02-11-2009 08:22 PM - edited 03-11-2019 07:49 AM
Dear All,
I would like all of you to help me solve the problem below:
On the ASA I have Outside, Inside and DMZ. I have one web server in the DMZ and 2 application servers in Inside (one primary and the other one backup), so I want to allow some ports from DMZ to inside. My problem is a message from the ASA saying it cannot create the mapping. I mapped it as below:
static (inside,DMZ) tcp Web_DMZ 1515 Appli_Primary 1515 netmask 255.255.255.255
static (inside,DMZ) tcp Web_DMZ 1515 Appli_Backup 1515 netmask 255.255.255.255
So the ASA does not allow me to create the second static. How can I create this static?
Best Regards,
Rechard
02-11-2009 08:52 PM
Hi Richard,
You can do it with Static Policy NAT. See the following conf.
access-list policy_nat permit tcp host 10.1.1.1 eq 1515 host 172.16.1.1
access-list policy_nat permit tcp host 10.1.1.2 eq 1515 host 172.16.1.1
static (inside,DMZ) tcp Web_DMZ 1515 access-list policy_nat
where 10.1.1.1 & 10.1.1.2 are your Appli_Primary and Appli_Backup respectively. 172.16.1.1 is the DMZ host accessing Appli_Primary & Appli_Backup.
Please try this & update
Thanks
Jithesh
02-12-2009 01:59 AM
Dear Jithesh,
I tried that already but it still has the problem. The message shown is as below:
ERROR: access-list used in static has different local addresses
If I assign access-list policy_nat with only one command it is OK, I mean it doesn't show the error.
What can I do next?
Best Regards,
Rechard
02-12-2009 02:35 AM
Hi Rechard,
I am sorry. Please visit this URL for more info:
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cfgnat.html#wp1042553
Figure 18-12 at the above URL is the same as your case.
We cannot use policy static NAT to translate different real addresses to the same mapped address.
Because the device (ASA) will get confused as to which real IP it has to divert the traffic to. That is the reason it is not allowing this type of config.
Thanks
Jithesh
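A small audit script for the rule explained in the reply above, added here as an example and not part of the thread: it parses pre-8.3 `static` port-redirection lines and reports any mapped address and port claimed by more than one real host. The function name, the grouping key and the third sample line are assumptions made for this example.

```python
import re
from collections import defaultdict

# Pre-8.3 ASA static PAT syntax:
#   static (real_if,mapped_if) {tcp|udp} mapped_ip mapped_port real_ip real_port [netmask ...]
STATIC_PAT = re.compile(
    r"^static\s+\((?P<real_if>[^,\s]+),(?P<mapped_if>[^)\s]+)\)\s+"
    r"(?P<proto>tcp|udp)\s+(?P<mapped_ip>\S+)\s+(?P<mapped_port>\S+)\s+"
    r"(?P<real_ip>\S+)\s+(?P<real_port>\S+)"
)

def find_conflicts(config_text):
    """Return {mapped key: [real targets]} for every mapped address/port
    that more than one distinct real host/port tries to claim."""
    targets = defaultdict(list)
    for line in config_text.splitlines():
        m = STATIC_PAT.match(line.strip())
        # Skip non-static lines and the policy form ("... access-list NAME"),
        # whose real addresses live in the ACL rather than on this line.
        if not m or m["real_ip"] == "access-list":
            continue
        # Assumed grouping key: what a client on the mapped interface connects to.
        key = (m["mapped_if"], m["proto"], m["mapped_ip"], m["mapped_port"])
        real = (m["real_ip"], m["real_port"])
        if real not in targets[key]:
            targets[key].append(real)
    return {k: v for k, v in targets.items() if len(v) > 1}

# First two lines are the statics from the question; the third is constructed
# for this example to show a mapping that does not collide.
SAMPLE_CONFIG = """\
static (inside,DMZ) tcp Web_DMZ 1515 Appli_Primary 1515 netmask 255.255.255.255
static (inside,DMZ) tcp Web_DMZ 1515 Appli_Backup 1515 netmask 255.255.255.255
static (inside,DMZ) tcp Web_DMZ 8080 Appli_Primary 8080 netmask 255.255.255.255
"""

if __name__ == "__main__":
    for (ifc, proto, ip, port), reals in find_conflicts(SAMPLE_CONFIG).items():
        print(f"{proto} {ip}:{port} on {ifc} is mapped to {len(reals)} real hosts:")
        for real_ip, real_port in reals:
            print(f"  {real_ip}:{real_port}")
```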
02-12-2009 07:57 PM
Dear Jithesh,
Thank you for your help!!! :)
So, does that mean that the ASA doesn't work for the requirement that I want, right? Is there any solution for this case?
Best Regards,
Rechard