Static nat

phiz.petry
Level 1

Hello,

Static NAT is not working if I use the same public IP as the outside interface.

Configuration example:

    ASA Version 7.2(2)
    interface Ethernet0/0
     nameif outside
     security-level 0
     ip address 1.1.1.1 255.255.255.0
    interface Ethernet0/1
     nameif inside
     security-level 100
     ip address 192.168.1.1 255.255.255.0
    access-list inside_access_in extended permit ip any any
    access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.57.0 255.255.255.0
    access-list web extended permit tcp any host 1.1.1.1 eq www
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    static (inside,outside) 1.1.1.1 192.168.1.250 netmask 255.255.255.255
    access-group web in interface outside
    access-group inside_access_in in interface inside
    route outside 0.0.0.0 0.0.0.0 1.1.1.3 1

----

If I change the outside IP address to 1.1.1.2, the static NAT works.

If I change the PIX version to 7.1(1), the static NAT works even if I use the same public IP address.

What is the difference between 7.1(1) and 7.2(2)?

Thanks for your help


acomiskey
Level 10

Change it to this...

static (inside,outside) interface 192.168.1.250 netmask 255.255.255.255

That should do the trick.

Please rate helpful posts.

Hello,

If I use this command:

static (inside,outside) interface 192.168.1.250 netmask 255.255.255.255

It's working, but I get this warning message:

WARNING: static redireting all traffics at outside interface;

WARNING: all services terminating at outside interface are disabled.

And WebVPN and the VPN IPsec client are not working.

What services do you wish to forward to 192.168.1.250? Use port forwarding instead for each port you wish to forward...I did www and ftp below.

no static (inside,outside) interface 192.168.1.250 netmask 255.255.255.255

static (inside,outside) tcp interface www 192.168.1.250 www netmask 255.255.255.255

static (inside,outside) tcp interface ftp 192.168.1.250 ftp netmask 255.255.255.255

Please rate helpful posts.

u.griemert
Level 1

The ASA documentation says:

'Do not use a mapped address in the static command that is also defined in a global command for the same mapped interface'
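The condition discussed in this thread can be checked before a configuration is deployed. The following is an added example, not part of the thread and not Cisco tooling: a small Python check that flags `static` commands which map a whole interface address (and so redirect every port to the inside host and disable services terminating on that interface, as the warning above says), while accepting per-port statics. The function names and the trimmed sample configuration are assumptions constructed for illustration.

```python
import re

# Constructed sample: the configuration from the question, trimmed to the lines
# the check needs, plus one per-port static taken from the accepted reply.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 ip address 1.1.1.1 255.255.255.0
global (outside) 1 interface
static (inside,outside) 1.1.1.1 192.168.1.250 netmask 255.255.255.255
static (inside,outside) tcp interface www 192.168.1.250 www netmask 255.255.255.255
"""

# static (real_if,mapped_if) [tcp|udp] mapped_address ...
STATIC_RE = re.compile(
    r"^static \((?P<real_if>[^,\s]+),(?P<mapped_if>[^)\s]+)\)\s+"
    r"(?:(?P<proto>tcp|udp)\s+)?(?P<mapped>\S+)\s")

def interface_addresses(config):
    """Return {nameif: ip} collected from the 'interface' stanzas."""
    addrs, name = {}, None
    for line in config.splitlines():
        words = line.split()
        if words[:1] == ["interface"]:
            name = None                      # new stanza, nameif not seen yet
        elif words[:1] == ["nameif"] and len(words) > 1:
            name = words[1]
        elif words[:2] == ["ip", "address"] and name and len(words) > 2:
            addrs[name] = words[2]
    return addrs

def audit_statics(config):
    """Return (mapped_if, line, reason) for each whole-address static on an interface IP."""
    addrs = interface_addresses(config)
    pat_ifs = set(re.findall(r"^global \(([^)\s]+)\) \d+ interface", config, re.M))
    findings = []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if not m or m["proto"]:
            continue                         # per-port statics forward one service only
        mapped_if = m["mapped_if"]
        if m["mapped"] == "interface" or m["mapped"] == addrs.get(mapped_if):
            reason = "one-to-one static on the interface address redirects all traffic"
            if mapped_if in pat_ifs:
                reason += "; address is also used by 'global ... interface'"
            findings.append((mapped_if, line.strip(), reason))
    return findings
```

Running `audit_statics(SAMPLE_CONFIG)` reports only the one-to-one static from the question; the `tcp interface www` form from the accepted reply passes.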
