ASA Translation Table

Unanswered Question
Sep 11th, 2008

Hi,

I have done PAT and static (dmz,outside) a.b.c.d 10.5.0.5 translation in my ASA. When I change static (dmz,outside) w.x.y.z 10.5.0.0 translation, is it possible to clear the translation table?


If you change the NAT configuration, and you do not want to wait for existing translations to time out before the new NAT information is used, you can clear the translation table using the clear xlate command. However, clearing the translation table disconnects all current connections that use translations, and then starts building new connections based on the new configuration.


Regards,

Mohsin

itdsmartnet Thu, 09/11/2008 - 21:56
Hi,

What if I change a static translation, do I need clear xlate then?

Thanks

itdsmartnet Thu, 09/11/2008 - 22:11
Hi,

I have a problem. I have two public IPs, and I have static (dmz,outside) xx.xx.xx.9 10.5.0.5

access-list webserver extended permit tcp any host xx.xx.xx.9 eq ftp

access-group webserver in interface outside

This works fine, but when I use static (dmz,outside) xx.xx.xx.12 10.5.0.5 for the same server, it will not. What might be the problem?

Thanks

Please be specific. It will not what?


There are 2-3 points that you must remember,


- You can assign 2 public IPs to a single private IP, but that is not recommended.


- Your ACL for ftp is for XX.XX.XX.9 only; if you want to use ftp for the 2nd public IP also, you need to add another ACL, i.e.


access-list webserver extended permit tcp any host xx.xx.xx.9 eq ftp


However, ACLs work in a sequential way, so all the incoming traffic will hit the first ACL of XX.XX.XX.9 and hence the 2nd ACL will be useless. But in case you want to serve ftp on XX.XX.XX.9 and http on XX.XX.XX.12 for the same private IP 10.5.0.5, then you can add


access-list webserver extended permit tcp any host xx.xx.xx.12 eq http

along with the xx.xx.xx.9 eq ftp command...


But, why would you like to have 2 public IPs for 1 private IP?
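As an added example (not part of the original posts): a small Python check that, for each static translation, lists the permits that the inbound ACL on the mapped interface holds for that public address. The sample configuration is constructed, 203.0.113.x stands in for the masked xx.xx.xx.x addresses, and the parser assumes only the static and "access-list ... permit ... any host" forms used in this thread.

```python
import re

# Constructed sample in the syntax used in this thread; 203.0.113.x stands in
# for the masked xx.xx.xx.x public addresses.
SAMPLE_CONFIG = """\
static (dmz,outside) 203.0.113.9 10.5.0.5 netmask 255.255.255.255
static (dmz,outside) 203.0.113.12 10.5.0.5 netmask 255.255.255.255
access-list webserver extended permit tcp any host 203.0.113.9 eq ftp
access-group webserver in interface outside
"""

STATIC_RE = re.compile(r"^static \((\S+?),(\S+?)\) (\S+) (\S+)")
# Only the "permit <proto> any host <ip> [eq <port>]" form is recognised.
ACE_RE = re.compile(
    r"^access-list (\S+) extended permit (\S+) any host (\S+)(?: eq (\S+))?")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)")


def audit_static_acl(config):
    """Return {mapped_ip: [(proto, port), ...]} for every static translation,
    listing the permits that the inbound ACL on the mapped interface holds for
    that mapped address. An empty list means no inbound permit covers it."""
    statics, aces, bound = [], {}, {}
    for line in config.splitlines():
        line = line.strip()
        if m := STATIC_RE.match(line):
            _real_if, mapped_if, mapped_ip, _real_ip = m.groups()
            statics.append((mapped_if, mapped_ip))
        elif m := ACE_RE.match(line):
            acl, proto, dst, port = m.groups()
            aces.setdefault(acl, []).append((dst, proto, port or "any"))
        elif m := GROUP_RE.match(line):
            bound[m.group(2)] = m.group(1)  # interface -> ACL name
    report = {}
    for mapped_if, mapped_ip in statics:
        acl = bound.get(mapped_if)
        report[mapped_ip] = [(p, port) for dst, p, port in aces.get(acl, [])
                             if dst == mapped_ip]
    return report


def uncovered(config):
    """Mapped addresses with a static translation but no inbound permit."""
    return sorted(ip for ip, permits in audit_static_acl(config).items()
                  if not permits)


if __name__ == "__main__":
    for ip, permits in audit_static_acl(SAMPLE_CONFIG).items():
        print(ip, permits or "NO PERMIT in the bound ACL")
```

On the constructed sample, the second public address is reported as having a translation but no matching permit in the ACL bound to the outside interface.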



itdsmartnet Thu, 09/11/2008 - 22:44
Hi,

I told you, when I use static (dmz,outside) xx.xx.xx.9 10.5.0.5

access-list webserver extended permit tcp any host xx.xx.xx.9 eq ftp

access-group webserver in interface outside

This works fine, but when I remove the above static mapping and re-create the static mapping with xx.xx.xx.12, with the ACL changed to xx.xx.xx.12 for ftp, it is not working.

Thanks

Marwan ALshawi Sat, 09/13/2008 - 05:24

When you get this problem after changing NAT lines, just reload the firewall.
