATIC NAT
    object network MAIL-SERVER
    host 10.0.0.1
    nat (inside,outside) static 10.10.10.140
    The above configuration is the basic Static NAT configuration for a host using Auto NAT / Network Object NAT. It could be done with Manual NAT / Twice NAT also but I prefer Auto NAT / Network Object NAT
    MAIL SERVER DYNAMIC PAT
    object-group network MAIL-PAT-SOURCE
    network-object host 10.0.0.1
    network-object host 10.0.0.2
    network-object host 10.0.0.3
    object network MAIL-SERVER-PUBLIC
    host 10.10.10.140
    nat (inside,outside) after-auto source dynamic MAIL-PAT-SOURCE MAIL-SERVER-PUBLIC
    The above is a normal Dynamic PAT configuration (no Policy elements involved).
    The key thing to notice here is that we are entering this into the ASA before the next Dynamic PAT that catches all the rest of the source IP addresses. One thing to notice also is that it's a Section 3 NAT rule (the lowest priority) so that it won't override any other NAT rules like the above Static NAT.
    If you had your existing Dynamic PAT for all users already with a similar configuration to the last configuration example then you would have to add a line number to the NAT configuration like this:
    nat (inside,outside) after-auto 1 source dynamic MAIL-PAT-SOURCE MAIL-SERVER-PUBLIC
    DEFAULT DYNAMIC PAT FOR USERS
    nat (inside,outside) after-auto source dynamic any interface
    The above is just a Dynamic PAT configuration that catches all source addresses from behind the "inside" interface and does Dynamic PAT for them when connecting to networks behind "outside". As this is inserted into the configuration after the above command it will be at a lower priority and won't apply to the 3 source hosts we specified above.
    I wonder if I made this out to be more complicated than it needs to be
    I guess the easiest way to determine the configuration you will need/want would be to see the current NAT configuration on the ASA
    Hope this helps
    Please do remember to mark a reply as the correct answer if it answered your question.
    Feel free to ask more if needed
    - Jouni

  • Nat/pat asa 5505 asdm ver 8.4

    hi all,
    I have a problem with port forwarding on an ASA 5505.
    I have this situation:
    internet ---> public ip address-> router albacom -- 10.0.0.15 ---> -nat forward port 80--10.0.0.1 -outside -firewall asa -inside - 192.168.0.1------------server web 192.168.0.99
    The server is not in a DMZ but on the LAN network.
    My users must connect from the internet, with any browser, to http://albacom_pubblic_address; the router albacom and then the ASA firewall must NAT and forward port 80 to the web server 192.168.0.99.
    Any idea or tutorial?
    Thanks, best regards

    Hi Luca,
    On the ASA, you would need the following:
    object network server_ip
      host 192.168.0.99
    object service tcp_80
    service tcp destination eq 80
    nat (outside,inside) source static any any destination static interface server_ip service tcp_80 tcp_80
    That would port forward all the requests coming in on port 80 on the outside interface of the firewall to your internal server on port 80.
    Hope that helps
    Thanks,
    Varun

  • Problems with the new NAT in ASA 5510 (8.4)

    Hi all,
    I have some problems with the NAT statements in ASA Version 8.4.
    What I want is to translate the internal address of a server to the external address with a NAT rule.
    The ASA has only one WAN connection (named outside).
    The internal server has the IP address 192.168.0.221 (as an example) and I want to translate all incoming traffic on port 3389 to the server (192.168.0.221).
    This is only for training; I don't want to forward port 3389 out into the BAD in a productive network.
    First I create the network object for the inside server (192.168.0.221):
    object network Network_Obj_RDP
    host 192.168.0.221
    After that I create the access rule for incoming traffic on the outside interface:
    access-list outside_access_in extended permit ip any any log debugging
    Next I create an access rule for the inside-prod network to allow the traffic to the RDP server:
    access-list inside-prod_access_in extended permit object RDP interface outside object Network_Obj_RDP
    Now I create the NAT rule in the network object (Network_Obj_RDP):
    object network Network_Obj_RDP
    nat (inside-prod,outside) static interface service tcp 3389 3389
    But if I want to connect via 3389 on the outside interface I see this entry in the syslog:
    Built inbound TCP connection 23248 for outside:80.187.107.132/7445 (80.187.107.132/7445) to inside-prod:192.168.0.221/3389 (External IP/3389)
    After a while the connection will be torn down with this message:
    Teardown TCP connection 23289 for outside:80.187.107.132/2294 to inside-prod:192.168.0.221/3389 duration 0:00:30 bytes 0 SYN Timeout
    It looks like the ACL works fine, but the NAT translations are wrong...
    Perhaps somebody has an idea to fix this.
    Looking forward and hoping for help...
    Many thanks
    Greetings

    Hi Jouni,
    I think this is the correct Packet Tracer output:
    packet-tracer input inside-prod tcp 192.168.0.220 3389 8.8.8.8 4567
    Phase: 1
    Type: ACCESS-LIST
    Subtype:
    Result: ALLOW
    Config:
    Implicit Rule
    Additional Information:
    MAC Access list
    Phase: 2
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   0.0.0.0         0.0.0.0         outside
    Phase: 3
    Type: ACCESS-LIST
    Subtype: log
    Result: ALLOW
    Config:
    access-group inside-prod_access_in in interface inside-prod
    access-list inside-prod_access_in extended permit ip object Network_Obj-Productiv any log debugging
    Additional Information:
    Phase: 4
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 5
    Type: NAT
    Subtype:
    Result: ALLOW
    Config:
    object network Network_Obj_RDP
    nat (inside-prod,outside) static interface service tcp 3389 3389
    Additional Information:
    Static translate 192.168.0.220/3389 to 80.146.252.162/3389
    Phase: 6
    Type: USER-STATISTICS
    Subtype: user-statistics
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 7
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 8
    Type: USER-STATISTICS
    Subtype: user-statistics
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 9
    Type: FLOW-CREATION
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    New flow created with id 825, packet dispatched to next module
    Result:      
    input-interface: inside-prod
    input-status: up
    input-line-status: up
    output-interface: outside
    output-status: up
    output-line-status: up
    Action: allow
    That looks pretty fine, but the way back isn't right:
    packet-tracer input outside tcp 8.8.8.8 4567 192.168.0.220 3389
    Phase: 1
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   192.168.0.0     255.255.255.0   inside-prod
    Phase: 2
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   0.0.0.0         0.0.0.0         outside
    Phase: 3
    Type: ACCESS-LIST
    Subtype: log
    Result: ALLOW
    Config:
    access-group outside-in in interface outside
    access-list outside-in extended permit tcp any object Network_Obj_RDP eq 3389 log debugging
    Additional Information:
    Phase: 4
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 5
    Type: VPN
    Subtype: ipsec-tunnel-flow
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 6
    Type: NAT
    Subtype: rpf-check
    Result: DROP
    Config:
    object network Network_Obj_RDP
    nat (inside-prod,outside) static interface service tcp 3389 3389
    Additional Information:
    Result:      
    input-interface: outside
    input-status: up
    input-line-status: up
    output-interface: inside-prod
    output-status: up
    output-line-status: up
    Action: drop
    Drop-reason: (acl-drop) Flow is denied by configured rule
    I have no idea...

  • Dynamic PAT and Static NAT issue ASA 5515

    Hi All,
    Recently we migrated our network to an ASA 5515. Since we had configured NAT pool overload on our existing router, the users are able to translate their IPs outside. Right now my issue is that when I use the existing NAT configured on our router in the firewall, it seems that the translation is not successful; actually I used Dynamic NAT. When I use Dynamic PAT (Hide) all users are able to translate to the said public IPs. I know that PAT is Port Address Translation, but when I use static NAT for a specific server, the Static NAT is not able to translate. Can anyone explain if there's any conflict with PAT and Static NAT? I appreciate your response. Thanks!
    - Bhal

    Hi,
    I would have to guess that your Dynamic PAT was perhaps configured as a Section 1 rule and the Static NAT configured as a Section 2 rule, which would mean that the Dynamic PAT rule would always override the Static NAT for the said host.
    The very basic configuration for Static NAT and Default PAT I would do in the following way:
    object network STATIC
    host
    nat (inside,outside) static dns
    object-group network DEFAULT-PAT-SOURCE
    network-object
    nat (inside,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface
    The Static NAT would be configured as Network Object NAT (Section 2) and the Default PAT would be configured with Twice NAT / Manual NAT (after-auto specifies it as Section 3 rule)
    This might sound confusing. Though it would be easier to say what the problem is if we saw the actual NAT configuration. Though I gave the reason that I think is probably one of the most likely reasons if there is some conflict with the 2 NAT rules
    You can also check out a NAT document I made regarding the new NAT configuration format and its operation.
    https://supportforums.cisco.com/docs/DOC-31116
    Hope this helps
    - Jouni
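The Section 1/2/3 lookup order that Jouni's replies rely on, both in the mail-server PAT thread above and in this one, as an added Python model that is not part of the forum threads: a catch-all dynamic PAT entered as plain manual NAT lands in Section 1 and overrides a Section 2 static NAT, while the same rule entered with `after-auto` (Section 3) does not. The section-2 ordering is simplified to static-before-dynamic, and the destination address is constructed.

```python
"""Added model of ASA 8.3+ NAT rule precedence.  Section 1: manual NAT in
configuration order; Section 2: network-object (auto) NAT, static rules before
dynamic ones (the longest-prefix / lowest-IP tie-breaks are left out);
Section 3: manual NAT entered with 'after-auto', in configuration order.  The
first matching rule across sections 1, 2, 3 wins.  Addresses are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


def nets(*cidrs: str) -> List[ipaddress.IPv4Network]:
    """Build a list of networks (the equivalent of an object-group)."""
    return [ipaddress.ip_network(c) for c in cidrs]


ANY = nets("0.0.0.0/0")


@dataclass
class NatRule:
    name: str
    section: int                       # 1 = manual, 2 = auto, 3 = after-auto
    kind: str                          # "static" or "dynamic"
    real_src: List[ipaddress.IPv4Network]
    mapped: str                        # mapped address, or "interface"
    real_dst: Optional[List[ipaddress.IPv4Network]] = None   # None = any

    def matches(self, src, dst) -> bool:
        dsts = self.real_dst or ANY
        return any(src in n for n in self.real_src) and any(dst in n for n in dsts)


class NatTable:
    def __init__(self, rules: List[NatRule]):
        self.rules = list(rules)       # kept in configuration order

    def ordered(self) -> List[NatRule]:
        # stable sort: by section, and inside section 2 static before dynamic;
        # configuration order is preserved for everything else
        return sorted(self.rules,
                      key=lambda r: (r.section,
                                     1 if r.section == 2 and r.kind == "dynamic" else 0))

    def lookup(self, src: str, dst: str) -> Optional[NatRule]:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for r in self.ordered():
            if r.matches(s, d):
                return r
        return None


INTERNET = "198.51.100.25"     # constructed destination (TEST-NET-2)

# object network MAIL-SERVER / nat (inside,outside) static 10.10.10.140 -> Section 2
STATIC_MAIL = NatRule("static MAIL-SERVER", 2, "static", nets("10.0.0.1/32"), "10.10.10.140")
# nat (inside,outside) after-auto source dynamic MAIL-PAT-SOURCE MAIL-SERVER-PUBLIC -> Section 3
MAIL_PAT = NatRule("PAT MAIL-PAT-SOURCE", 3, "dynamic",
                   nets("10.0.0.1/32", "10.0.0.2/32", "10.0.0.3/32"), "10.10.10.140")
# nat (inside,outside) after-auto source dynamic any interface -> Section 3, entered last
DEFAULT_PAT_AFTER_AUTO = NatRule("default PAT after-auto", 3, "dynamic", ANY, "interface")
# the same catch-all entered WITHOUT after-auto lands in Section 1
DEFAULT_PAT_SECTION1 = NatRule("default PAT section 1", 1, "dynamic", ANY, "interface")


def recommended_config() -> NatTable:
    """Static NAT (section 2), mail PAT then default PAT (both section 3)."""
    return NatTable([STATIC_MAIL, MAIL_PAT, DEFAULT_PAT_AFTER_AUTO])


def misordered_config() -> NatTable:
    """The likely cause in this thread: default PAT placed in section 1."""
    return NatTable([STATIC_MAIL, DEFAULT_PAT_SECTION1])


def matched_rule(table: NatTable, src: str, dst: str = INTERNET) -> Optional[str]:
    """Name of the rule an outbound flow from src would hit, or None."""
    rule = table.lookup(src, dst)
    return None if rule is None else rule.name


def mapped_source(table: NatTable, src: str, dst: str = INTERNET) -> Optional[str]:
    """Mapped address that outbound flow would get, or None (no translation)."""
    rule = table.lookup(src, dst)
    return None if rule is None else rule.mapped
```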
