Static NAT breaks dynamic NAT, is this normal?

rizwanr74
Level 7

Hi Guys,

We have a public IP pool with a /24 mask, and .14 is being used for dynamic NAT on the ASA for a set of inside hosts.

Now, our other firewall admin introduced a second DMZ interface, dmz2 (with IP 192.168.75.1/24), and set up a static NAT for all hosts on subnet 192.168.75.0/24 to access the Internet.

Now the issue I face is that as soon as that static NAT was in place, the dynamic NAT stopped working and all hosts in the subnet 10.96.0.0/11 cannot access the Internet. This is happening on ASA version 8.4(5). Is this normal?

object network net-10.96.0.0-11
 subnet 10.96.0.0 255.224.0.0
 nat (Internal,outside) dynamic 205.xxx.xxx.14

object network CVH-AD-TEST-LAB1
 subnet 192.168.75.0 255.255.255.0
 nat (dmz2,outside) static 205.xxx.xxx.30

Thanks

Rizwan Rafeek.


3 Replies

Jouni Forss
VIP Alumni

Hi,

I am not quite sure why the two would have anything to do with each other. They specifically mention the source and destination interface and also the source network.

Can you confirm with "packet-tracer" that a packet through the ASA would be dropped from the Internet network?

Also, there is no real reason to configure the translation as "static". You should use "dynamic" in both as you are attempting to configure Dynamic PAT.

- Jouni

Hi Jouni,

Thank you very much for your reply.

"You should "dynamic" in both as you are attempting to configure Dynamic PAT."


I could not agree with you more on the above line, but you know not all firewall admins have the same level of understanding as to what needs to be done for a given function, unfortunately.

Yes, I did a packet-tracer traversing from Internal to outside, destined to a public address such as 4.2.2.2, and it was a complete pass.

I don't have any answer, why this would break the dynamic-nat.

Thanks
Hi,

Could it be that there were also some other configurations made that could have caused this?

Then again, you say that the "packet-tracer" test goes through just fine, so it's pretty strange.

Did you see a Dynamic PAT translation for that traffic in the output? Did it match the configuration you were expecting?

In simple enough firewall environments I tend to configure Dynamic PAT like this for ALL the internal networks:

object-group network PAT-SOURCE
 network-object
 network-object
 network-object
 network-object

nat (any,outside) after-auto source dynamic PAT-SOURCE interface

Just a basic Dynamic PAT that uses the public IP address on the "outside" interface and accepts the source addresses specified inside the "object-group"; the source interface for them can be "any" (so that we can do Dynamic PAT with one command for all of the internal interfaces).

I am not sure if there is a bug involved with your problem. I had an ASA with 8.4 software just stop performing NAT even though it was using a NAT Pool + PAT overload. It went through the pool and ignored the PAT for no obvious reason.

I am not sure whether a reload at some point would help at all, or trying other NAT configurations for the Internal interface if it's not working at all at the moment.

Have you been able to determine anything from device logs while attempting connection?

- Jouni
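As an added illustration (not part of the thread or of any Cisco tool), the following Python model applies the ASA NAT table ordering that Jouni's "after-auto" rule relies on to the two object NAT rules from the original post. It assumes the documented order of Section 1 (manual NAT), Section 2 (object NAT, static before dynamic, then fewer real addresses first), and Section 3 (after-auto manual NAT), uses a placeholder public prefix, and deliberately models only source interface and real source network matching.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class NatRule:
    name: str      # object name (auto NAT) or a label (manual NAT)
    src_if: str    # real source interface; "any" matches every interface
    real: str      # real (pre-translation) source network in CIDR form
    kind: str      # "static" or "dynamic"
    section: int   # 1 = manual NAT, 2 = object NAT, 3 = after-auto manual NAT
    mapped: str    # mapped address, or "interface" for interface PAT


def section2_sort_key(rule: NatRule):
    """ASA orders Section 2 (object NAT) rules: static before dynamic, then
    fewer real addresses first, then lower real address first, then object name."""
    net = ipaddress.ip_network(rule.real)
    return (rule.kind != "static", net.num_addresses,
            int(net.network_address), rule.name)


def order_nat_table(rules):
    """Rules in ASA evaluation order: Section 1, sorted Section 2, Section 3.
    Sections 1 and 3 keep their configured order."""
    s1 = [r for r in rules if r.section == 1]
    s2 = sorted((r for r in rules if r.section == 2), key=section2_sort_key)
    s3 = [r for r in rules if r.section == 3]
    return s1 + s2 + s3


def match_nat(rules, src_if: str, src_ip: str):
    """First rule whose source interface and real network match, or None
    (None means the packet would leave untranslated)."""
    ip = ipaddress.ip_address(src_ip)
    for r in order_nat_table(rules):
        if r.src_if in ("any", src_if) and ip in ipaddress.ip_network(r.real):
            return r
    return None


# The two object NAT rules from the post; 205.x.x.* is a placeholder prefix.
RULES = [
    NatRule("net-10.96.0.0-11", "Internal", "10.96.0.0/11", "dynamic", 2, "205.x.x.14"),
    NatRule("CVH-AD-TEST-LAB1", "dmz2", "192.168.75.0/24", "static", 2, "205.x.x.30"),
]

# Constructed after-auto catch-all in the style Jouni describes; the
# 10.0.0.0/8 member is an assumption, since the thread elides the group members.
AFTER_AUTO = NatRule("PAT-SOURCE", "any", "10.0.0.0/8", "dynamic", 3, "interface")
```

Because the static rule is keyed to dmz2 and 192.168.75.0/24, a packet from 10.96.0.0/11 on Internal still lands on the dynamic rule in this model, which is Jouni's point that the two rules should not interact.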
