ASA Dynamic NAT problems after config of statics

Unanswered Question
May 26th, 2010
User Badges:


I'm configuring a asa 5510.

I have a dynamic NAT rule configured:


global (outside) 1 interface

On the interface of the outside the IP adress is configured.

With only this config the PAT translation works between the inside and outside interface. inside network is the network.

If I try the packet trace with the inside address tot the outside interface

Now I configured an additional static nat entry on the inside interface to the outside interface.

static (inside,outside) netmask

The static is working, but the dynamic not more!?

It is not working according the packet trace, it fails in the nat translation.

Anyone encountered this problem? I'm running version 8.2(2).



  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Federico Coto F... Wed, 05/26/2010 - 13:32
User Badges:
  • Green, 3000 points or more


If you remove the static it works again?

no static (inside,outside)

The static should not affect the dynamic NAT since the static only affects traffic to using IP

Can you try it again?


m.slotboom Wed, 05/26/2010 - 13:50
User Badges:

Yes correct.

when I remove the static it works again.

It must indeed not affect the dynamic rule, but some how it does.

I've tried a clear xlate but with no effect.

Best regards,


Federico Coto F... Wed, 05/26/2010 - 14:53
User Badges:
  • Green, 3000 points or more

If the outside IP of the ASA is, then using on the static NAT is no problem.

How about you try creating a different static using a different IP 192.168.1.x?  same result?


m.slotboom Thu, 05/27/2010 - 14:58
User Badges:

The problem is solved.

It was the syntax of the packet tracer.

it was not a physical problem.

When I do a packet trace from the ASDM for IP traffic

It sends a 'rawip' command, this doesn't work for a PAT translate.

Because a PAT translate needs udp or tcp ports before it can translate.

But I can't find it in any documentation and in the SNAF and SNAA courses it is not mentioned.

I found it after a TAC request to Cisco.




This Discussion