Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

NAT/PAT overriding on ASA

Status
Not open for further replies.
marisi

marisi

Technical User
Apr 29, 2011
4
AU
Hello,

I currently have a static-nat statement which works fine. But I need to now add a static PAT statement for the same 2 IPs. Unfortunately because of the static NAT it is not hitting the static PAT statement.

For example:

static (inside,outside) 10.1.0.250 192.168.1.250 netmask 255.255.255.255

static (inside,outside) tcp 10.1.0.250 8080 192.168.1.250 255.255.255.255

What's the best way to get around this problem?
Many thanks.
 
Sort by date Sort by votes
you need to remove the static NAT statement.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Upvote 0 Downvote
Thanks unclerico for the suggestion.

However in this case I need to keep the static NAT in place for the other TCP sessions to work.
I only need to PAT 1 port to a different port on the internal side as per my previous post.

I was trying to use:

nat (Inside) 1 192.168.1.250 255.255.255.255
global (Outside) 1 10.1.0.250 netmask 255.255.255.0

static (inside,outside) 10.1.0.250 192.168.1.250 netmask 255.255.255.255

But the global statement with just 1 IP is doing dynamic PAT instead of NAT.

Thanks for any suggestions.
 
Upvote 0 Downvote
Why exactly do you want to NAT and PAT the same address?

Maybe if we understood what you are trying to accomplish with this we could help more, but when you have a static NAT the firewall is going to use it.
 
Upvote 0 Downvote
It is actually for a client who has a static NAT, but wants one of the ports to be forwarded to a different port on the inside..

Thus port 8080 connections to Outside interface needs to be forwarded to port 80 on the Inside host.
 
Upvote 0 Downvote
You'll want to do something like

static (inside,outside) tcp 10.1.0.250 8080 192.168.1.250 80 netmask 255.255.255.255

 
Upvote 0 Downvote
Indeed I tried :

static (inside,outside) tcp 10.1.0.250 8080 192.168.1.250 80 netmask 255.255.255.255

But this required me to remove the original static nat:
static (inside,outside) 10.1.0.250 192.168.1.250 netmask 255.255.255.255

Which meant rest of the traffic that was being translated no longer works....so essentially that did fix the problem, but broke everything else for that translation.
 
Upvote 0 Downvote
Then merely specify the other ports that need to go to other host

Where x equals the other ip


static (inside,outside) tcp 10.1.0.250 80 192.168.1.x 80 netmask 255.255.255.255

static (inside,outside) tcp 10.1.0.250 25 192.168.1.x 25 netmask 255.255.255.255


 
Upvote 0 Downvote
what firmware are you running on the ASA.

I have found the NAT / PAT on 8.4 totally horrible.

8.2.1 works the best

ACSS - SME
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Sameer258
  • Locked
  • Question
Need Help to Find ip and mac address with email who one open my email
Replies
0
Views
266
Sameer258
Sameer258
intel233
  • Locked
  • Question
Cisco ASA 5510 -Static NAT Help
Replies
8
Views
309
intel233
intel233
intel233
  • Locked
  • Question
Cisco ASA - VPN Question
Replies
6
Views
280
intel233
intel233
gkreg
  • Locked
  • Question
asa 5500-x url filtering
Replies
0
Views
187
gkreg
gkreg
PauS0n
  • Locked
  • Question
Need Help On Cisco ASA 5512 Running Version 9
Replies
0
Views
89
PauS0n
PauS0n

Part and Inventory Search

Sponsor

Back
Top