Comments on: Cisco ASA NAT examples with software version 8.4

By: Muneeb

Muneeb — Thu, 27 Mar 2014 12:26:30 +0000

Michel, Thank you so much for writing
“don’t forget to place no-proxy-arp at the end of the NAT statement, otherwhise your Cisco ASA will answer on every ARP-Broadcast “YES THAT’S ME HERE IS MY MAC-ADDRESS!!!11111″ -.-”

This is exactly what was happening in my case. I could ping the devices but unable to connect on port 443 or 80 as the learned mac address was ASA interface for all the machines on same subnet and it was killing all my logics as I am not a cisco expert yet.

By: Michel

Michel — Wed, 19 Mar 2014 10:09:13 +0000

In reply to Ben.

Hi Ben,

I would try this:

object network GuestNetwork
subnet 192.168.1.0 255.255.255.0

object network Guest-WAN-IP
host 88.77.66.55

object network GuestNetwork
nat (guests,outside) static Guest-WAN-IP

By: Ben

Ben — Tue, 18 Mar 2014 15:22:48 +0000

Hi, I’m using version 8.6 and want to have a guest vlan which uses a different external IP for its NAT address.

Here’s my nat setup
Manual NAT Policies (Section 1)
1 (Inside) to (Outside) source dynamic any interface translate_hits = 13818379, untranslate_hits = 551007

2 (Wifi_guest) to (Outside) source dynamic any EXT_wifiguest_29 translate_hits = 516, untranslate_hits = 0

The second policy gets some hits but does not work. If I change it to interface, rather than the network object of an external IP, it works.

By: Enabling passive FTP through Cisco ASA - Network Guy

Enabling passive FTP through Cisco ASA - Network Guy — Fri, 12 Oct 2012 09:06:42 +0000

[…] I explained 1:1 NAT (with example for PPTP passthrough) in this post you can also add more PAT just based on your access-list. I recognized a problem at one customer […]