I need a little help on this one, guys. This is what happens: one of our customers uses a Unix-based software as his FW solution, called Astaro Security Gateway v7.x. The thing is that, like most Unix-based solutions, it allows the administrators to create SNAT, DNAT and FULL NAT using Port Redirection in a single rule using Object Orientation.
Attached to this post is their current topology.
One of the rules I have to transport to the Cisco IOS syntax is as follows:
Brasilia Network(inside): 10.61.0.0/16
Host (inside): 10.13.1.244
Host (inside2): 10.13.12.20
S: 10.61.0.0/16 TCP 80 | D: 10.13.1.244 TCP 80
S: 10.61.0.0/16 TCP 80 | D: 10.13.12.20 TCP 80
The Default Gateway to the LAN (blue) stations and network gear is the inside intf (10.13.1.101). When TCP packets on port 80 coming from any host at the Brasilia Network (10.61.0.0/16) targeting the host 10.13.1.244 get to the 'inside' intf, there will be a DNAT, changing the 10.13.1.244 to 10.13.12.20, still on port 80 but routed to the inside2 intf. The pre-NAT and post-NAT destination port is TCP 80 only.
This is the configuration I input on the ASA:
1) access-list Ast_03 extended permit tcp 10.61.0.0 255.255.0.0 eq http host 10.13.1.244 eq http
2) static (inside,inside2) tcp 10.13.12.20 http access-list Ast_03
OUTPUT ERROR: global address overlaps with mask
Can you guys help me out with this one?
I know that Port Redirection isn't stated on this one, but there are a LOT of rules that will need that.
Thanks in advance.
Best Regards, Daniel
If I understand your requirement correctly, then both the ACL and Static are wrong.
The static should be:
access-list Ast_03 extended permit tcp host 10.13.12.20 eq http 10.61.0.0 255.255.0.0
static (inside2,inside) tcp 10.13.1.244 http access-list Ast_03
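
Since the question mentions many more rules to convert, here is an added example (not code from either poster) that generates the ACL and static pair in the same form as the reply above from a DNAT rule description. The function name `asa_policy_static`, the ACL name `Ast_EXAMPLE` and the 8080 port-redirection case are hypothetical; ports are emitted numerically, and the redirection case assumes the real port belongs in the ACL and the mapped port in the static line.

```python
import ipaddress

def asa_policy_static(acl, src_net, orig_dst, orig_port, real_host, real_port,
                      client_if, server_if, proto="tcp"):
    """Build the ACL + static pair for one destination-NAT rule.

    src_net   -- client network whose traffic is translated (CIDR)
    orig_dst  -- address:port the clients connect to (ASA "mapped" side)
    real_host -- server:port that really receives the traffic ("real" side)
    client_if -- interface the clients arrive on
    server_if -- interface behind which real_host lives
    """
    net = ipaddress.ip_network(src_net)          # raises if host bits are set
    orig_dst = ipaddress.ip_address(orig_dst)    # raises on a malformed address
    real_host = ipaddress.ip_address(real_host)
    for port in (orig_port, real_port):
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
    if client_if == server_if:
        raise ValueError("real and mapped interfaces must differ")
    if proto not in ("tcp", "udp"):
        raise ValueError("static PAT takes tcp or udp only")
    # ACL: source is the REAL host and REAL port, destination is the client network.
    acl_line = (f"access-list {acl} extended permit {proto} host {real_host} "
                f"eq {real_port} {net.network_address} {net.netmask}")
    # static: (real_if,mapped_if), then the MAPPED address and MAPPED port.
    static_line = (f"static ({server_if},{client_if}) {proto} {orig_dst} "
                   f"{orig_port} access-list {acl}")
    return [acl_line, static_line]

if __name__ == "__main__":
    # The rule from this thread (ports numeric: 80 is http).
    for line in asa_policy_static("Ast_03", "10.61.0.0/16", "10.13.1.244", 80,
                                  "10.13.12.20", 80, "inside", "inside2"):
        print(line)
    # Constructed port-redirection case: clients hit :80, server listens on :8080.
    for line in asa_policy_static("Ast_EXAMPLE", "10.61.0.0/16", "10.13.1.244", 80,
                                  "10.13.12.20", 8080, "inside", "inside2"):
        print(line)
```

The input validation rejects a client network with host bits set (for example `10.61.1.0/16`), which would otherwise produce an ACL entry matching a different range than intended.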