PAT not compatible for multiple mappings??

Unanswered Question
Jul 22nd, 2009

Guys, can anyone shed some light on this please?

I am trying to replace a GNAT Box with a Cisco PIX, but it would appear that the PIX cannot perform what the GNAT Box does.

We have PAT mapping multiple different external/translated ports to the same server on the same original port. Cisco will not allow this? Why?

I can understand not being able to map the same translated port to multiple original ports, as the device would not know which statement to choose. However, the other way round should work, as this is what we have configured on the GNAT Box device. In theory it should work too?

Any help would be immensely appreciated on this, as I'm now wondering whether the PIX is not up to the job for this type of advanced PAT work.

Statement that conflicts:

CISCLNFW1(config)# static (inside,dmz) tcp interface 8013 8002 n$

ERROR: duplicate of existing static

TCP inside: to dmz: netmask

Usage: [no] static [(real_ifc, mapped_ifc)]
{<real_ip> [netmask <mask>]} | {access-list <acl_name>}
[udp <max_conns>]
[no] static [(real_ifc, mapped_ifc)] {tcp|udp}
{<mapped_ip>|interface} <mapped_port>
{<real_ip> <real_port> [netmask <mask>]} |
{access-list <acl_name>}
[udp <max_conns>]
show running-config [all] static [<mapped_ip>]
clear configure static


global (outside) 1 interface

nat (inside) 1

nat (dmz) 0 access-list dmz_nat0_outbound outside

static (inside,dmz) tcp interface 8000 8002 netmask

static (inside,dmz) tcp interface pop3 pop3 netmask

static (inside,dmz) tcp interface smtp smtp netmask

static (inside,dmz) tcp interface 8001 8001 netmask

static (inside,dmz) tcp interface 5002 5002 netmask

static (inside,dmz) tcp interface 5007 5007 netmask

static (inside,dmz) tcp interface 5006 5006 netmask

static (inside,dmz) tcp interface 5005 5005 netmask

static (inside,dmz) tcp interface 5004 5004 netmask

static (inside,dmz) tcp interface 5001 5001 netmask

static (inside,dmz) tcp interface 5003 5003 netmask

static (inside,dmz) tcp interface 5000 5000 netmask

static (inside,dmz) tcp 9000 7000 netmask

static (dmz,outside) liswww2_ext netmask

static (dmz,outside) interface dmzwww netmask

static (dmz,inside) netmask

access-group outside_access_in in interface outside

access-group inside_access_in in interface inside

access-group dmz_access_in in interface dmz


Err, you are trying to input:

static (inside,dmz) tcp interface 8013 8002

BUT you already have in your config:

static (inside,dmz) tcp interface 8000 8002 netmask

AFAIK you cannot have two statements that define a different source port but have the same destination port... I may be wrong.


ccannon88567 Wed, 07/22/2009 - 04:47

Andrew, it's something I have not seen before, but it is definitely in place on the existing solution.

Can anyone else please advise? Will an ASA perform this if not the PIX?

It is on the existing config of the GNAT Box; I'm shocked that the Cisco PIX does not support this.

In theory it should work fine?

Help needed!

I tried to put this in my lab PIX 525 and ASA 5510, and both devices returned the same error:

pixfirewall(config)# static (inside,dmz) tcp interface 8013 8002$

ERROR: duplicate of existing static

TCP inside: to dmz: netmask

But when I added:


pixfirewall(config)# static (inside,dmz) tcp interface 8013 8003 netmask


So I tried something different:

static (inside,dmz) tcp interface 8000 pop3 netmask

and received the error:

pixfirewall(config)# static (inside,dmz) tcp interface 8000 pop3$

ERROR: mapped-address conflict with existing static

TCP inside: to dmz: netmask

Conclusion - multiple configs of TCP src/dst ports are not permitted, even to different backend servers.


ccannon88567 Thu, 07/23/2009 - 07:52

Andrew, thanks for your help on investigating this matter.

I have found a solution in the form of Policy NAT and thought that you would be interested.

Policy NAT enables you to map otherwise overlapping conflicts through normal statements (please note that it will not allow you to overlap "translated ports", only original ports to the same server, as it would be impossible for the device to route the traffic).

Here's how:

access-list Policy_NAT_1 extended permit tcp host eq 8000

access-list Policy_NAT_2 extended permit tcp host eq 8000

static (inside,outside) tcp 8013 access-list Policy_NAT_1

static (inside,outside) tcp 8012 access-list Policy_NAT_2

Hey presto - 2 different ports mapped to the same inside server and to the same original port :-)

Just make sure that your ACLs have different names even though they state the same thing.
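The conflict rule Andrew worked out in his lab and the policy NAT workaround above can be checked offline with the script below. It is an added example written for this page, not anything posted in the thread or shipped by Cisco: it parses `static` and `access-list` lines in the PIX 7.x syntax shown above, replays them in configuration order, and reports the two errors the firewall printed ("duplicate of existing static" when a plain static publishes a real ip:port that is already published, "mapped-address conflict with existing static" when the mapped ip:port is already taken), while letting two access-list-based statics share one real ip:port. The rules themselves, the assumed wording of the error for an access-list reused by a second static, and the sample configuration with host 10.1.1.10 are inferred from the thread and are assumptions, not Cisco documentation.

```python
"""Static-PAT conflict checker modelled on the PIX/ASA behaviour described in this thread.

The rules are inferred from the two error messages quoted above and from the policy NAT
workaround that the firewall accepted; they are assumptions, not Cisco documentation.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Service keywords the thread's config uses in place of numeric ports.
SERVICE_PORTS = {"pop3": 110, "smtp": 25, "www": 80, "https": 443}

# static (real_ifc,mapped_ifc) tcp {mapped_ip|interface} mapped_port real_ip real_port [netmask mask]
PLAIN = re.compile(
    r"^static \((\w+),(\w+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+)(?: netmask \S+)?$")
# static (real_ifc,mapped_ifc) tcp {mapped_ip|interface} mapped_port access-list name
POLICY = re.compile(
    r"^static \((\w+),(\w+)\) (tcp|udp) (\S+) (\S+) access-list (\S+)$")
# access-list name extended permit tcp host real_ip eq real_port ...
ACL = re.compile(
    r"^access-list (\S+) extended permit (tcp|udp) host (\S+) eq (\S+)(?: .*)?$")


def port_number(token: str) -> int:
    """Accept a numeric port or one of the service keywords above."""
    if token.isdigit():
        return int(token)
    if token not in SERVICE_PORTS:
        raise ValueError(f"unknown port keyword {token!r}")
    return SERVICE_PORTS[token]


@dataclass(frozen=True)
class StaticPat:
    ifcs: Tuple[str, str]      # (real_ifc, mapped_ifc)
    proto: str
    mapped: Tuple[str, int]    # (mapped_ip or "interface", mapped_port)
    real: Tuple[str, int]      # (real_ip, real_port); taken from the ACL for a policy static
    acl: Optional[str] = None  # set only for a policy static


class StaticTable:
    """Replays access-list and static lines in order, as the CLI would accept them."""

    def __init__(self) -> None:
        self.acls: Dict[str, Tuple[str, int]] = {}
        self.entries: List[StaticPat] = []

    def add(self, line: str) -> Optional[str]:
        """Return None if the line is accepted, otherwise the error the firewall would print."""
        line = line.strip()
        m = ACL.match(line)
        if m:
            name, _proto, host, port = m.groups()
            self.acls[name] = (host, port_number(port))
            return None
        m = POLICY.match(line)
        if m:
            real_ifc, mapped_ifc, proto, mip, mport, acl = m.groups()
            if acl not in self.acls:
                return f"ERROR: access-list {acl} does not exist"  # assumed wording
            new = StaticPat((real_ifc, mapped_ifc), proto,
                            (mip, port_number(mport)), self.acls[acl], acl)
        else:
            m = PLAIN.match(line)
            if not m:
                raise ValueError(f"unrecognised line: {line!r}")
            real_ifc, mapped_ifc, proto, mip, mport, rip, rport = m.groups()
            new = StaticPat((real_ifc, mapped_ifc), proto,
                            (mip, port_number(mport)), (rip, port_number(rport)))
        err = self._conflict(new)
        if err is None:
            self.entries.append(new)
        return err

    def _conflict(self, new: StaticPat) -> Optional[str]:
        # Assumption: the first conflicting entry in configuration order decides the message.
        for old in self.entries:
            if (old.ifcs, old.proto) != (new.ifcs, new.proto):
                continue
            if old.mapped == new.mapped:
                # One mapped ip:port cannot be translated two ways; the box could not route it.
                return "ERROR: mapped-address conflict with existing static"
            if old.acl is None and new.acl is None and old.real == new.real:
                # Plain static PAT publishes a given real ip:port once only.
                return "ERROR: duplicate of existing static"
            if new.acl is not None and old.acl == new.acl:
                # The thread's advice: each policy static needs its own ACL name (assumed wording).
                return f"ERROR: access-list {new.acl} already used by an existing static"
        return None


def replay(lines: List[str]) -> List[Optional[str]]:
    """Feed every line to a fresh table and return the per-line verdicts."""
    table = StaticTable()
    return [table.add(line) for line in lines]


# Constructed sample; host 10.1.1.10 stands in for the addresses stripped from the thread.
SAMPLE_CONFIG = [
    "static (inside,dmz) tcp interface 8000 10.1.1.10 8002 netmask 255.255.255.255",
    "static (inside,dmz) tcp interface pop3 10.1.1.10 pop3 netmask 255.255.255.255",
    "static (inside,dmz) tcp interface 8013 10.1.1.10 8002 netmask 255.255.255.255",  # 8002 again
    "static (inside,dmz) tcp interface 8013 10.1.1.10 8003 netmask 255.255.255.255",  # new real port
    "static (inside,dmz) tcp interface 8000 10.1.1.10 pop3 netmask 255.255.255.255",  # 8000 taken
    "access-list Policy_NAT_1 extended permit tcp host 10.1.1.10 eq 8000 any",
    "access-list Policy_NAT_2 extended permit tcp host 10.1.1.10 eq 8000 any",
    "static (inside,outside) tcp interface 8013 access-list Policy_NAT_1",
    "static (inside,outside) tcp interface 8012 access-list Policy_NAT_2",
    "static (inside,outside) tcp interface 8011 access-list Policy_NAT_2",  # ACL name reused
]

if __name__ == "__main__":
    for line, verdict in zip(SAMPLE_CONFIG, replay(SAMPLE_CONFIG)):
        print(f"{line}\n    -> {verdict or 'OK'}")
```

Running it prints each line with OK or the error it would draw. The third and fifth plain statics reproduce the two errors from the thread, while the two policy statics are both accepted even though each resolves to 10.1.1.10 port 8000, which is the mapping the original poster needed.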


ccannon88567 Thu, 07/23/2009 - 12:52

Thanks Andrew!

5 pts for effort - setting up a lab to help me out of a tricky situation! :-)

