NAT working but PAT not.

Unanswered Question
Sep 27th, 2010
User Badges:

With the below given configuration on my pix firewall, NAT is working properly and three local ip get mapped to x.x.x.43-45 public ips but PAT is not working.

ip address ouside x.x.x.42

ip address inside

global(outside) 1 x.x.x.43-x.x.x.45

global(outside) 1 x.x.x.46

nat (inside) 1 0 0

      Whats wrong with my entries, please lead me in right direction.


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Diego Armando C... Mon, 09/27/2010 - 10:10
User Badges:
  • Bronze, 100 points or more

Your PAT configuration seems to be the right.

Could you add a show run interface and a show run nat and a show run global?

Just to check everything.

Jay Johnston Mon, 09/27/2010 - 11:11
User Badges:
  • Cisco Employee,


     When inside hosts are subjected to NAT on the firewall, the firewall will first try to exhaust the one-to-one mapping specified by your range of global IPs. Only when a fourth inside host attempts a connection outbound will the firewall create a PAT translation. You said you had three inside PCs, and that would account for why the PAT entry is not being used.

Basically, the firewall only uses the dynamic PAT ips if it must, and tries to use the static nat entries if there are some free.

- Jay

Diego Armando C... Mon, 09/27/2010 - 14:07
User Badges:
  • Bronze, 100 points or more

ishesh kumar do you have only 3 host in the inside. If that so you do not need the PAT because every host has an ip available the PAT in this case is gonna work when the pool is full. Just like Jay said

vnix18227 Mon, 09/27/2010 - 21:02
User Badges:

No my network not have only three host but more than 15 host are there. Since i have only four public ips so i can't use one to one NAT .


Jay Johnston Tue, 09/28/2010 - 06:18
User Badges:
  • Cisco Employee,


The output of 'show xlate' or 'show xlate detail' (depending on the ASA version) would indicate what xlates are built using which global IPs.

Also, checking the syslogs for messages around the time that the hosts attempt an outbound connection might show more about what is going wrong.

- Jay


This Discussion

Related Content