Overlapping NAT statements on ASA

Unanswered Question
Oct 25th, 2007

I'm having trouble with NAT.


This works:

static (Internal-201,ELI-External) tcp interface 3389 192.168.201.114 3389 netmask 255.255.255.255


This doesn't:

static (Internal-201,ELI-External) tcp MY_EXT_IP 3389 192.168.201.114 3389 netmask 255.255.255.255


Why wouldn't the second statement work? I'm positive that I'm typing in the correct external IP.


Edit: I'm guessing that it isn't working because the first statement has overloading and the second one doesn't, so it doesn't know how to "get back to me" since I'm in a private network myself. If this is the reason why, then is there a way to have multiple NAT statements redirecting me, depending on my source IP? (i.e., if I RDP from home, it redirects me to .114, and if I RDP from work, it redirects me to .177)

sundar.palaniappan Thu, 10/25/2007 - 15:52

Your 2nd statement should work too as it's doing static PAT as well.


Are you permitting MY_EXT_IP port # 3389 on the ACL applied on the ELI-External interface?


HTH


Sundar

JORGE RODRIGUEZ Thu, 10/25/2007 - 19:02

As Sundar said, apply an ACL to the ELI-External interface.


Here is a useful link to follow the example; it should work.


http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804708b4.shtml#intro



static (internal-201,ELI-External) tcp interface 3389 192.168.201.114 3389 netmask 255.255.255.255 0 0

static (internal-201,ELI-External) tcp interface 3389 192.168.201.177 3389 netmask 255.255.255.255 0 0


access-list ACL1 extended permit tcp host ExternalIP-1 host 192.168.201.114 eq 3389

access-list ACL1 extended permit tcp host ExternalIP-2 host 192.168.201.177 eq 3389

access-group ACL1 in interface ELI-External
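
An audit check for the situation discussed in this thread, added here as an example and not part of any poster's reply: it parses static PAT lines in the syntax quoted above and reports any mapped address and port that is claimed by more than one real host, which cannot be told apart by destination alone. The function name `find_overlaps`, the regular expression, and the sample text (including the port 443 rule and host .50) are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches static PAT lines in the form quoted in the thread:
# static (real_if,mapped_if) tcp|udp <mapped_ip|interface> <mapped_port> <real_ip> <real_port> ...
STATIC_PAT = re.compile(
    r"^static\s+\((?P<real_if>[^,\s]+),(?P<mapped_if>[^)\s]+)\)\s+"
    r"(?P<proto>tcp|udp)\s+(?P<mapped_ip>\S+)\s+(?P<mapped_port>\S+)\s+"
    r"(?P<real_ip>\S+)\s+(?P<real_port>\S+)",
    re.IGNORECASE,
)

def find_overlaps(config_text):
    """Return {mapped endpoint: [real endpoints]} for endpoints claimed by more than one real host."""
    seen = defaultdict(list)
    for line in config_text.splitlines():
        m = STATIC_PAT.match(line.strip())
        if not m:
            continue
        # Assumption: interface names are compared case-insensitively
        # (the thread writes both Internal-201 and internal-201).
        key = (m["real_if"].lower(), m["mapped_if"].lower(), m["proto"].lower(),
               m["mapped_ip"].lower(), m["mapped_port"])
        real = (m["real_ip"], m["real_port"])
        if real not in seen[key]:
            seen[key].append(real)
    return {k: v for k, v in seen.items() if len(v) > 1}

# Constructed sample: statements quoted in the thread plus one made-up, unrelated rule.
SAMPLE = """\
static (internal-201,ELI-External) tcp interface 3389 192.168.201.114 3389 netmask 255.255.255.255 0 0
static (internal-201,ELI-External) tcp interface 3389 192.168.201.177 3389 netmask 255.255.255.255 0 0
static (Internal-201,ELI-External) tcp interface 443 192.168.201.50 443 netmask 255.255.255.255
access-list ACL1 extended permit tcp host ExternalIP-1 host 192.168.201.114 eq 3389
"""

if __name__ == "__main__":
    for key, reals in find_overlaps(SAMPLE).items():
        real_if, mapped_if, proto, ip, port = key
        print(f"({real_if},{mapped_if}) {proto} {ip}:{port} -> {reals}")
```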

