New Member

NAT Issue

Hi Experts,

 

One of my offices has a Cisco ASA 5510 running IOS 8.4(5). Everything is configured and working fine except the static NAT. I have a block of public IPs, which I used to configure the static NAT. The internal server that is configured with static NAT is not getting internet access or anything else. When I remove the static NAT, the internet works (through the WAN interface IP). The server is placed in the DMZ. I have allowed everything to the server, but it is not working.

 

Regards,

EJAZ

1 ACCEPTED SOLUTION

Super Bronze

Hi,

 

In your case the format for configuring Static NAT for the server would be

 

object network <object name>
 host <server local ip>
 nat (DMZ,Outside) static <public ip address> dns

 

This would bind the local IP address to the public IP address configured on the "nat" command. This would mean that outbound connections would also use this public IP address. If you had a similar Static PAT configuration already then you would not really need that UNLESS you are changing the mapped/local port in the "nat" command.

 

But configuring the Static NAT would already mean that it would override the Dynamic PAT for outgoing connections from this server. Naturally there is a small chance depending on your current complete NAT configuration that even this Static NAT might be overridden but I doubt it. If the above "packet-tracer" is for the DMZ server in question then there should be no problem.

 

- Jouni

19 REPLIES
VIP Green

Would help to see your ASA configuration to identify where the problem is. 

Static NAT can be configured as follows:

object network SERVER
  host 10.10.10.1
  nat (inside,outside) static 11.11.11.1 service tcp 80 80

or

object network SERVER
  host 10.10.10.1

object network SERVER-NAT
  host 11.11.11.1

object service WEB
 service tcp destination eq www

nat (inside,outside) source static SERVER SERVER-NAT service WEB WEB

--

Please remember to select a correct answer and rate helpful posts

New Member

Hi Marius,

Thank you for the reply. Please see attached my config file.

Please note that I have three servers that are configured with static NAT: 172.16.34.1, 172.16.34.2 and 172.16.34.3.

The issue is with 172.16.34.2 and 172.16.34.3 (static NAT is not working for these servers).

 

Regards,

Ejaz

VIP Green

Could you please run the following packet tracer and post the output here

packet-tracer input outside tcp 4.2.2.2 12345 172.16.34.2 80 detail

This should give us an indication of what is causing the packet to drop.

New Member

Hi Marius,

 

Please see below the output:

ASA5510# packet-tracer input outside tcp 4.2.2.2 12345 172.16.34.2 80 detail ?

  xml  Output in xml format
  <cr>
ASA5510# packet-tracer input outside tcp 4.2.2.2 12345 172.16.34.2 80 detail

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xac0381c0, priority=1, domain=permit, deny=false
        hits=16053, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=Outside, output_ifc=any

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   172.16.34.0     255.255.255.0   DMZ

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         Outside

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OUTSIDE_DMZ_ACCESS_IN_ACL in interface Outside
access-list OUTSIDE_DMZ_ACCESS_IN_ACL extended permit tcp any object UCALLTEL-DMZ-A2BILLING01-172.16.34.2 eq www
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xac69f910, priority=13, domain=permit, deny=false
        hits=0, user_data=0xa9862c00, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=172.16.34.2, mask=255.255.255.255, port=80, dscp=0x0
        input_ifc=Outside, output_ifc=any

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xac03ccb0, priority=0, domain=inspect-ip-options, deny=true
        hits=873, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=Outside, output_ifc=any

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xaf133240, priority=70, domain=inspect-http, deny=false
        hits=289, user_data=0xaf132770, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=80, dscp=0x0
        input_ifc=Outside, output_ifc=any

Phase: 7
Type: IDS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xaca29438, priority=50, domain=ids, deny=false
        hits=393, user_data=0xaf58bd60, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=Outside, output_ifc=any

Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xad2d6908, priority=13, domain=ipsec-tunnel-flow, deny=true
        hits=527, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=Outside, output_ifc=any

Phase: 9
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network NAT-INET-UCALLTEL-A2BILLING01-WWW
 nat (DMZ,Outside) static 23.30.88.140 service tcp www www
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0xac4e6ba0, priority=6, domain=nat-reverse, deny=false
        hits=1, user_data=0xac4e5d88, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=172.16.34.2, mask=255.255.255.255, port=80, dscp=0x0
        input_ifc=Outside, output_ifc=DMZ

Result:
input-interface: Outside
input-status: up
input-line-status: up
output-interface: DMZ
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

 

Regards,

Ejaz
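To automate the reading Marius is asking for, here is an added example (not from the thread and not Cisco code): a small Python parser for the "packet-tracer ... detail" output that returns the final action, the first dropping phase, the drop reason, and the NAT rules and translations the flow matched. The embedded trace is a constructed, shortened copy of the rpf-check drop above with the public IP masked as x.x.x.x.

```python
"""Parse Cisco ASA 'packet-tracer ... detail' output into phases and report
where (and on which NAT rule) the packet was dropped. Added example, not from
the thread; SAMPLE_TRACE is a constructed, shortened copy of the rpf-check
drop posted above, with the public address masked as x.x.x.x."""

SAMPLE_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   172.16.34.0     255.255.255.0   DMZ

Phase: 2
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network NAT-INET-UCALLTEL-A2BILLING01-WWW
 nat (DMZ,Outside) static x.x.x.x service tcp www www
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0xac4e6ba0, priority=6, domain=nat-reverse, deny=false

Result:
input-interface: Outside
output-interface: DMZ
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


def parse_trace(text):
    """Return (phases, verdict): one dict per 'Phase:' block plus the final 'Result:' block."""
    phases, verdict, cur, section = [], {}, None, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        key, _, val = line.partition(":")
        if key == "Phase":
            cur = {"number": int(val), "config": [], "info": []}
            phases.append(cur)
            section = None
        elif line == "Result:":            # bare "Result:" opens the final verdict block
            cur, section = verdict, "verdict"
        elif cur is None:
            continue
        elif section == "verdict":
            cur[key] = val.strip()
        elif line in ("Config:", "Additional Information:"):
            section = "config" if key == "Config" else "info"
        elif section:
            cur[section].append(line)
        elif key in ("Type", "Subtype", "Result"):
            cur[key.lower()] = val.strip()
    return phases, verdict


def diagnose(text):
    """Summarise a trace: final action, first DROP phase, drop reason, and the NAT
    rules the packet matched (plus any translation lines, e.g. 'Untranslate ...')."""
    phases, verdict = parse_trace(text)
    drop = next((p for p in phases if p.get("result") == "DROP"), None)
    nat = [p for p in phases if p.get("type") in ("NAT", "UN-NAT")]
    return {
        "action": verdict.get("Action"),
        "drop_phase": None if drop is None else f"{drop['number']} {drop['type']}/{drop['subtype']}",
        "reason": verdict.get("Drop-reason"),
        "nat_rules": [l for p in nat for l in p["config"] if l.startswith("nat ")],
        "translations": [l for p in nat for l in p["info"] if "translate" in l.lower()],
    }


if __name__ == "__main__":
    for k, v in diagnose(SAMPLE_TRACE).items():
        print(f"{k}: {v}")
```

Run it against the second trace in this thread (the one with the public IP) and "translations" will carry the "Untranslate x.x.x.x/80 to 172.16.34.2/80" line while "drop_phase" stays None.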

VIP Green

Could you please run the packet tracer again, but this time exchange the 172.16.34.2 address with the translated (public) IP.

New Member

Hi Marius,

Please see the output below; I have changed the IP to the NATed public IP:

 

ASA5510# packet-tracer input outside tcp 4.2.2.2 12345 x.x.x.x 80 detail

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network NAT-INET-UCALLTEL-A2BILLING01-WWW
 nat (DMZ,Outside) static x.x.x.x service tcp www www
Additional Information:
NAT divert to egress interface DMZ
Untranslate x.x.x.x/80 to 172.16.34.2/80

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         Outside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OUTSIDE_DMZ_ACCESS_IN_ACL in interface Outside
access-list OUTSIDE_DMZ_ACCESS_IN_ACL extended permit tcp any object UCALLTEL-DMZ-A2BILLING01-172.16.34.2 eq www
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xac69f910, priority=13, domain=permit, deny=false
        hits=2, user_data=0xa9862c00, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=172.16.34.2, mask=255.255.255.255, port=80, dscp=0x0
        input_ifc=Outside, output_ifc=any

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xac03ccb0, priority=0, domain=inspect-ip-options, deny=true
        hits=7296, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=Outside, output_ifc=any

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xaf133240, priority=70, domain=inspect-http, deny=false
        hits=358, user_data=0xaf132770, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=80, dscp=0x0
        input_ifc=Outside, output_ifc=any

Phase: 6
Type: IDS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xaca29438, priority=50, domain=ids, deny=false
        hits=701, user_data=0xaf58bd60, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=Outside, output_ifc=any

Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xad2d6908, priority=13, domain=ipsec-tunnel-flow, deny=true
        hits=2432, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=Outside, output_ifc=any

Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network NAT-INET-UCALLTEL-A2BILLING01-WWW
 nat (DMZ,Outside) static x.x.x.x service tcp www www
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0xac4e6ba0, priority=6, domain=nat-reverse, deny=false
        hits=3, user_data=0xac4e5d88, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=172.16.34.2, mask=255.255.255.255, port=80, dscp=0x0
        input_ifc=Outside, output_ifc=DMZ

Phase: 9
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0xaf119ad8, priority=0, domain=user-statistics, deny=false
        hits=987, user_data=0xaf144310, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=any, output_ifc=DMZ

Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0xac0ef7b8, priority=0, domain=inspect-ip-options, deny=true
        hits=812, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=DMZ, output_ifc=any

Phase: 11
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 out id=0xaf118a48, priority=0, domain=user-statistics, deny=false
        hits=4656, user_data=0xaf144310, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=any, output_ifc=Outside

Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 31936, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_inspect_http
snp_fp_translate
snp_ids
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_inspect_http
snp_ids
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: Outside
input-status: up
input-line-status: up
output-interface: DMZ
output-status: up
output-line-status: up
Action: allow

 

Regards,

Ejaz

VIP Green

As per the packet tracer, the traffic flow is allowed through the ASA. Have you made sure that the server is correctly configured, and that the traffic is being switched/routed correctly from the ASA to the server?

New Member

Hi Marius,

 

Thank you for the reply. As of now our development team is working on the server and it is not connected to the network. Once it is connected, I will let you know the status.

Also, can you give advice on the issue below:

In the same firewall configuration I mentioned earlier, there is no NAT issue with the server 172.16.34.1. Only certain ports are forwarded to the server. I can connect via SIP to the NATed public IP of this server and everything works fine for inbound traffic. But when a connection goes from the server (i.e. outbound), the server is using the firewall's WAN interface IP instead of its NAT IP. Why is it going like that? How can we change that?

 

Regards,

Ejaz

Super Bronze

Hi,

 

You say that you have forwarded the required ports to the server so that inbound connections from the external networks can reach the server but that the problem is when the server opens outbound connections to the external networks? It uses a different public IP address?

 

The main question here is if any other device uses the public IP address that you have used to forward the ports (Static PAT)? If the public IP address used in the Static PAT configurations for the server is only used for that specific server then you should really change the Static PAT to Static NAT, which would in turn mean that the server would use that public IP address for ALL outbound connections. At the same time it would also allow connections on any port inbound for the server. (What is allowed is naturally determined by your interface ACL, but what I mean is that you would not need any additional NAT configurations to allow connections to some port, only the ACL rule.)

 

Hope this helps :)

 

- Jouni

New Member

Hi Jouni,

Thank you for the reply.

 

The NATed IP is only used by the server.

Let me know for any further queries.

 

Regards,

Ejaz

VIP Green

When you say going outbound do you mean internet traffic?

You could run the packet-tracer again to see which NAT it is matching (my assumption is that it is matching the dynamic NAT statement you have configured).

packet-tracer input outside tcp 172.16.34.2 12345 4.2.2.2 80 detail

I am thinking that the NAT statement is trying to match on the source port, and since the PC is sending with a random high port number it won't match and will therefore default to the dynamic NAT statement.

Also, could you post your configuration again? I do not see it where you posted it earlier.

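A simplified model of the ASA (8.3+) section-2 object NAT rule selection that Jouni and Marius describe above, as an added example (not Cisco code and not from the thread): it shows the port-restricted static PAT failing to match the server's random-source-port outbound connection, so the subnet's "dynamic interface" PAT wins and the WAN interface IP is used, while a plain static NAT matches any port outbound and also un-NATs any port inbound (the interface ACL then decides). Object names come from the traces in this thread; the public addresses 203.0.113.x, the ordering rules and the object for the plain static NAT are constructed for the illustration.

```python
"""Simplified model of how an ASA (8.3+) picks a section-2 (object) NAT rule,
showing why a port-restricted static PAT does not cover the server's outbound
connections while a plain static NAT does.  Added example, not Cisco code and
not from the thread; the ordering rules are simplified and the public
addresses 203.0.113.x are constructed stand-ins for the masked x.x.x.x."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class ObjectNat:
    name: str                        # object network <name>
    real: str                        # host/32 or subnet the object covers
    real_ifc: str
    mapped_ifc: str
    kind: str                        # "static" or "dynamic"
    mapped: str                      # public IP, or "interface" for dynamic interface PAT
    proto: Optional[str] = None      # service <proto> <real_port> <mapped_port>
    real_port: Optional[int] = None
    mapped_port: Optional[int] = None


def order_key(rule):
    """Section-2 order: static before dynamic, fewer real addresses first, then by name."""
    return (0 if rule.kind == "static" else 1, ip_network(rule.real).num_addresses, rule.name)


def translate_outbound(rules, src_ip, src_port, proto="tcp", in_ifc="DMZ",
                       out_ifc="Outside", ifc_ip="203.0.113.1"):
    """Forward NAT for a connection the real host initiates: first matching rule wins."""
    for r in sorted(rules, key=order_key):
        if (in_ifc, out_ifc) != (r.real_ifc, r.mapped_ifc):
            continue
        if ip_address(src_ip) not in ip_network(r.real):
            continue
        # A service clause only matches when the real source port is the listed one,
        # so a random high port falls through to the next rule (the dynamic PAT).
        if r.real_port is not None and (proto, src_port) != (r.proto, r.real_port):
            continue
        mapped_ip = ifc_ip if r.mapped == "interface" else r.mapped
        mapped_port = src_port if r.mapped_port is None else r.mapped_port
        return r.name, mapped_ip, mapped_port   # dynamic PAT keeps the port if free
    return None, src_ip, src_port


def untranslate_inbound(rules, dst_ip, dst_port, proto="tcp", in_ifc="Outside", out_ifc="DMZ"):
    """UN-NAT for a connection from outside to a mapped address (static rules only)."""
    for r in sorted(rules, key=order_key):
        if r.kind != "static" or (in_ifc, out_ifc) != (r.mapped_ifc, r.real_ifc):
            continue
        if dst_ip != r.mapped:
            continue
        real_ip = r.real.split("/")[0]          # host objects only in this model
        if r.mapped_port is None:               # plain static NAT: any port is un-NATed;
            return r.name, real_ip, dst_port    # the interface ACL then decides
        if (proto, dst_port) == (r.proto, r.mapped_port):
            return r.name, real_ip, r.real_port
    return None, dst_ip, dst_port


# Constructed objects modelled on the traces above: the subnet's dynamic interface PAT,
# the server's static PAT for www, and (constructed name) Jouni's plain static NAT.
SUBNET_PAT = ObjectNat("UCALLTEL-DMZ-172.16.34.0", "172.16.34.0/24", "DMZ", "Outside",
                       "dynamic", "interface")
SERVER_PAT = ObjectNat("NAT-INET-UCALLTEL-A2BILLING01-WWW", "172.16.34.2/32", "DMZ", "Outside",
                       "static", "203.0.113.10", "tcp", 80, 80)
SERVER_NAT = ObjectNat("NAT-INET-UCALLTEL-A2BILLING01", "172.16.34.2/32", "DMZ", "Outside",
                       "static", "203.0.113.10")

if __name__ == "__main__":
    for rules in ([SUBNET_PAT, SERVER_PAT], [SUBNET_PAT, SERVER_NAT]):
        print(translate_outbound(rules, "172.16.34.2", 45000), untranslate_inbound(rules, "203.0.113.10", 22))
```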
New Member

Hi

 

Please see below output:

 

ASA5510# packet-tracer input outside tcp 172.16.34.2 12345 4.2.2.2 80 detail

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         Outside

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   172.16.34.0     255.255.255.0   DMZ

Result:
input-interface: Outside
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (rpf-violated) Reverse-path verify failed

 

Also I have attached the configuration file.

 

Regards,

Ejaz

 

VIP Green

Sorry I was a little fast with my copy/paste. Could you please re-run the packet tracer.

packet-tracer input DMZ tcp 172.16.34.2 12345 4.2.2.2 80 detail

New Member

Hi Marius,

 

Please see the output below:

ASA5510# packet-tracer input DMZ tcp 172.16.34.2 12345 4.2.2.2 80 detail

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         Outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group DMZ_ACCESS_IN_ACL in interface DMZ
access-list DMZ_ACCESS_IN_ACL extended permit tcp object UCALLTEL-DMZ-172.16.34.0 any eq www
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xac8f43a8, priority=13, domain=permit, deny=false
        hits=70, user_data=0xa9861c80, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
        src ip/id=172.16.34.0, mask=255.255.255.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=80, dscp=0x0
        input_ifc=DMZ, output_ifc=any

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xac0ef7b8, priority=0, domain=inspect-ip-options, deny=true
        hits=3138, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=DMZ, output_ifc=any

Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xaf10e9e0, priority=70, domain=inspect-http, deny=false
        hits=71, user_data=0xaf132770, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=80, dscp=0x0
        input_ifc=DMZ, output_ifc=any

Phase: 5
Type: IDS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xaee1b6b8, priority=50, domain=ids, deny=false
        hits=779, user_data=0xaf58bd60, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=DMZ, output_ifc=any

Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
object network UCALLTEL-DMZ-172.16.34.0
 nat (DMZ,Outside) dynamic interface
Additional Information:
Dynamic translate 172.16.34.2/12345 to x.30.x.x/12345
 Forward Flow based lookup yields rule:
 in  id=0xac498108, priority=6, domain=nat, deny=false
        hits=43994, user_data=0xac497728, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=172.16.34.0, mask=255.255.255.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=DMZ, output_ifc=Outside

Phase: 7
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0xaf118a48, priority=0, domain=user-statistics, deny=false
        hits=14402, user_data=0xaf144310, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=any, output_ifc=Outside

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0xac03ccb0, priority=0, domain=inspect-ip-options, deny=true
        hits=17760, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=Outside, output_ifc=any

Phase: 9
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 out id=0xaf119ad8, priority=0, domain=user-statistics, deny=false
        hits=3397, user_data=0xaf144310, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=any, output_ifc=DMZ

Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 139995, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_inspect_http
snp_fp_translate
snp_ids
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_inspect_http
snp_ids
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: DMZ
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: allow

 

Regards,

Ejaz

New Member

Hi Jouni,

 

Great help!!!!! It worked.

Now the server connections are going with NATed Public IP.

Thank you so much for your help.

I have one more issue that needs to be resolved. Some other teams are currently working on the server; once they are done with the server I need to check on that.

Marius is also helping me on that.

 

Regards,

Ejaz

New Member

Hi Jouni,

I really appreciate the replies.

You can check the configuration file I have attached.

 

Regards,

Ejaz

New Member

Hi Jouni,

We still have the issue :(

I have configured three static NATs in the firewall; only one is working correctly.

When I remove the static NAT for the other two, the connections from the servers go out with the WAN IP and everything works.

With the static NAT, no traffic goes outside from the two servers (the ones having the issue).

Please help

 

Regards,

Ejaz

 

New Member

Hi Marius,

From the output it shows that the connection is going outside with the firewall's interface IP. I have configured the command provided by Jouni Forss.

Now the outbound connection from the server is also going with the NATed public IP. Thank you so much for the help; I really appreciate it.

 

Ejaz

 

 
