Static nat

Answered Question

Hello,


Static NAT is not working if I use the same public IP as the outside interface.


Configuration example :


ASA Version 7.2(2)


interface Ethernet0/0

nameif outside

security-level 0

ip address 1.1.1.1 255.255.255.0


interface Ethernet0/1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0


access-list inside_access_in extended permit ip any any

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.57.0 255.255.255.0

access-list web extended permit tcp any host 1.1.1.1 eq www


global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0


static (inside,outside) 1.1.1.1 192.168.1.250 netmask 255.255.255.255


access-group web in interface outside

access-group inside_access_in in interface inside


route outside 0.0.0.0 0.0.0.0 1.1.1.3 1


----

If I change the outside IP address to 1.1.1.2, the static NAT is working.


If I change the PIX version to 7.1(1), the static NAT is working if I use the same public IP address.


What is the difference between 7.1(1) and 7.2(2)?


Thanks for your help






acomiskey Mon, 08/13/2007 - 12:52

Change it to this...


static (inside,outside) interface 192.168.1.250 netmask 255.255.255.255


That should do the trick.


Please rate helpful posts.

Hello,


If I use this command:


static (inside,outside) interface 192.168.1.250 netmask 255.255.255.255


It's working, but I have this warning message:


WARNING: static redireting all traffics at outside interface;

WARNING: all services terminating at outside interface are disabled.


AND WEBVPN and VPN IPSEC CLIENT IS NOT WORKING



Correct Answer
acomiskey Tue, 09/04/2007 - 05:04

What services do you wish to forward to 192.168.1.250? Use port forwarding instead for each port you wish to forward...I did www and ftp below.


no static (inside,outside) interface 192.168.1.250 netmask 255.255.255.255

static (inside,outside) tcp interface www 192.168.1.250 www netmask 255.255.255.255

static (inside,outside) tcp interface ftp 192.168.1.250 ftp netmask 255.255.255.255


Please rate helpful posts.


u.griemert Tue, 09/04/2007 - 22:52

In the ASA documentation it says:

'Do not use a mapped address in the static command that is also defined in a global command for the same mapped interface'
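
A small configuration check for the conflict discussed in this thread, as an added example that is not part of the original posts: it flags `static` commands that map a whole address (no port) onto the mapped interface's own address, either literally or with the `interface` keyword, and notes when a `global ... interface` rule shares that address. The function name, tag strings and sample configuration are constructed for illustration, and the parser assumes only the ASA 7.x command forms shown above.

```python
import re

# Constructed sample, reduced from the configuration posted in the question,
# plus one of the port-forwarding statics suggested in the accepted answer.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 ip address 1.1.1.1 255.255.255.0
interface Ethernet0/1
 nameif inside
 ip address 192.168.1.1 255.255.255.0
global (outside) 1 interface
static (inside,outside) 1.1.1.1 192.168.1.250 netmask 255.255.255.255
static (inside,outside) tcp interface www 192.168.1.250 www netmask 255.255.255.255
"""

def audit_statics(config):
    """Return [(line, tags)] for whole-address statics mapped to an interface address."""
    iface_ip, pat_ifaces, nameif = {}, set(), None
    lines = [l.strip() for l in config.splitlines()]
    for line in lines:  # pass 1: interface addresses and interface PAT rules
        if line.startswith("interface "):
            nameif = None
        elif m := re.match(r"nameif (\S+)", line):
            nameif = m.group(1)
        elif (m := re.match(r"ip address (\d\S+)", line)) and nameif:
            iface_ip[nameif] = m.group(1)
        elif m := re.match(r"global \(([^)\s]+)\) \d+ interface", line):
            pat_ifaces.add(m.group(1))
    findings = []
    for line in lines:  # pass 2: inspect each static command
        m = re.match(r"static \([^,\s]+,([^)\s]+)\) (tcp |udp )?(\S+)", line)
        if not m or m.group(2):  # port redirections forward one port only
            continue
        mapped_if, mapped, tags = m.group(1), m.group(3), []
        if mapped == "interface":
            # Triggers the "all services terminating at ... are disabled" warning.
            tags.append("redirects-all-traffic")
        elif mapped == iface_ip.get(mapped_if):
            tags.append("literal-interface-address")
        if tags and mapped_if in pat_ifaces:
            tags.append("shared-with-global")  # same mapped address as global
        if tags:
            findings.append((line, tags))
    return findings

if __name__ == "__main__":
    for line, tags in audit_statics(SAMPLE_CONFIG):
        print(", ".join(tags), "->", line)
```
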
