Static nat


Hello,

Static NAT is not working if I use the same public IP as the outside interface.

Configuration example:

ASA Version 7.2(2)

interface Ethernet0/0

nameif outside

security-level 0

ip address 1.1.1.1 255.255.255.0

interface Ethernet0/1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

access-list inside_access_in extended permit ip any any

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.57.0 255.255.255.0

access-list web extended permit tcp any host 1.1.1.1 eq www

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) 1.1.1.1 192.168.1.250 netmask 255.255.255.255

access-group web in interface outside

access-group inside_access_in in interface inside

route outside 0.0.0.0 0.0.0.0 1.1.1.3 1

----

If I change the outside IP address to 1.1.1.2, the static NAT works.

If I change the PIX version to 7.1(1), the static NAT works if I use the same public IP address.

What is the difference between 7.1(1) and 7.2(2)?

Thanks for your help

acomiskey Mon, 08/13/2007 - 12:52

Change it to this...

static (inside,outside) interface 192.168.1.250 netmask 255.255.255.255

That should do the trick.

Please rate helpful posts.

Hello,

If I use this command:

static (inside,outside) interface 192.168.1.250 netmask 255.255.255.255

It's working, but I have this warning message:

WARNING: static redireting all traffics at outside interface;

WARNING: all services terminating at outside interface are disabled.

And WebVPN and the IPsec VPN client are not working.

Correct Answer
acomiskey Tue, 09/04/2007 - 05:04

What services do you wish to forward to 192.168.1.250? Use port forwarding instead for each port you wish to forward...I did www and ftp below.

no static (inside,outside) interface 192.168.1.250 netmask 255.255.255.255

static (inside,outside) tcp interface www 192.168.1.250 www netmask 255.255.255.255

static (inside,outside) tcp interface ftp 192.168.1.250 ftp netmask 255.255.255.255

Please rate helpful posts.

u.griemert Tue, 09/04/2007 - 22:52

In the ASA documentation it is said:

'Do not use a mapped address in the static command that is also defined in a global command for the same mapped interface'
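
Added example, not part of the original thread: a small Python check that reads ASA 7.x-style configuration text and flags the static commands discussed above, namely a static whose mapped address is the interface's own IP, a full-interface static (the form that produced the warning), and a mapped address that a global command on the same interface already uses. The function name lint_static_nat is hypothetical. It assumes global entries are either the interface keyword or a single address, and it skips per-port tcp/udp statics because that is the form the accepted answer uses.

```python
import re

# Constructed sample: the question's config, reduced to the relevant lines (added example).
SAMPLE = """\
interface Ethernet0/0
 nameif outside
 ip address 1.1.1.1 255.255.255.0
interface Ethernet0/1
 nameif inside
 ip address 192.168.1.1 255.255.255.0
global (outside) 1 interface
static (inside,outside) 1.1.1.1 192.168.1.250 netmask 255.255.255.255
"""

STATIC = re.compile(r"^static \((\S+?),(\S+?)\) (?:(tcp|udp) )?(\S+)")
GLOBAL = re.compile(r"^global \((\S+?)\) \d+ (\S+)")

def lint_static_nat(config):
    """Return (line, finding) pairs for statics that take over an interface address."""
    if_ip, globals_, nameif, findings = {}, {}, None, []
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    for line in lines:                        # pass 1: interface IPs and global entries
        if line.startswith("interface "):
            nameif = None
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("ip address ") and nameif:
            if_ip[nameif] = line.split()[2]
        elif (m := GLOBAL.match(line)):
            globals_.setdefault(m.group(1), set()).add(m.group(2))
    for line in lines:                        # pass 2: evaluate each static
        m = STATIC.match(line)
        if not m:
            continue
        _real_if, mapped_if, proto, mapped = m.groups()
        if proto:                             # per-port static: the accepted answer's form
            continue
        addr = if_ip.get(mapped_if) if mapped == "interface" else mapped
        pool = {if_ip.get(mapped_if) if g == "interface" else g
                for g in globals_.get(mapped_if, ())}
        if mapped == "interface":
            findings.append((line, "full-interface static: services terminating "
                                   "on the interface are disabled"))
        elif addr == if_ip.get(mapped_if):
            findings.append((line, "mapped address is the interface's own IP"))
        if addr and addr in pool:
            findings.append((line, "mapped address also used by a global command"))
    return findings
```

Running lint_static_nat(SAMPLE) reports two findings for the original static line; replacing it with the per-port form from the accepted answer reports none.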
