Static Nat translation

Similar Messages

• ASA 8.2.1 static nat translation

  Hello,
  i want to ask for this:
  On ASA version 8.2.1 is configured static translation like this:
  static (Inside,Outside)  5.5.5.100 192.168.1.5 netmask 255.255.255.255
  what is a static 1:1 mapping between Outside and Inside IP.
  This translation create mapping from outside to local PC. But it translate for example RDP session port 3389 to port 3389 what is not a very good solution (i can use access-lists to restrict access from outside of course, but is a bit limiting)...
  So i want to have "exception" only for one port to map it to other port on this public IP and other use with no change. 
  I can do: static (Inside,Outside)  tcp 5.5.5.100 123456 192.168.1.5 3389 netmask 255.255.255.255, but can´t it use together with 1:1 static statement.
  Maybe i can use:
  global (outside) 2 5.5.5.100
  nat (Inside) 2 access_list PC
  access-list PC extended permit ip host 192.168.1.5 any 
  and then static (Inside,Outside)  tcp 5.5.5.100 123456 192.168.1.5 3389 netmask 255.255.255.255
  But is this a right way how to deal with this problem?
  Thank you very much. 

  Why do you need the 1 to 1 static for that PC if you just want to do port forwarding? Is there some requirement that desktop has a static IP address on the public internet?
  If you must keep the 1 to 1, you can pretty easily change the port that PC listens on for remote desktop. That policy NAT example you have might work also.

• VPN Server under Static NAT. Any advices?

  Hi there,
  Is it possible to setup a VPN server in DMZ under a static NAT translation? I have 2911 as an edge router, another 2951 as a firewall with four zones - inside1, inside2, outside, dmz. All IP addressing between edge and firewall is private. The web and mail servers are working in DMZ under static NAT. The question is - can I also setup VPN server in DMZ under the static NAT? The clients establishing VPN tunnels will work with DMZ servers (other servers) only. Thanks!

  We featured your question on the Cisco Support Community Facebook page. Check out some of the responses here: http://www.facebook.com/CiscoSupportCommunity/posts/269198139851698
  Posted by WebUser Cisco NetPro from Cisco Support Community App

• No translation group for a statically nat'd ip connecting to an external IP of a device in the same subnet

  Hi, 
  I've currently got an issue where I have a device configured with static nat that is trying to communicate to a nat'd ip address of a device in the same subnet.
  I'm getting "No translation grou found for tcp src sourceip/80 dst destip/80.
  I'm not 100% which areas of the config to post.
  Cheers,
  Neil

  Did you set the interface binding order correctly or to match the previous server?
  DNS: Valid network interfaces should precede invalid interfaces in the binding order
  http://technet.microsoft.com/en-us/library/dd391967(v=WS.10).aspx
  Modify the protocol bindings and network provider order
  http://technet.microsoft.com/en-us/library/cc732472(v=WS.10).aspx
  An incorrect IP address is returned when you ping a server by using its NetBIOS name in Windows Server 2008 or in Windows Server 2008 R2
  http://support2.microsoft.com/kb/981953
  You can view your current binding order by using this script, but please note, that I haven't tried this script, yet:
  Show NIC Binding Order
  http://gallery.technet.microsoft.com/scriptcenter/Get-NIC-Binding-Order-a2dc8087
  Also, prior to setting up the teams, make sure that the NIC is set to obtain IP automatically and not have a static entry on it. I've seen this cause problems in the past.
  If you have any unused NICs, such as Local Area Connection 2, don't just unplug them. You must disable them, otherwise they will try to register the APIPA in DNS and that will cause problems.
  Make sure that the correct DNS are on the interfaces that you need to use, too.
  Ace Fekay
  MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
  Microsoft Certified Trainer
  Microsoft MVP - Directory Services
  Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
  This posting is provided AS-IS with no warranties or guarantees and confers no rights.

• Static NAT with port translation

  Hello All,
  I have a server running web application on 443 and now I want to publish it on Internet with static nat and just for port 443,  I am thinking that following configuration should be fine, can anyone comment on it.
    10.1.1.2:443         10.1.1.1    2.2.2.5
  Server -------------------------- ASA --------------------- Internet router --Cloud
  Config  i am planing      
  static (inside, outside) tcp 2.2.2.2 443 10.10.10.10 443 netmask 255.255.255.255
  Thanks
  JD

  Thanks Harish and Jouni,
  I am using extra Public IP, I want to now why "dns" is the end of access list? I got confuse by at ACL as we I was looking for ASA packet flow:-
  A/PIX - Outside (Lower SEC_Level) to Inside (Higher Sec_Lev)
  1. FLOW-LOOKUP - [] - Check for existing connections, if none found
  create a
  new connection.
  2. UN-NAT - [static] -
  2. ROUTE-LOOKUP - [input] - Initial Checking (Reverse Path Check, etc.)
  3. ACCESS-LIST - [log] - ACL Lookup
  4. CONN-SETTINGS - [] - class-map, policy-map, service-policy
  5. IP-OPTIONS - [] -
  6. NAT - [rpf-check] -
  7. NAT - [host-limits] -
  8. IP-OPTIONS - [] -
  9. FLOW-CREATION - [] - If everything passes up until this point a
  connection
  is created.
  10. ROUTE-LOOKUP - [output and adjacency]
  access-list OUTSIDE-IN permit tcp any host eq 443 - suggested by you
  but if i go by the flow which i come to know it should be like
  access-list OUTSIDE-IN permit tcp any host eq 443
  What is your opion ?
  Thanks
  Jagdev

• Remote Access VPN, no split tunneling, internet access. NAT translation problem

  Hi everyone, I'm new to the forum.  I have a Cisco ASA 5505 with a confusing (to me) NAT issue.
  Single external IP address (outside interface) with multiple static object NAT translations to allow port forwarding to various internal devices.  The configuration has been working without issues for the last couple years.
  I recently configured a remote access VPN without split tunneling and access to the internet and noticed yesterday that my port forwarding had stopped working.
  I reviewed the new NAT rules for the VPN and found the culprit. 
  I have been reviewing the rules over and over and from everything I can think of, and interpret, I'm not sure how this rule is affecting the port forwarding on the device or how to correct it.
  Here are the NAT rules I have in place: (The "inactive" rule is the culprit.  As soon as I enable this rule, the port forwarding hits a wall)
  nat (inside,outside) source static any any destination static VPN_Subnet VPN_Subnet no-proxy-arp route-lookup
  nat (outside,outside) source static VPN_Subnet VPN_Subnet destination static VPN_Subnet VPN_Subnet no-proxy-arp route-lookup
  nat (outside,outside) source dynamic VPN_Subnet interface inactive
  object network obj_any
  nat (inside,outside) dynamic interface
  object network XXX_HTTP
  nat (inside,outside) static interface service tcp www www
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
  Any help would be appreciated.

  Try by changing the nat rule to nat (outside,outside) after-auto source dynamic VPN_Subnet interface
  With Regards,
  Safwan

• How to configure Multiple static NATs

  Hi,
  I am trying to configure a Cisco 871 router.
  I have 3 servers on my network that need static public IPs but also still need to communicate on the local network.
  I have given my WAN interface the first IP in the block and set up PAT for the rest of the computers on the network which is working fine. Next I set up static NAT rules for the servers translating 3 of the remaining public IPs to the internal addresses of the servers.
  I can access those servers internally using the public IPs but not from outside the network. A tracroute from outside the network gets dropped when it gets to my ISP.
  I've never configured more than one static ip for a network before and i know i've just missed a step here. Do I also need to set up static routes? Will that update the next hop's routing table?
  Thanks in advance for any help.

  You can execute multiple apply processes ( parallel parameter ). It is pretty much scalable.
  There is one thing why 2 propagate processes can be helpfull: I consulted one client with different reqs for replication delivery for different tables. In this case you can create 2 propagate processes in different schemas (with different db links).
  For maitainence point of view one propagation and one apply is better
  Regards,
  SergeR

• Static-nat and vpn tunnel bound traffic from same private address?

  Hi guys,
  I have site-to-site tunnel local host @192.168.0.250 and remote-host @172.16.3.3.
  For this local host @192.168.0.250, I also have a static one-to-one private to public.
  static (mgmt-192,outside-50) 216.9.50.250 192.168.0.250 netmask 255.255.255.255
  As you can see, IPSec SA shows end-points in question and traffic is being decrypted but not encrypted host traffic never enter into the tunnel, why?
  How can I resolve this problem, without complicating the setup ?
  BurlingtonASA1# packet-tracer input mgmt-192 icmp 192.168.0.250 8 0 172.16.3.3
  Phase: 1
  Type: CAPTURE
  Subtype: 
  Result: ALLOW
  Config:
  Additional Information:
  MAC Access list
  Phase: 2
  Type: ACCESS-LIST
  Subtype: 
  Result: ALLOW
  Config:
  Implicit Rule
  Additional Information:
  MAC Access list
  Phase: 3
  Type: ROUTE-LOOKUP
  Subtype: input
  Result: ALLOW
  Config:
  Additional Information:
  in   0.0.0.0         0.0.0.0         outside-50
  Phase: 4
  Type: ROUTE-LOOKUP
  Subtype: input
  Result: ALLOW
  Config:
  Additional Information:
  in   192.168.0.0     255.255.255.0   mgmt-192
  Phase: 5
  Type: ACCESS-LIST
  Subtype: log
  Result: ALLOW
  Config:
  access-group mgmt_intf in interface mgmt-192
  access-list mgmt_intf extended permit icmp any any 
  access-list mgmt_intf remark *** Permit Event02 access to DMZ Intf ***
  Additional Information:
  Phase: 6
  Type: IP-OPTIONS
  Subtype: 
  Result: ALLOW
  Config:
  Additional Information:
  Phase: 7
  Type: INSPECT
  Subtype: np-inspect
  Result: ALLOW
  Config:
  Additional Information:
  Phase: 8
  Type: NAT-EXEMPT
  Subtype: 
  Result: ALLOW
  Config:
  nat-control
    match ip mgmt-192 host 192.168.0.250 outside-50 host 172.16.3.3
      NAT exempt
      translate_hits = 5, untranslate_hits = 0
  Additional Information:
  Phase: 9
  Type: NAT
  Subtype: 
  Result: ALLOW
  Config:
  static (mgmt-192,outside-50) 216.9.50.250 192.168.0.250 netmask 255.255.255.255 
  nat-control
    match ip mgmt-192 host 192.168.0.250 outside-50 any
      static translation to 216.9.50.250
      translate_hits = 25508, untranslate_hits = 7689
  Additional Information:
  Phase: 10
  Type: NAT
  Subtype: host-limits
  Result: ALLOW
  Config:
  static (mgmt-192,dmz2-172) 192.168.0.0 192.168.0.0 netmask 255.255.255.0 
  nat-control
    match ip mgmt-192 192.168.0.0 255.255.255.0 dmz2-172 any
      static translation to 192.168.0.0
      translate_hits = 28867754, untranslate_hits = 29774713
  Additional Information:
  Phase: 11
  Type: VPN
  Subtype: encrypt
  Result: ALLOW
  Config:
  Additional Information:
  Phase: 12
  Type: FLOW-CREATION
  Subtype: 
  Result: ALLOW
  Config:
  Additional Information:
  New flow created with id 1623623685, packet dispatched to next module
  Result:
  input-interface: mgmt-192
  input-status: up
  input-line-status: up
  output-interface: outside-50
  output-status: up
  output-line-status: up
  Action: allow
  BurlingtonASA1# 
  Crypto map tag: map1, seq num: 4, local addr: 216.9.50.4
        access-list newvpn extended permit ip host 192.168.0.250 host 172.16.3.3 
        local ident (addr/mask/prot/port): (192.168.0.250/255.255.255.255/0/0)
        remote ident (addr/mask/prot/port): (172.16.3.3/255.255.255.255/0/0)
        current_peer: 216.9.62.4
        #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
        #pkts decaps: 53, #pkts decrypt: 53, #pkts verify: 53
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
        #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
        #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
        #send errors: 0, #recv errors: 0
        local crypto endpt.: 216.9.50.4, remote crypto endpt.: 216.9.62.4
        path mtu 1500, ipsec overhead 74, media mtu 1500
        current outbound spi: 37CA63F1
        current inbound spi : 461C843C
      inbound esp sas:
        spi: 0x461C843C (1176273980)
           transform: esp-aes-256 esp-sha-hmac no compression 
           in use settings ={L2L, Tunnel, }
           slot: 0, conn_id: 77398016, crypto-map: map1
           sa timing: remaining key lifetime (kB/sec): (3914997/25972)
           IV size: 16 bytes
           replay detection support: Y
           Anti replay bitmap: 
            0x003FFFFF 0xFFFFFFFF
      outbound esp sas:
        spi: 0x37CA63F1 (936010737)
           transform: esp-aes-256 esp-sha-hmac no compression 
           in use settings ={L2L, Tunnel, }
           slot: 0, conn_id: 77398016, crypto-map: map1
           sa timing: remaining key lifetime (kB/sec): (3915000/25972)
           IV size: 16 bytes
           replay detection support: Y
           Anti replay bitmap: 
            0x00000000 0x00000001

  Hi
  intersting VPN ACL
  object-group network DM_INLINE_NETWORK_18
       network-object YYY.YYY.YYY.0 255.255.255.0
  object-group network DM_INLINE_NETWORK_22
  network-object UUU.UUU.UUU.0 255.255.255.0
  access-list outside_access_in extended permit ip object-group DM_INLINE_NETWORK_22 object-group DM_INLINE_NETWORK_18
  Static NAT
  static (Inside,outside) XXX.XXX.XXX.171 YYY.YYY.YYY.39 netmask 255.255.255.255
  No NAT
  object-group network DM_INLINE_NETWORK_20
  network-object UUU.UUU.UUU.0 255.255.255.0
  access-list Inside_nat0_outbound extended permit ip ZZZ.ZZZ.ZZZ.0 255.255.255.0 object-group DM_INLINE_NETWORK_20
  VPN CLient Pool
  No pool configured as it uses the interesting traffic or protected traffic in ASDM - UUU.UUU.UUU.0 is the IP address range at the far side of the site to site VPN.
  I hope this helps
  Thanks

• NAT issue - (over same link) static-NAT works but PAT (for rest of hosts) does not !

  Hello fellow engineers!
  I have a puzzling situation implementing an Internet routing pilot project and I need someone with a fresh look at the matter because I cannot make-out what the problem is…
  Scenario description:
  2901 router with two (one used) DSL intf’s on board and its two GE ports connected to a switch via Port-Channel sub-int’f (router-on-a-stick is implemented).    The router has two other WAN (Internet) connections via a Satelite link and a MetroEthernet link.   These two are terminated on the switch on intf’s at the appropriate VLAN’s.   At attached topology scheme I depict them all collocated on the router for “simplicity” (logical topology) since the router has intf’s at the corresponding networks.   The aDSL and Metro links have an 8-IP public set, each.
  Most servers/hosts utilize VLAN 10 (int port-channel 1.10) but they need to forward their internet traffic to corresponding Internet links so PBR is used.    VLAN/subnet (all /24) pairs are:
  VLAN 11 -> 10.0.1.x
  VLAN 12 -> 10.0.2.x
  VLAN 13 -> 10.0.3.x
  VLAN 71 -> 192.168.17.x
  VLAN 204 -> 172.16.204.x
  and – last but not least ! – VLAN 10 -> 10.0.0.x
  All servers use static 1-1 NAT while all other hosts/PC’s use the Metro link (PAT).
  Situation: All PBR rules and static NAT’s of VLAN 10 behave as expected.   So does the PAT for hosts of all other VLAN’s (11, 12, 13, …).   The rest of the hosts of VLAN 10, i.e. PC’s with IP’s 10.0.0.x (in red), cannot get to the Internet !
  What is puzzling is that traffic is matched (by ACL) and NAT does occur but all I see (via “sh ip nat tra”) are the translations of the DNS requests !   Nothing else !   To top that, tracerouting a public IP does lead to the target but when hitting that same public IP (not by name) on the browser can’t load the page !
  Could pls someone spot what I’m missing !!
  To help you I also attach the router config and some command outputs…
  All help is appreciated.
  Thanx
  Costas

  That last PBR statement
  (route-map 10.0.0.X_hosts_PBR permit 70
   description *** rest of 10.0.0.x net --> Oxygen ***
   match ip address rest_of_10.0.0.x
   set ip next-hop 212.251.64.153)
  was not there in the first place - I got it there assuming it would help but it didn't.   Actually - as mentioned - it does not get any hits !
  (route-map 10.0.0.X_hosts_PBR, permit, sequence 255
    Match clauses:
      ip address (access-lists): rest_of_10.0.0.x
    Set clauses:
      ip next-hop 212.251.64.153
    Policy routing matches: 0 packets, 0 bytes)

• Static NAT with two outside interfaces

  I have a router, which performs NAT on two outside interfaces with load balancing and had a task to allow inbound connection to be forwarded to the specific host inside on a well known port.
  here is example
  interface Fas0/0
  ip nat outside
  interface Fas0/1
  ip nat outside
  interface Vlan1
  ip nat inside
  ip nat inside source route-map rm_isp1 pool pool_isp1
  ip nat inside source route-map rm_isp2 pool pool_isp2
  all worked fine
  then i tried to add static nat
  ip nat inside source static tcp 10.0.0.1 25 interface Fas0/0 25
  ip nat inside source static tcp 10.0.0.1 25 interface Fas0/1 25
  and in result only last static NAT line appeared in config.
  the solution was to use interface's IPs instead of names. that helped but isn't that a bug?

  In this scenario, we are trying to access a mail server located at
  10.0.0.1 from outside and we have two outside IP, let's say, 71.1.1.1 and
  69.1.1.1.
  With CEF Enabled
  Packet comes in to Fa0/0 interface with Source IP 66.x.x.x and
  Destination IP 71.1.1.1. Our NAT rule translates this to 10.0.0.1.
  Packet goes to 10.0.0.1. The return packet goes to the LAN interface
  first and the routing rule is determined *before* the packet is
  translated.
  Packet source IP at this point is 10.0.0.1 and destination is
  66.x.x.x. Now, based on CEF, it will go out via Fa0/0 or Fa0/1,
  irrespective of the way it came in. Because of this, with CEF enabled
  this will not work. CEF is per-destination.
  So, let's say somebody on outside tried to access this server using 71.1.1.1, then he would
  expect a reply from 71.1.1.1 which may or may not be true as the traffic could be Nat'd to 69.1.1.1 or 71.1.1.1.
  If it gets reply packet from 71.1.1.1, it should work.
  If it gets it from 69.1.1.1, it will simply drop it as it never sent a
  packet to 69.1.1.1.
  With CEF and Fast Switching Disabled
  Same steps as above, only that the packet is sent to the process level
  to be routed. At this point, the packets will be sent out in a round
  robin fashion. One packet will go out via the Fa0/0 and the other via the
  Fa0/0. This will have a constant 50% packet loss and is also not a
  viable solution.
  So, what are you trying to achieve is not possible on Cisco router.
  HTH,
  Amit Aneja

• Static NAT - VPN - Internet Access

  Does anyone know how to configure the following?
  1.  An static NAT from an inside ip address to another inside ip address (not physical subnet).
  2.  The traffic static Natted at the step 1 need to go into a tunnel VPN and at the same time to have internet access.
  My router just have two interfaces a WAN and a LAN.
  I just created the VPN, the static NAT and the PAT for other users of the subnet to have internet access, but the traffic static Natted just goes over the ipsec tunnel but cannot have internet access.
  I tried to apply a route map after the static nat command but since i do not have a physical interface in the same subnet were i am translating the route-map is not applied to the static nat command.
  in an extract:
  LAN traffic (specific server) --->> static nat to inside not real subnet --->> traffic goes over Tunnel (OK), but no internet access.
  BTW.  I need to configure the nat before de ipsec tunnel because both lan subnets of the ipsec tunnel endpoint are the same.

  Why do you need an inside host to be natted to another inside IP address?
  You need to configure a "no nat" policy, for the internet traffic.

• Static NAT not working

  Hi,
  I'm configuring a 1841 router with 4-port FE WIC card.
  Interface FE0/1 is outside and FE0/0/0 (WIC) is used for LAN connection.
  I'm using dinamic NAT for LAN users access to Internet and static NAT to connect to internal servers from external network.
  In my test configuration, I cannot connect to LAN (192.168.0.0/24) from external network. Dinamic NAT, though, is working fine.
  My config follows. Am I missing something? Hope someone can help me.
  Thanks in advance.
  interface FastEthernet0/0
  description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$
  ip address 10.10.10.1 255.255.255.248
  duplex auto
  speed auto
  interface FastEthernet0/1
  description $ETH-LAN$
  ip address 192.168.2.2 255.255.255.0
  ip nat outside
  ip virtual-reassembly
  duplex auto
  speed auto
  interface FastEthernet0/0/0
  interface FastEthernet0/0/1
  interface FastEthernet0/0/2
  interface FastEthernet0/0/3
  interface Vlan1
  ip address 192.168.0.6 255.255.255.0
  ip nat inside
  ip virtual-reassembly
  ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
  ip nat inside source list 1 interface FastEthernet0/1 overload
  ip nat inside source static tcp 192.168.0.1 23 interface FastEthernet0/1 23
  ip nat inside source static tcp 192.168.0.5 5900 interface FastEthernet0/1 5900
  access-list 1 remark SDM_ACL Category=2
  access-list 1 permit 192.168.0.0 0.0.0.255
  access-list 2 remark SDM_ACL Category=2
  access-list 2 permit 192.168.0.18 0.0.0.128

  Albert
  It looks to me like your NAT is working. I get similiar results in my NAT table.
  2600_connect#sh ip nat trans
  Pro Inside global Inside local Outside local Outside global
  1) icmp 172.16.1.9:4388 10.15.1.2:4388 10.5.1.1:4388 10.5.1.1:4388
  2) tcp 172.16.1.9:23 10.15.1.3:23 172.16.1.10:62274 172.16.1.10:62274
  3) tcp 172.16.1.9:23 10.15.1.3:23 --- ---
  Line 1) is a dynamic translation from inside to outside for ping.
  Line 2) is the dynamic entry builti when i telnet from outside (172.16.1.10)
  to 172.16.1.9 (which gets Natted to 10.15.1.3)
  Line 3) is the permanent static translation that gets entered when from the
  config line "ip nat source static tcp 10.15.1.3 23 interface fa0/1 23"
  Relevant Router config
  ======================
  interface FastEthernet0/0
  description Connection to CR02
  ip address 10.15.1.1 255.255.255.240
  ip nat inside
  ip pim dense-mode
  no ip route-cache
  speed 100
  full-duplex
  interface FastEthernet0/1
  description Connection to P1
  ip address 172.16.1.9 255.255.255.248
  ip nat outside
  ip pim dense-mode
  no ip route-cache
  speed 100
  full-duplex
  router eigrp 20
  redistribute connected
  redistribute static
  network 10.0.0.0
  network 172.16.0.0
  no auto-summary
  ip nat inside source list 1 interface FastEthernet0/1 overload
  ip nat inside source static tcp 10.15.1.3 23 interface FastEthernet0/1 23
  ip classless
  access-list 1 permit 10.15.1.0 0.0.0.15
  =====================
  Are you sure it is a natting problem ?
  Jon

• Dynamic PAT and Static NAT issue ASA 5515

  Hi All,
  Recently we migrated our network to ASA 5515, since we had configured nat pool overload on our existing router the users are able to translated their ip's outside. Right now my issue was when I use the existing NAT configured to our router into firewall, it seems that the translation was not successful actually I used Dynamic NAT. When I use the Dynamic PAT(Hide) all users are able to translated to the said public IP's. I know that PAT is Port address translation but when I use static nat for specific server. The Static NAT was not able to translated. Can anyone explain if there's any conflict whit PAT to Static NAT? I appriciate their response. Thanks!
  - Bhal

  Hi,
  I would have to guess that you Dynamic PAT was perhaps configured as a Section 1 rule and Static NAT configured as Section 2 rule which would mean that the Dynamic PAT rule would always override the Static NAT for the said host.
  The very basic configured for Static NAT and Default PAT I would do in the following way
  object network STATIC
  host
  nat (inside,outside) static dns
  object-group network DEFAULT-PAT-SOURCE
  network-object
  nat (inside,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface
  The Static NAT would be configured as Network Object NAT (Section 2) and the Default PAT would be configured with Twice NAT / Manual NAT (after-auto specifies it as Section 3 rule)
  This might sound confusing. Though it would be easier to say what the problem is if we saw the actual NAT configuration. Though I gave the reason that I think is probably one of the most likely reasons if there is some conflict with the 2 NAT rules
  You can also check out a NAT document I made regarding the new NAT configuration format and its operation.
  https://supportforums.cisco.com/docs/DOC-31116
  Hope this helps
  - Jouni

• NAT 8.6 multiple subnets in a single static NAT

  Hello all, I have this question, probably pretty an easy to answer, but unfortunately I can't test it myself in a production environment right now.
  Do you know if is possible to have in ASA 8.6 a Static NAT rule with multiple subnets in both object groups. I currently have one to one subnet translation, but I need to add another two subnets.
  Today's configuration is this
  *** FROM ONE SUBNET TO ANOTHER ***
  object-group network REGIONAL-SOURCE
  network-object 10.1.1.0 255.255.255.0
  object-group network REGIONAL-NAT
  network-object 10.1.201.0 255.255.255.0
  nat (Outside,Inside) after-auto source static REGIONAL-SOURCE REGIONAL-NAT dns
  What I need to accomplish is add two new subnets, but I want to see if is possible to do it using the same NAT rule, just adding the new 2 subnets.
  10.1.2.0/24 natted to 10.1.202.0 255.255.255.0
  10.1.3.0/24 natted to 10.1.203.0 255.255.255.0
  *** TWO MORE SUBNETS ARE NEEDED ***
  object-group network REGIONAL-SOURCE
  network-object 10.1.2.0 255.255.255.0
  network-object 10.1.3.0 255.255.255.0
  object-group network REGIONAL-NAT
  network-object 10.1.202.0 255.255.255.0
  network-object 10.1.203.0 255.255.255.0
  If this is not possible I understand separate objects should be created with individual nat, I appreciate your comments and help.

  Hi,
  This should be no problem. It should work as you have thought.
  I tested the configurations on my own ASA
  object-group network REGIONAL-SOURCE
  network-object 10.1.1.0 255.255.255.0
  network-object 10.1.2.0 255.255.255.0
  network-object 10.1.3.0 255.255.255.0
  object-group network REGIONAL-NAT
  network-object 10.1.201.0 255.255.255.0
  network-object 10.1.202.0 255.255.255.0
  network-object 10.1.203.0 255.255.255.0
  nat (LAN,WAN) source static REGIONAL-SOURCE REGIONAL-NAT
  Here at the results of the "packet-tracer" to show the translations
  ASA(config)# packet-tracer input LAN tcp 10.1.1.100 12345 7.7.7.7 80
  Phase: 4
  Type: NAT
  Subtype:
  Result: ALLOW
  Config:
  nat (LAN,WAN) source static REGIONAL-SOURCE REGIONAL-NAT
  Additional Information:
  Static translate 10.1.1.100/12345 to 10.1.201.100/12345
  ASA(config)# packet-tracer input LAN tcp 10.1.2.100 12345 7.7.7.7 80
  Phase: 4
  Type: NAT
  Subtype:
  Result: ALLOW
  Config:
  nat (LAN,WAN) source static REGIONAL-SOURCE REGIONAL-NAT
  Additional Information:
  Static translate 10.1.2.100/12345 to 10.1.202.100/12345
  ASA(config)# packet-tracer input LAN tcp 10.1.3.100 12345 7.7.7.7 80
  Phase: 4
  Type: NAT
  Subtype:
  Result: ALLOW
  Config:
  nat (LAN,WAN) source static REGIONAL-SOURCE REGIONAL-NAT
  Additional Information:
  Static translate 10.1.3.100/12345 to 10.1.203.100/12345
  As you can see, everything is fine
  Naturally take into consideration the fact that if you were to (for some reason) remove a "network-object" statement from some "object-group" then the operation of the "nat" would change even if you entered the removed "network-object" back. (unless you removed the last "network-object" inside the "object-group") This is because the order of the "network-object" inside the "object-group" would change. You would essentially have to recreate the "object-group" and "nat" configuration.
  Hope this helps
  Please do remember to mark a reply as the correct answer if it answered your question.
  Feel free to ask more if needed
  - Jouni

• ASA 8.2 - Static NAT and Dynamic NAT Policy together

  Hello community,
  I have the following problem using a ASA with version 8.2.
  1) I have this segment on interface Ethernet 0/0: 192.168.1.0/24
  2) Through interface Ethernet 0/1 I will reach several servers using the same source IP, but other servers must be reached using only one IP, for example 192.168.1.70
  so, I have configured a Static NAT Rule from interface Ethernet0/0 to interface Ethernet 0/1 which NAT the source IPs to the same IPs: 192.168.1.0/24->192.168.1.0/24. Also I have configured a Dynamic NAT Policy that states when destination IP is "server list" then all the source IPs must be translated to 192.168.1.70.
  PROBLEM: when testing it...always the static wins....and Dynamic is never analyzed...Also, no priority for the NAT policy and NAT rules can be done on ASDM...what can I do? is there a way to do this on ASDM or CLI? (preferrely at ASDM)
  Thanks for your reply and help!

  Hello community,
  I have the following problem using a ASA with version 8.2.
  1) I have this segment on interface Ethernet 0/0: 192.168.1.0/24
  2) Through interface Ethernet 0/1 I will reach several servers using the same source IP, but other servers must be reached using only one IP, for example 192.168.1.70
  so, I have configured a Static NAT Rule from interface Ethernet0/0 to interface Ethernet 0/1 which NAT the source IPs to the same IPs: 192.168.1.0/24->192.168.1.0/24. Also I have configured a Dynamic NAT Policy that states when destination IP is "server list" then all the source IPs must be translated to 192.168.1.70.
  PROBLEM: when testing it...always the static wins....and Dynamic is never analyzed...Also, no priority for the NAT policy and NAT rules can be done on ASDM...what can I do? is there a way to do this on ASDM or CLI? (preferrely at ASDM)
  Thanks for your reply and help!