ASA Translation Table

itdsmartnet
Level 1

Hi,

I have done PAT and static (dmz,outside) a.b.c.d 10.5.0.5 translation in my ASA. When I change the static (DMZ,outside) w.x.y.z 10.5.0.0 translation, is it possible to clear the translation table?

8 Replies 8

mohsin.khan
Level 3

If you change the NAT configuration, and you do not want to wait for existing translations to time out before the new NAT information is used, you can clear the translation table using the clear xlate command. However, clearing the translation table disconnects all current connections that use translations, and then starts building new connections based on the new configuration.

regards,

Mohsin

Hi,

What if I change a static translation, do I need to clear xlate then?

Thanks

Practically, you don't need to clear xlate when changing a static translation. However, you can use the "show static" command to see which public IP is statically NATted to your private IP.

Mohsin

Hi,

I have a problem. I have two public IPs, and I have static (dmz,outside) xx.xx.xx.9 10.5.0.5

access-list webserver extended permit tcp any host xx.xx.xx.9 eq ftp

access-group webserver in interface outside

This works fine, but when I use static (dmz,outside) xx.xx.xx.12 10.5.0.5 for the same server, it will not. What might be the problem?

thanks

Please be specific. It will not what?

There are 2-3 points that you must remember:

- You can assign 2 public IPs to a single private IP, but that is not recommended.

- Your ACL for ftp is for XX.XX.XX.9 only; if you want to use ftp for the 2nd public IP also, you need to add another ACL, i.e.

access-list webserver extended permit tcp any host xx.xx.xx.9 eq ftp

However, ACLs work in a sequential way, so all the incoming traffic will hit the first ACL of XX.XX.XX.9 and hence the 2nd ACL will be useless. But in case you want to serve ftp on XX.XX.XX.9 and http on XX.XX.XX.12 for the same private IP 10.5.0.5, then you can add

access-list webserver extended permit tcp any host xx.xx.xx.12 eq http

along with the xx.xx.xx.9 eq ftp command...

But, why would you like to have 2 public IPs for 1 private IP?

Hi,

I told you, when I use static (dmz,outside) xx.xx.xx.9 10.5.0.5

access-list webserver extended permit tcp any host xx.xx.xx.9 eq ftp

access-group webserver in interface outside

this works fine, but when I remove the above static mapping and re-create the static mapping with xx.xx.xx.12, with the ACL changed to xx.xx.xx.12 for ftp, it is not working.

Thanks

Well, in that case you need to check using show static and sh xlate | in xx.xx.xx.12 that the FW/ASA has updated its translation table. If not, then try to clear xlate and then check the same.
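A small check in the spirit of the advice above (added example, not code from this thread or from Cisco): it parses constructed show xlate output and a constructed config fragment in the pre-8.3 static/access-list syntax used in this thread, and reports translations still using the old public IP for the static's host (candidates for clear xlate), statics whose new public IP no ACE permits, and ACEs pointing at a public IP that has no static. The 198.51.100.x documentation addresses stand in for xx.xx.xx.9/.12, and the show xlate layout is assumed from the classic ASA "Global ... Local ..." format.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed "show xlate" sample (pre-8.3 format, not from a real box): line 2 is the
# translation built under the old static (.9) and still present after the change.
SHOW_XLATE = """\
3 in use, 5 most used
Global 198.51.100.9 Local 10.5.0.5
PAT Global 198.51.100.1(1026) Local 10.5.0.22(1026)
Global 198.51.100.12 Local 10.5.0.5
"""

# Constructed config fragment: static re-created for .12, ACL still permits ftp to .9 only.
RUNNING_CONFIG = """\
static (dmz,outside) 198.51.100.12 10.5.0.5 netmask 255.255.255.255
access-list webserver extended permit tcp any host 198.51.100.9 eq ftp
access-group webserver in interface outside
"""

XLATE_RE = re.compile(r"^(?:PAT )?Global (\S+?)(?:\(\d+\))? Local (\S+?)(?:\(\d+\))?$")
STATIC_RE = re.compile(r"^static \(\S+,\S+\) (\S+) (\S+)")
ACE_RE = re.compile(r"^access-list \S+ extended permit \S+ any host (\S+)")

def parse_xlate(text: str) -> List[Tuple[str, str]]:
    """(global_ip, local_ip) pairs from show xlate; PAT port numbers are dropped."""
    return [m.groups() for m in (XLATE_RE.match(l.strip()) for l in text.splitlines()) if m]

def parse_statics(text: str) -> Dict[str, str]:
    """local_ip -> global_ip for every 'static (real,mapped) global local' line."""
    return {m.group(2): m.group(1) for m in map(STATIC_RE.match, text.splitlines()) if m}

def parse_ace_hosts(text: str) -> Set[str]:
    """Destination host IPs permitted by 'permit <proto> any host X' ACEs."""
    return {m.group(1) for m in map(ACE_RE.match, text.splitlines()) if m}

def audit(xlate_text: str, config_text: str) -> Dict[str, list]:
    """Flag xlates still using an old global IP for a static's local host, statics whose
    global IP no ACE permits, and ACEs pointing at a global IP with no static behind it."""
    statics = parse_statics(config_text)
    ace_hosts = parse_ace_hosts(config_text)
    stale = [(g, l) for g, l in parse_xlate(xlate_text) if l in statics and statics[l] != g]
    return {
        "stale_xlates": stale,  # these are what clear xlate would remove
        "statics_without_ace": sorted(set(statics.values()) - ace_hosts),
        "aces_without_static": sorted(ace_hosts - set(statics.values())),
    }

if __name__ == "__main__":
    print(audit(SHOW_XLATE, RUNNING_CONFIG))
```

On the sample input it reports the leftover .9 translation for 10.5.0.5, the new .12 static with no matching ACE, and the ftp ACE still aimed at .9.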

When you get this problem after changing NAT lines, just reload the firewall.
