01-15-2014 09:32 AM - edited 03-11-2019 08:30 PM
Hi Guys,
We have a public IP pool with a /24 mask, and .14 is being used for dynamic-nat on the ASA for a set of inside hosts.
Now, our other firewall admin introduced a second dmz2 interface (with ip: 192.168.75.1/24) and set up a static-nat for all hosts on subnet 192.168.75.0/24 to access the Internet.
Now the issue I face is that as soon as that static-nat was in place, the dynamic-nat stopped working and all hosts in the subnet
10.96.0.0/11 cannot access the Internet. This is happening on ASA version 8.4(5). Is this normal?
object network net-10.96.0.0-11
subnet 10.96.0.0 255.224.0.0
nat (Internal,outside) dynamic 205.xxx.xxx.14
object network CVH-AD-TEST-LAB1
subnet 192.168.75.0 255.255.255.0
nat (dmz2,outside) static 205.xxx.xxx.30
Thanks
Rizwan Rafeek.
01-15-2014 09:51 AM
Hi,
I am not quite sure why the 2 would have anything to do with each other. They specifically mention the source and destination interface and also the source network.
Can you confirm with "packet-tracer" that a packet through the ASA would be dropped from the Internet network?
Also, there is no real reason to configure the translation as "static". You should use "dynamic" in both as you are attempting to configure Dynamic PAT.
- Jouni
01-15-2014 10:43 AM
Hi Jouni,
Thank you very much for your reply.
"You should use "dynamic" in both as you are attempting to configure Dynamic PAT."
I could not agree with you more on the above line, but you know not all firewall admins have the same level of understanding as to what needs to be done for a given function, unfortunately.
Yes, I did a packet-tracer traversing from internal to outside, destined to a public address such as 4.2.2.2, and it was a complete pass.
I don't have any answer, why this would break the dynamic-nat.
thanks
01-15-2014 11:09 AM
Hi,
Could it be that there were also some other configurations made that could have caused this?
Then again you say that the "packet-tracer" test goes through just fine, so it's pretty strange.
Did you see a Dynamic PAT translation for that traffic in the output? Did it match the configuration you were expecting?
In simple enough firewall environments I tend to configure Dynamic PAT like this for ALL the internal networks
object-group network PAT-SOURCE
network-object
network-object
network-object
network-object
nat (any,outside) after-auto source dynamic PAT-SOURCE interface
Just a basic Dynamic PAT that uses the public IP address on the "outside" interface and accepts the source addresses specified inside the "object-group"; the source interface for them can be "any" (so that we can do Dynamic PAT with one command for all of the internal interfaces).
I am not sure if there is a bug involved with your problem. I had an ASA with 8.4 software just stop performing NAT even though it was using a NAT Pool + PAT overload. It went through the pool and ignored the PAT for no obvious reason.
I am not sure whether a reload at some point would help at all, or trying other NAT configurations for the Internal interface if it's not working at all at the moment.
Have you been able to determine anything from device logs while attempting connection?
- Jouni
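To make Jouni's point concrete (the two object NAT rules name different source interfaces and different source networks, so one should not shadow the other), here is a small model of how an ASA picks a NAT rule for an outbound packet. This is an added example, not code from the thread or from Cisco. The ordering it encodes (Section 1 manual NAT, then Section 2 object NAT with static rules before dynamic ones and longer prefixes first, then Section 3 after-auto NAT) is my reading of the documented ASA 8.3+ behaviour and is an assumption of the model; the rules are the ones posted above, with 205.xxx.xxx.14/.30 left as in the post, and the 10.0.0.0/8 member of PAT-SOURCE is a constructed stand-in for the elided network-object lines.

```python
# Added example: model of ASA NAT rule selection for an outbound packet.
# Ordering assumption (Section 1 manual, Section 2 object NAT sorted
# static-before-dynamic then longest prefix then name, Section 3 after-auto)
# is my understanding of ASA 8.3+, not something stated in the thread.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class NatRule:
    name: str      # object or rule name
    section: int   # 1 = manual, 2 = object (auto) NAT, 3 = after-auto
    kind: str      # "static" or "dynamic"
    src_if: str    # "any" matches every ingress interface
    dst_if: str    # "any" matches every egress interface
    real: ipaddress.IPv4Network   # real (pre-translation) source network
    mapped: str    # mapped address, pool, or "interface"


def auto_nat_order(rule):
    """Sort key for Section 2: static first, then longest prefix, then name."""
    return (0 if rule.kind == "static" else 1, -rule.real.prefixlen, rule.name)


def ordered(rules):
    """Return rules in the order the ASA consults them."""
    s1 = [r for r in rules if r.section == 1]
    s2 = sorted((r for r in rules if r.section == 2), key=auto_nat_order)
    s3 = [r for r in rules if r.section == 3]
    return s1 + s2 + s3


def trace(rules, src_ip, ingress, egress):
    """Walk the ordered rules; return [(rule name, matched?)] for every rule seen
    up to and including the first match, so shadowing is visible."""
    ip = ipaddress.ip_address(src_ip)
    seen = []
    for r in ordered(rules):
        hit = (r.src_if in ("any", ingress)
               and r.dst_if in ("any", egress)
               and ip in r.real)
        seen.append((r.name, hit))
        if hit:
            break
    return seen


def lookup(rules, src_ip, ingress, egress):
    """Return the first matching rule, or None if the packet is untranslated."""
    t = trace(rules, src_ip, ingress, egress)
    if t and t[-1][1]:
        name = t[-1][0]
        return next(r for r in rules if r.name == name)
    return None


# The rules from the thread (object NAT) plus Jouni's after-auto Dynamic PAT.
RULES = [
    NatRule("net-10.96.0.0-11", 2, "dynamic", "Internal", "outside",
            ipaddress.ip_network("10.96.0.0/11"), "205.xxx.xxx.14"),
    NatRule("CVH-AD-TEST-LAB1", 2, "static", "dmz2", "outside",
            ipaddress.ip_network("192.168.75.0/24"), "205.xxx.xxx.30"),
    # PAT-SOURCE member is constructed; the post's network-object lines are blank.
    NatRule("PAT-SOURCE", 3, "dynamic", "any", "outside",
            ipaddress.ip_network("10.0.0.0/8"), "interface"),
]

if __name__ == "__main__":
    for pkt in [("10.96.1.1", "Internal"), ("192.168.75.5", "dmz2"),
                ("10.5.5.5", "Internal"), ("172.16.1.1", "Internal")]:
        print(pkt, "->", trace(RULES, pkt[0], pkt[1], "outside"))
```

Running it shows that the static rule is examined first for a 10.96.x.x host entering on Internal but skipped, because its source interface (dmz2) and source network do not match; the host then hits the dynamic rule exactly as before the change. If a packet-tracer on the real box shows the same, the breakage is not a NAT ordering effect and the logs or other configuration changes are the next place to look, which is the direction the replies above already suggest.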