Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

NAT/PAT overriding on ASA

Status
Not open for further replies.

marisi

Technical User
Apr 29, 2011
4
AU
Hello,

I currently have a static-nat statement which works fine. But I need to now add a static PAT statement for the same 2 IPs. Unfortunately because of the static NAT it is not hitting the static PAT statement.

For example:

static (inside,outside) 10.1.0.250 192.168.1.250 netmask 255.255.255.255

static (inside,outside) tcp 10.1.0.250 8080 192.168.1.250 255.255.255.255

What's the best way to get around this problem?
Many thanks.
 
you need to remove the static NAT statement.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Thanks unclerico for the suggestion.

However in this case I need to keep the static NAT in place for the other TCP sessions to work.
I only need to PAT 1 port to a different port on the internal side as per my previous post.

I was trying to use:

nat (Inside) 1 192.168.1.250 255.255.255.255
global (Outside) 1 10.1.0.250 netmask 255.255.255.0

static (inside,outside) 10.1.0.250 192.168.1.250 netmask 255.255.255.255

But the global statement with just 1 IP is doing dynamic PAT instead of NAT.

Thanks for any suggestions.
 
Why exactly do you want to NAT and PAT the same address?

Maybe if we understood what you are trying to accomplish with this we could help more, but when you have a static NAT the firewall is going to use it.
 
It is actually for a client who has a static NAT, but wants one of the ports to be forwarded to a different port on the inside..

Thus port 8080 connections to Outside interface needs to be forwarded to port 80 on the Inside host.
 
You'll want to do something like

static (inside,outside) tcp 10.1.0.250 8080 192.168.1.250 80 netmask 255.255.255.255

 
Indeed I tried :

static (inside,outside) tcp 10.1.0.250 8080 192.168.1.250 80 netmask 255.255.255.255

But this required me to remove the original static nat:
static (inside,outside) 10.1.0.250 192.168.1.250 netmask 255.255.255.255

Which meant rest of the traffic that was being translated no longer works....so essentially that did fix the problem, but broke everything else for that translation.
 
Then merely specify the other ports that need to go to other host

Where x equals the other ip


static (inside,outside) tcp 10.1.0.250 80 192.168.1.x 80 netmask 255.255.255.255

static (inside,outside) tcp 10.1.0.250 25 192.168.1.x 25 netmask 255.255.255.255


 
what firmware are you running on the ASA.

I have found the NAT / PAT on 8.4 totally horrible.

8.2.1 works the best

ACSS - SME
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top