Cisco Support Community

New Member

Unable to PAT


We are using ASA 7.1(2). I am unable to make dynamic translation in the firewall; it prompts me with the error "INFO: Global address overlaps with NAT exempt configuration".

Now I have NAT 0 configured by calling the respective extended ACL on a specific source and destination [nat (inside) 0 access-list nonatinside], and nowhere is there a match to later addresses.

Can anyone please let me know the sequence taken by NAT translation in ASA?

Request your kind help.




Re: Unable to PAT


Can you post your current config - as there would appear to be a config error.


New Member

Re: Unable to PAT

Hi Andrew

The problem is resolved for NAT... Now one more issue came up, i.e. if we have icmp permit any any in the nonatinside ACL created for nat 0, then the inside addresses are not NATing, but as soon as we remove the icmp permit ACL from the nonatinside access-group it starts working for me.....

Can anyone help in guiding this in detail?

- Piyush (on behalf of amol)

Re: Unable to PAT

Post your no-nat and your static and dynamic NAT statements for review?

New Member

Re: Unable to PAT


global(outside) 13 x.x.x.x netmask

nat (inside) 0 access-list nonatinside

nat (inside) 13 access-list testing

access-list testing extended permit ip object-group inside-users object-group mpls-destination

access-list nonatinside extended permit ip host host

access-list nonatinside extended permit icmp any any echo

access-list nonatinside extended permit icmp any any echo-reply

Now the scenario is that we have 2 different locations. When 1 site communicates with the other site the traffic shouldn't be natted as it goes through metroethernet. But when the inside user needs to access the traffic that is on the internet it should be natted.

What happens is that the traffic for the internet host doesn't get natted... to get it natted I need to place a deny ACL above the icmp ACL in nonatinside for that particular internet destination. Which shouldn't happen, as there is a default deny at the end of the ACL; if the traffic doesn't match it should get NAT to go outside to the internet host on MPLS. But as soon as I remove the icmp ACLs from the nonatinside ACL everything works fine....

So my question is whether it is the icmp ACL which is creating the problem. I know that the icmp ACL is not required in the nonatinside ACL, but still, as it's for icmp it shouldn't affect the IP traffic.

--- Piyush
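
The behaviour described in the post above, as an added example that is not part of the original thread: a small Python model of first-match evaluation of the `nonatinside` ACL under two readings, strict protocol matching and address-only matching. That NAT exemption compares addresses only and ignores the ICMP qualifier is an assumption here (it is the reading that reproduces all three observations in the post); the host addresses are constructed placeholders for the elided ones.

```python
# Added illustration, not from the thread. Addresses are constructed
# (RFC 5737 documentation ranges); the ACL mirrors the posted nonatinside.
from ipaddress import ip_address, ip_network


def ace(action, proto, src, dst):
    return {"action": action, "proto": proto,
            "src": ip_network(src), "dst": ip_network(dst)}


def nat_exempt(acl, proto, src, dst, addresses_only):
    """First-match walk of a nat 0 ACL; True means the flow skips translation.

    addresses_only=True models the ASSUMPTION that NAT exemption ignores the
    protocol/ICMP-type qualifier and compares source and destination only.
    """
    for entry in acl:
        proto_ok = addresses_only or entry["proto"] in ("ip", proto)
        if (proto_ok and ip_address(src) in entry["src"]
                and ip_address(dst) in entry["dst"]):
            return entry["action"] == "permit"
    return False  # implicit deny: flow falls through to nat (inside) 13


posted = [
    ace("permit", "ip", "192.0.2.10/32", "198.51.100.20/32"),  # site to site
    ace("permit", "icmp", "0.0.0.0/0", "0.0.0.0/0"),           # any any echo
    ace("permit", "icmp", "0.0.0.0/0", "0.0.0.0/0"),           # any any echo-reply
]
# The poster's workaround: a deny for the internet host above the icmp lines.
with_deny = (posted[:1]
             + [ace("deny", "ip", "0.0.0.0/0", "203.0.113.5/32")]
             + posted[1:])
# The poster's other fix: icmp lines removed from the ACL.
without_icmp = posted[:1]


def internet_flow_exempt(acl, addresses_only):
    # Constructed TCP flow from an inside user to an internet host.
    return nat_exempt(acl, "tcp", "192.0.2.50", "203.0.113.5", addresses_only)


if __name__ == "__main__":
    for name, acl in [("posted", posted), ("deny above icmp", with_deny),
                      ("icmp removed", without_icmp)]:
        print(f"{name}: strict={internet_flow_exempt(acl, False)} "
              f"addresses-only={internet_flow_exempt(acl, True)}")
```

Under the address-only reading the two `icmp any any` lines behave like `ip any any`, so every inside flow is exempted unless an earlier deny or the removal of those lines stops the match.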

New Member

Re: Unable to PAT

no replies from anyone......