08-13-2007 12:42 PM - edited 03-11-2019 03:57 AM
Hello,
Static nat is not working if i use the same public IP as the Outside interface.
Configuration example :
ASA Version 7.2(2)
interface Ethernet0/0
nameif outside
security-level 0
ip address 1.1.1.1 255.255.255.0
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
access-list inside_access_in extended permit ip any any
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.57.0 255.255.255.0
access-list web extended permit tcp any host 1.1.1.1 eq www
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 1.1.1.1 192.168.1.250 netmask 255.255.255.255
access-group web in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 1.1.1.3 1
----
If i change the outside IP address with 1.1.1.2, the static nat is working.
If i change the PIX version with 7.1(1) the static nat is working if use the same public Ip address.
What is the difference between the 7.1(1) and the 7.2(2) ?
Thanks for your help
Solved! Go to Solution.
09-04-2007 05:04 AM
What services do you wish to forward to 192.168.1.250? Use port forwarding instead for each port you wish to forward...I did www and ftp below.
no static (inside,outside) interface 192.168.1.250 netmask 255.255.255.255
static (inside,outside) tcp interface www 192.168.1.250 www netmask 255.255.255.255
static (inside,outside) tcp interface ftp 192.168.1.250 ftp netmask 255.255.255.255
Please rate helpful posts.
08-13-2007 12:52 PM
Change it to this...
static (inside,outside) interface 192.168.1.250 netmask 255.255.255.255
That should do the trick.
Please rate helpful posts.
09-04-2007 04:55 AM
Hello,
If i use this command :
static (inside,outside) interface 192.168.1.250 netmask 255.255.255.255
Its working, but i have this warning message :
WARNING: static redireting all traffics at outside interface;
WARNING: all services terminating at outside interface are disabled.
AND WEBVPN and VPN IPSEC CLIENT IS NOT WORKING
09-04-2007 05:04 AM
What services do you wish to forward to 192.168.1.250? Use port forwarding instead for each port you wish to forward...I did www and ftp below.
no static (inside,outside) interface 192.168.1.250 netmask 255.255.255.255
static (inside,outside) tcp interface www 192.168.1.250 www netmask 255.255.255.255
static (inside,outside) tcp interface ftp 192.168.1.250 ftp netmask 255.255.255.255
Please rate helpful posts.
09-04-2007 10:52 PM
in asa doku it is said:
'Do not use a mapped address in the static command that is also defined in a global command for the same mapped interface'
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: