RE: NAT question on ASA 8.3 or above

From: Brian McGahan <bmcgahan_at_ine.com>
Date: Wed, 31 Jul 2013 12:24:54 -0500

The "manual nat" is also called "twice nat". The "auto nat" is also called "object nat". With your config you're trying to do object NAT. If you look at the "show nat" output it'll tell you the order in which your statements are processed. Also if you use packet-tracer it'll tell you what the full result of the flow is, and whether or not the translation happened correctly.

Which is your private address you're trying to come from and what's the public address you're trying to translate to? If I'm reading your statements correctly then you have the order backwards in your config.

Brian McGahan, 4 x CCIE #8593 (R&S/SP/SC/DC), CCDE #2013::13
bmcgahan_at_INE.com
Internetwork Expert, Inc.
http://www.INE.com

-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Henrique Reis
Sent: Wednesday, July 31, 2013 9:31 AM
To: Myung-Soo Ko
Cc: Marc La Porte; Ryan West; Sadiq Yakasai; Cisco certification
Subject: Re: NAT question on ASA 8.3 or above

Myung,

On versions post 8.3, NAT is divided into 3 sections, and each section has its priority over the other.

Below are the sections:

Manual NAT Policies (Section 1)
Auto NAT Policies (Section 2)
Manual NAT [with command "after auto"] Policies (Section 3)

Please see if you don't have any manual NAT.

Thanks,
Henrique Reis

On Wed, Jul 31, 2013 at 11:06 AM, Myung-Soo Ko <bacchus21_at_gmail.com> wrote:

> Hello, all
>
> Thank you so much for the replies.
>
> I don't have any other NAT statements. If you say the order could be
> important, which one should come first? Please advise.
>
> Regards,
> ----------------------------------------------
> "An open mind opens doors."
> Myung-Soo Ko
>
>
> On Wed, Jul 31, 2013 at 10:56 PM, Marc La Porte <marc.a.laporte_at_gmail.com> wrote:
>
> > Do you have other types of NAT statements, as then the order could
> > be important
> >
> > On Wed, Jul 31, 2013 at 2:51 PM, Ryan West <rwest_at_zyedge.com> wrote:
> >
> >> Probably have a dynamic nat before your static. Does it work for inbound,
> >> but not outbound?
> >>
> >> Sent from handheld.
> >>
> >> On Jul 31, 2013, at 8:31 AM, "Sadiq Yakasai" <sadiqtanko_at_gmail.com>
> >> wrote:
> >>
> >> > Hi Myung-Soo,
> >> >
> >> > Your config looks good to me. See below a similar one I tested some time
> >> > back.
> >> >
> >> > Perhaps something else on the configuration is interfering here? Can we see
> >> > full configuration?
> >> >
> >> > HTH,
> >> > Sadiq
> >> >
> >> > ASA5585(config)# sh run obje
> >> > ASA5585(config)# sh run object
> >> > object network NATTED_SUBNET
> >> >  subnet 10.82.6.128 255.255.255.192
> >> > object network INSIDE_SUBNET
> >> >  subnet 10.82.6.0 255.255.255.192
> >> > ASA5585(config)# sh run nat
> >> > !
> >> > object network INSIDE_SUBNET
> >> >  nat (inside,outside) static NATTED_SUBNET
> >> > ASA5585(config)# sh nat
> >> >
> >> > Auto NAT Policies (Section 2)
> >> > 1 (inside) to (outside) source static INSIDE_SUBNET NATTED_SUBNET
> >> >     translate_hits = 2804, untranslate_hits = 2785
> >> > ASA5585(config)# sh ver
> >> >
> >> > Cisco Adaptive Security Appliance Software Version 8.4(2)11
> >> > Device Manager Version 6.3(5)
> >> >
> >> >
> >> >
> >> >
> >> > On Wed, Jul 31, 2013 at 11:08 AM, Myung-Soo Ko <bacchus21_at_gmail.com> wrote:
> >> >
> >> >> Hello, Group
> >> >>
> >> >> I'm currently working on NAT configuration on ASA 8.3, but my
> >> >> old configuration didn't work on the newer version.
> >> >>
> >> >> I checked the configuration guide and modified the following static
> >> >> NAT configuration.
> >> >> =====================================================================
> >> >> Old(pre 8.3): static (outside,inside) 10.1.1.1 192.168.1.1 netmask 255.255.255.255
> >> >>
> >> >> New(8.3): object network obj-192.168.1.1
> >> >>  host 192.168.1.1
> >> >>  nat(outside, inside) static 10.1.1.1
> >> >> =====================================================================
> >> >> I think it's the correct configuration, but it didn't work
> >> >> properly. Any correction? Please advise.
> >> >>
> >> >>
> >> >> I have another configuration that needs to be checked. Please refer to
> >> >> the following.
> >> >> ===========================================================
> >> >> object-group network CLIENTS_REAL
> >> >>  network-object 172.16.0.0 255.255.0.0
> >> >>
> >> >> nat (inside,outside) source dynamic CLIENTS_REAL interface
> >> >> ===========================================================
> >> >> In this case, I think the configuration should remain the same on
> >> >> pre 8.3 and 8.3. Any opinion??
> >> >>
> >> >> It would be greatly appreciated if anyone can give me some advice.
> >> >>
> >> >> Regards,
> >> >> ----------------------------------------------
> >> >> "An open mind opens doors."
> >> >> Myung-Soo Ko
> >> >>
> >> >>
> >> >> Blogs and organic groups at http://www.ccie.net
> >> >>
> >> >>
> >> >> _______________________________________________________________________
> >> >> Subscription information may be found at:
> >> >> http://www.groupstudy.com/list/CCIELab.html
> >> >
> >> >
> >> > --
> >> > CCIEx2 (R&S|Sec) #19963
> >> >
> >> >
> >>
> >>
>
>

Received on Wed Jul 31 2013 - 12:24:54 ART

This archive was generated by hypermail 2.2.0 : Thu Aug 01 2013 - 08:45:51 ART
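
Added example, not part of the original thread or of any Cisco tooling: a simplified Python model of the three-section NAT ordering discussed above, showing how a manual dynamic rule in Section 1 takes outbound traffic before an auto static rule in Section 2, and how "after-auto" changes that. It matches on the real source address only (interfaces and destination are ignored); the 10.82.0.0/16 manual PAT rule and all names other than INSIDE_SUBNET are hypothetical.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class NatRule:
    section: int    # 1 = manual (twice) NAT, 2 = auto (object) NAT, 3 = manual "after-auto"
    line: int       # configured position; only meaningful in sections 1 and 3
    kind: str       # "static" or "dynamic"
    real: str       # real source network, CIDR
    mapped: str     # mapped network or "interface"
    name: str = ""  # object name, last tie-breaker in section 2

def order_key(r):
    if r.section != 2:
        return (r.section, r.line)
    # Section 2 is sorted by the ASA itself: static before dynamic, then fewest
    # real addresses, then lowest address, then object name.
    net = ip_network(r.real)
    return (2, r.kind != "static", net.num_addresses, int(net.network_address), r.name)

def processing_order(rules):
    return sorted(rules, key=order_key)

def first_match(rules, src_ip):
    """Return the first rule, in processing order, whose real network holds src_ip."""
    src = ip_address(src_ip)
    return next((r for r in processing_order(rules) if src in ip_network(r.real)), None)

def shadowed(rules):
    """Pairs (rule, earlier_rule) where earlier_rule already covers rule's real network."""
    ordered, pairs = processing_order(rules), []
    for i, r in enumerate(ordered):
        hit = next((e for e in ordered[:i]
                    if ip_network(r.real).subnet_of(ip_network(e.real))), None)
        if hit:
            pairs.append((r, hit))
    return pairs

# Constructed sample: the auto static rule from the quoted "sh nat" output plus a
# hypothetical manual dynamic PAT for 10.82.0.0/16 that overlaps it.
AUTO_STATIC = NatRule(2, 0, "static", "10.82.6.0/26", "10.82.6.128/26", "INSIDE_SUBNET")
MANUAL_PAT = NatRule(1, 1, "dynamic", "10.82.0.0/16", "interface")
BEFORE = [AUTO_STATIC, MANUAL_PAT]                     # PAT in section 1
AFTER = [AUTO_STATIC, replace(MANUAL_PAT, section=3)]  # PAT moved to "after-auto"

if __name__ == "__main__":
    for label, rules in (("section 1", BEFORE), ("after-auto", AFTER)):
        r = first_match(rules, "10.82.6.10")
        print(f"PAT in {label}: 10.82.6.10 hits section {r.section} {r.kind} -> {r.mapped}")
    print("shadowed:", [(r.name, e.section) for r, e in shadowed(BEFORE)])
```

On a real device, `show nat` and `packet-tracer` remain the authoritative check of which rule a flow hits.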