1 Reply Latest reply: Feb 11, 2019 3:37 AM by Sergey




      1. When the file server with the inside local address of goes to the outside, it uses the auto NAT rule that translates the address to the ASA's outside interface ( via PAT.

      2. When a device on the outside goes to, that traffic is sent to the server (new traffic flow that is unrelated to the flow initiated by the file server)


      PROCEDURE: Attempted to do this using object NAT and then an after-auto manual NAT statement:


      object network NETWORK_10.100.0.0_24


      nat (any,OUTSIDE) dynamic interface

      object network HOST_10.100.0.3


      object network HOST_10.0.0.51



      nat (OUTSIDE,INSIDE) after-auto source static any any destination static HOST_10.0.0.51 HOST_10.100.0.3


      access-list OUTSIDE_access_in extended permit ip any object HOST_10.100.0.3

      access-group OUTSIDE_access_in in interface OUTSIDE


      PROBLEM: the file server is still using the address instead of the address. I would assume that since the static NAT entry specifically calls to be after the auto NAT that this would make it so traffic sourced from the file server to the outside would translate to and traffic sourced from outside towards the file server would have to reach but this isn't what is actually happening. When I do a packet-tracer in the CLI, I notice the static NAT entry is invoked which has me confused as to why.


      Any ideas where I'm going wrong here? Just trying to get a better grasp on this. Thanks.

        • 1. Re: ASA NAT



          You are correct: because the auto NAT statement is higher up in the list, the return traffic from the server will always hit it first and will use auto NAT. I think the best you can do is create a specific NAT entry for a port on the server and place it higher up, so that if traffic is originating from a certain port, which typically will be only in response to a client request, then it uses address .51. The default will be caught by your auto NAT entry.
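
The port-specific entry suggested in the reply, sketched as an added example that is not part of the original thread. Assumptions: the "certain port" is taken to be TCP 445 (SMB on a file server), the service object name SVC_TCP_SRC_445 is hypothetical, 203.0.113.10 is a constructed outside client address, and the two host objects are defined as their names suggest.

```cisco
! Added example, not from the thread. Port 445 is an assumption.
! Service object matching the server's own listening port as the SOURCE port,
! i.e. packets the server sends in reply to an outside client.
object service SVC_TCP_SRC_445
 service tcp source eq 445

! Manual NAT without "after-auto" lands in section 1, which is evaluated
! before the auto (object) NAT rules in section 2. Only traffic with
! source 10.100.0.3:445 is translated to 10.0.0.51:445; the same rule
! un-translates inbound connections to 10.0.0.51:445.
nat (INSIDE,OUTSIDE) source static HOST_10.100.0.3 HOST_10.0.0.51 service SVC_TCP_SRC_445 SVC_TCP_SRC_445

! Narrow the inbound ACL to the published port instead of "permit ip any".
! On 8.3 and later the ACL references the real (untranslated) address.
access-list OUTSIDE_access_in extended permit tcp any object HOST_10.100.0.3 eq 445
access-group OUTSIDE_access_in in interface OUTSIDE

! Verification: rule order and hit counts per section.
show nat detail

! Inbound client to the mapped address: expect the section 1 rule (UN-NAT).
packet-tracer input OUTSIDE tcp 203.0.113.10 50000 10.0.0.51 445

! Server-initiated traffic from an ephemeral port: expect the dynamic
! interface PAT rule from the network object, not the static entry.
packet-tracer input INSIDE tcp 10.100.0.3 50000 203.0.113.10 443
```

Every other flow from the server falls through section 1 and is picked up by the dynamic interface PAT rule, so only the published service is reachable on the .51 address.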