ASA-5510: Adding another static nat issue.

Answered Question
Nov 3rd, 2008
I'm trying to add another static NAT translation onto the ASA. There's already one static NAT to another host. Wouldn't I just copy the same static and change the IPs? Tried it and it gave me an error. Not sure what else I'm supposed to add. Kinda lost.


error: router(config)# static (inside,backup) 214.24.29.114 10.20.1.20 netmask 255.255.255.255 0 0

ERROR: Static PAT using the interface requires the use of the 'interface' keyword instead of the interface IP address



calvinz21 Mon, 11/03/2008 - 08:34
here's the current config file.



!
ASA Version 8.0(3)
!
hostname asa510-01
domain-name corp.com
enable password xxxxxxxxxxxx encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 214.x.x.114 255.255.255.240
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.20.1.254 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
 domain-name corp.com
access-list outside_1_cryptomap extended permit ip 10.20.1.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list inside_nat0_outbound extended permit ip 10.20.1.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list outside_access_in remark allow public to http
access-list outside_access_in extended permit tcp any host 214.24.29.115 eq www
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
logging host inside 10.1.xx.xx
mtu outside 1500
mtu inside 1500
ip verify reverse-path interface inside
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.20.1.0 255.255.255.0
static (inside,outside) 214.24.29.115 10.20.1.10 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 214.24.29.113 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server LIST1 protocol tacacs+
 key xxxxxxxxx
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa accounting enable console LIST1
http server enable
http 10.20.10.0 255.255.255.0 inside
http 207.40.115.253 255.255.255.255 outside
snmp-server host inside 10.1.11.45 community 1232344
snmp-server location xxxxxxxx
no snmp-server contact
snmp-server community 123cabaf3a
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 207.40.115.1
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
console timeout 5
management-access inside
threat-detection basic-threat
threat-detection statistics
tunnel-group 207.40.115.1 type ipsec-l2l
tunnel-group 207.40.115.1 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect tftp
  inspect xdmcp
  inspect http
  inspect icmp
  inspect snmp
!
service-policy global_policy global
prompt hostname context



acomiskey Mon, 11/03/2008 - 08:37

Don't see a "backup" interface in the config. It wants you to use the "interface" keyword instead of the ip address. For example...


static (inside,outside) interface 10.20.1.20 netmask 255.255.255.255


...because 214.24.29.114 is the ip address of the interface.

francisco_1 Mon, 11/03/2008 - 08:51

calvinz,



Also, according to your config, the hostname of the device you are trying to do NAT on is "router" while the hostname for your ASA is "asa510-01". Make sure you are working on the correct device. NAT commands work differently on ASA/routers.


Francisco.

calvinz21 Mon, 11/03/2008 - 09:08

Sorry, here's the right config, and it does have backup as an interface.


here's the current config file.



!
ASA Version 8.0(3)
!
hostname asa510-01
domain-name corp.com
enable password xxxxxxxxxxxx encrypted
names
!
interface Ethernet0/0
 nameif backup
 security-level 0
 ip address 214.x.x.114 255.255.255.240
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.20.1.254 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
 domain-name corp.com
access-list outside_1_cryptomap extended permit ip 10.20.1.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list inside_nat0_outbound extended permit ip 10.20.1.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list outside_access_in remark allow public to http
access-list outside_access_in extended permit tcp any host 214.24.29.115 eq www
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
logging host inside 10.1.xx.xx
mtu outside 1500
mtu inside 1500
ip verify reverse-path interface inside
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
arp timeout 14400
global (backup) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.20.1.0 255.255.255.0
static (inside,backup) 214.24.29.115 10.20.1.10 netmask 255.255.255.255
access-group outside_access_in in interface backup
route backup 0.0.0.0 0.0.0.0 214.24.29.113 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server LIST1 protocol tacacs+
 key xxxxxxxxx
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa accounting enable console LIST1
http server enable
http 10.20.10.0 255.255.255.0 inside
http 207.40.115.253 255.255.255.255 backup
snmp-server host inside 10.1.11.45 community 1232344
snmp-server location xxxxxxxx
no snmp-server contact
snmp-server community 123cabaf3a
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 207.40.115.1
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface backup
crypto isakmp enable backup
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
console timeout 5
management-access inside
threat-detection basic-threat
threat-detection statistics
tunnel-group 207.40.115.1 type ipsec-l2l
tunnel-group 207.40.115.1 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect tftp
  inspect xdmcp
  inspect http
  inspect icmp
  inspect snmp
!
service-policy global_policy global
prompt hostname context


calvinz21 Mon, 11/03/2008 - 09:11

I'm in the correct router. I just forgot what I named the router.


I tried using backup as an interface and got this error:


asa510-01(config)# static (inside,backup) interface 10.20.0.20 netmask 255.255.255.255

WARNING: static redirecting all traffics at backup interface;

WARNING: all services terminating at backup interface are disabled.


So it seems like I might have to create a new interface or something?

francisco_1 Mon, 11/03/2008 - 09:13

Then what Adam suggested will work for you. Have you tried it? Does it work?


Francisco.

francisco_1 Mon, 11/03/2008 - 09:17

I think the reason why you have this problem is because you already have "global (backup) 1 interface" (the translation is already using the outside interface for 10.20.1.0 255.255.255.0). Try using another public IP for one-to-one static translation.


calvinz21 Mon, 11/03/2008 - 09:26

Is there any way around it w/o having to have another public IP?

francisco_1 Mon, 11/03/2008 - 09:33

Unless you use static with PAT.


The example below shows how to configure static PAT for an internal web server located at 192.168.10.10. The web client on the public network will connect to the server using the public IP address of the security appliance on the default web port (TCP port 80).

static (inside,outside) tcp interface www 192.168.10.10 www netmask 255.255.255.255



Correct Answer
francisco_1 Mon, 11/03/2008 - 09:35

Try static (inside,backup) tcp interface www 10.20.1.20 www netmask 255.255.255.255. Change the port to whatever you would like to allow.
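An added example, not from the thread, that puts the static PAT from the two posts above together with the access-list entry the posted config already uses for 214.24.29.115, on the pre-8.3 syntax the config shows. The second port (https), the 214.24.29.114 interface address and the verify commands are assumptions for illustration; the first static line is the one given above.

```text
! Static PAT on the "backup" interface address (assumed 214.24.29.114, the
! address the first error message was issued for). Only the listed ports are
! redirected to 10.20.1.20, so ISAKMP (udp/500) for the 207.40.115.1 tunnel and
! ASDM/HTTPS access from 207.40.115.253 at the backup interface keep working.
static (inside,backup) tcp interface www 10.20.1.20 www netmask 255.255.255.255
static (inside,backup) tcp interface https 10.20.1.20 https netmask 255.255.255.255
!
! Pre-8.3 access-lists on the outside/backup side match the translated
! (public) address, exactly like the existing 214.24.29.115 entry, so permit
! the interface address and port explicitly. outside_access_in is already
! applied with "access-group outside_access_in in interface backup".
access-list outside_access_in extended permit tcp any host 214.24.29.114 eq www
access-list outside_access_in extended permit tcp any host 214.24.29.114 eq https
!
! Not this form: without a protocol and port it claims every flow arriving at
! the interface address for 10.20.0.20, which is what the warning
! "all services terminating at backup interface are disabled" is about.
!   static (inside,backup) interface 10.20.0.20 netmask 255.255.255.255
!
! Verify the translation and the ACL hit counts after the change:
show xlate | include 10.20.1.20
show access-list outside_access_in
```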


calvinz21 Mon, 11/03/2008 - 10:01

Thanks, I'll give that a try. It seems like I'm talking to someone here that doesn't understand what they are asking. I'll check with the 3rd party on what they want. Will keep you posted. Thanks for the help.

calvinz21 Tue, 11/04/2008 - 07:57

I was able to put in a static NAT with another public IP. Thanks for your help.


I'm having an access issue. Wonder if you guys can see if it's being blocked somewhere else. I already wrote up an ACL for the access but it's still being denied. Same router.


access-list outside_access_in line 11 extended permit tcp any 214.16.68.192 255.255.255.192 eq 3389 (hitcnt=0)

access-list outside_access_in line 12 extended permit tcp any 214.16.68.192 255.255.255.192 (hitcnt=0)


Deny tcp src backup:214.16.68.246/4225 dst inside:214.24.29.115/3389 by access-group "outside_access_in" [0x0, 0x0]

francisco_1 Tue, 11/04/2008 - 08:54

try

access-list outside_access_in extended permit tcp any host 214.16.68.192 eq 3389


Francisco
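Added example, not from the thread: the deny message calvinz21 posted logs the 214.16.68.x address as the source (src backup:214.16.68.246/4225) and the mapped address 214.24.29.115 as the destination on port 3389, so an access-list entry written to match that logged flow looks like the one below. That 214.24.29.115 is the host the third party should reach over RDP is an assumption for illustration.

```text
! Matches the logged flow: src backup:214.16.68.246 -> dst 214.24.29.115/3389.
! On this 8.0(3) config the ACL on the backup interface is evaluated against
! the mapped (public) address, which is the address the deny message printed.
! Scope the source to the /26 from the log rather than "any".
access-list outside_access_in extended permit tcp 214.16.68.192 255.255.255.192 host 214.24.29.115 eq 3389
!
! Entries that place 214.16.68.192/26 in the destination field describe the
! reverse direction and will keep showing hitcnt=0 for this flow.
! Check hit counts and the next denial after the change:
show access-list outside_access_in | include 3389
show logging | include 214.16.68.246
```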
