ASA - manual NAT policy conflict
I have 2 ASA5510 devices running 8.3(1).
On one of the ASAs I am running an AUTO NAT policy to dynamically NAT all my LAN addresses to a global address. I am then running a Manual Static NAT for a server on the LAN. With this setup, I have no problems whatsoever and NAT is working flawlessly.
However, on a second ASA, we had another guy set up a manual NAT policy to dynamically NAT the LAN subnet to a global address. When I set up my static NAT for the server I am not getting any hits on my NAT. And this server is actually being NAT'd by the original manual NAT policy.
Is there a way for me to get this working with 2 manual NAT Policies? Or do I just need to reconfigure the dynamic AUTO NAT policy and then create my manual policy?
I can provide configs if needed.
Comments
flipmad Member Posts: 184
I believe I have found the reason.
My manual NAT policy is working because the static NAT is taking place in Section 1
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static INTNAT EXTNAT
translate_hits = 4654, untranslate_hits = 272
Auto NAT Policies (Section 2)
1 (any) to (outside) source dynamic internal x.x.x.x
translate_hits = 37869533, untranslate_hits = 3039098
But when I have the 2 Manual Policies, the dynamic NAT is already translating the address, so it never even hits the static NAT policy:
Manual NAT Policies (Section 1)
1 (inside) to (outside) source dynamic any NAT
translate_hits = 22380064, untranslate_hits = 2091514
2 (inside) to (outside) source static INTNAT EXTNAT
translate_hits = 0, untranslate_hits = 77
Here's my solution:
Remove the Dynamic Manual NAT and create an AUTO NAT policy like the one above.
Can I also delete the 2 Manual policies and just put the static NAT 1st and the dynamic next, so it will change the order, basically giving the static NAT the "1" or first translation precedence?
shednik Member Posts: 2,005
If I'm reading what you have right then it's hitting NAT 1 and applying that NAT policy instead of its static entry. Your plan should work, but flipping the order will work as well. I'd personally mirror the setup you used on your primary ASA.
HTH
joe
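The two fixes discussed in the thread, written out as an added ASA 8.3 configuration example (not the configs from either poster): the ordering that starves the static rule, then the reordered manual NAT, then the Auto NAT variant used on the first ASA. The object names INTNAT, EXTNAT and NAT are taken from the `show nat` output above; the addresses, the LAN object and the interface names are constructed for the example.

```text
! --- Constructed objects (addresses are documentation ranges, not the poster's) ---
object network INTNAT
 host 10.0.0.10
object network EXTNAT
 host 203.0.113.10
object network LAN
 subnet 10.0.0.0 255.255.255.0
object network NAT
 host 203.0.113.1

! --- Ordering that reproduces the problem ---
! Both rules are manual NAT (Section 1), evaluated top-down, first match wins.
! "source dynamic any NAT" matches the server too, so the static rule
! below it never gets a translate hit (translate_hits = 0 in show nat).
nat (inside,outside) source dynamic any NAT
nat (inside,outside) source static INTNAT EXTNAT

! --- Fix 1: keep two manual rules, but put the static one first ---
! Remove the existing rules, then insert the static rule at line 1.
no nat (inside,outside) source dynamic any NAT
no nat (inside,outside) source static INTNAT EXTNAT
nat (inside,outside) 1 source static INTNAT EXTNAT
nat (inside,outside) source dynamic LAN NAT

! --- Fix 2: mirror the first ASA (static manual NAT + Auto NAT) ---
! Auto NAT lives in Section 2, so the Section 1 static rule is always
! checked first and the dynamic rule only catches the remaining hosts.
no nat (inside,outside) source dynamic LAN NAT
object network LAN
 nat (inside,outside) dynamic 203.0.113.1

! --- Verify: the static rule should now show non-zero translate_hits ---
show nat
show nat detail
```

After either fix, the static entry for the server must sit above any dynamic rule that could match it; `show nat` lists the sections in evaluation order, so a rule whose `translate_hits` stays at 0 while a broader rule above it keeps counting is the signature of this shadowing problem.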