PAT not compatible for multiple mappings??

ccannon88567 · ‎07-22-2009

Guy's, can any one shed some light on this please?

I am trying to replace a gnat box with a cisco PIX but it would appear that the Pix can not perform what the Gnat Box does.

We have PAT mapping multiple different external/translate ports to the same server on the same original port. Cisco will not allow this? Why?

I can understand you not being able to map the same translate ports to multiple original ports as the device would not know which statement to choose. However the other way round should work as this is what we have configured on the Gnat box device. In theory it should work too?

Any help would be immenseley appreciated on this as I'm know wondering whether the PIX is not up to the job for this type of advanced PAT work.

Statement that conflicts;

CISCLNFW1(config)# static (inside,dmz) tcp interface 8013 10.144.100.92 8002 n$

ERROR: duplicate of existing static

TCP inside:10.144.100.92/8002 to dmz:192.168.0.21/8000 netmask 255.255.255.255

Usage: [no] static [(real_ifc, mapped_ifc)]

{<mapped_ip>|interface}

{<real_ip> [netmask <mask>]} | {access-list <acl_name>}

[dns]

[[tcp] <max_conns> [<emb_lim> [<norandomseq> [nailed]]]]

[udp <max_conns>]

[no] static [(real_ifc, mapped_ifc)] {tcp|udp}

{<mapped_ip>|interface} <mapped_port>

{<real_ip> <real_port> [netmask <mask>]} |

{access-list <acl_name>}

[dns]

[[tcp] <max_conns> [<emb_lim> [<norandomseq> [nailed]]]]

[udp <max_conns>]

show running-config [all] static [<mapped_ip>]

clear configure static

nat-control

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

nat (dmz) 0 access-list dmz_nat0_outbound outside

static (inside,dmz) tcp interface 8000 10.144.100.92 8002 netmask 255.255.255.255

static (inside,dmz) tcp interface pop3 10.144.100.77 pop3 netmask 255.255.255.255

static (inside,dmz) tcp interface smtp 10.144.100.77 smtp netmask 255.255.255.255

static (inside,dmz) tcp interface 8001 10.144.100.74 8001 netmask 255.255.255.255

static (inside,dmz) tcp interface 5002 10.144.100.74 5002 netmask 255.255.255.255

static (inside,dmz) tcp interface 5007 10.144.100.74 5007 netmask 255.255.255.255

static (inside,dmz) tcp interface 5006 10.144.100.74 5006 netmask 255.255.255.255

static (inside,dmz) tcp interface 5005 10.144.100.74 5005 netmask 255.255.255.255

static (inside,dmz) tcp interface 5004 10.144.100.74 5004 netmask 255.255.255.255

static (inside,dmz) tcp interface 5001 10.144.100.74 5001 netmask 255.255.255.255

static (inside,dmz) tcp interface 5003 10.144.100.77 5003 netmask 255.255.255.255

static (inside,dmz) tcp interface 5000 10.144.100.74 5000 netmask 255.255.255.255

static (inside,dmz) tcp 192.168.0.10 9000 10.144.100.70 7000 netmask 255.255.255.255

static (dmz,outside) liswww2_ext 192.168.0.23 netmask 255.255.255.255

static (dmz,outside) interface dmzwww netmask 255.255.255.255

static (dmz,inside) 10.144.100.74 192.168.0.21 netmask 255.255.255.255

access-group outside_access_in in interface outside

access-group inside_access_in in interface inside

access-group dmz_access_in in interface dmz

andrew.prince · ‎07-22-2009

Err you are trying to input;-

static (inside,dmz) tcp interface 8013 10.144.100.92 8002

BUT you already have in your config:-

static (inside,dmz) tcp interface 8000 10.144.100.92 8002 netmask 255.255.255.255

AFAIK - you cannot have 2 statements that define a different source port - but have the same desintation port...I may be wrong.

HTH>

ccannon88567 · ‎07-22-2009

Andrew, it's something I have not seen before but it is definately in place on the existing solution.

Can anyone else please advise? Will an ASA perform this if not the PIX?

It is on an existing config of the gnat box, I'm shocked that Cisco PIX does not support this.

In theory it should work fine?

Help needed!

andrew.prince · ‎07-22-2009

I tried to out this in my lab pix 525 and ASA5510 and both devices returned the same error:-

pixfirewall(config)# static (inside,dmz) tcp interface 8013 10.144.100.92 8002$

ERROR: duplicate of existing static

TCP inside:10.144.100.92/8002 to dmz:192.168.0.254/8000 netmask 255.255.255.255

But when I added:-

pixfirewall(config)#

pixfirewall(config)# static (inside,dmz) tcp interface 8013 10.144.100.92 8003 netmask 255.255.255.255

pixfirewall(config)#

So I tried something differnet:-

static (inside,dmz) tcp interface 8000 10.144.100.77 pop3 netmask 255.255.255.255

and recevied the error:-

pixfirewall(config)# static (inside,dmz) tcp interface 8000 10.144.100.77 pop3$

ERROR: mapped-address conflict with existing static

TCP inside:10.144.100.92/8002 to dmz:192.168.0.254/8000 netmask 255.255.255.255

Conclusion - Multiple configs of tcp src/dst ports is not permitted - even to differenet backend servers.

HTH>

ccannon88567 · ‎07-23-2009

Andrew, thanks your help on on investigating this matter.

I have found a solution in the form of Policy NAT and thought that you would be interested.

Policy NAT enables you to map otherwise overlapping conflicts through normal statements (please note that it will not allow you to overlap "translated ports" only original to the same server as it would be impossible for the device to route the traffic).

Here's how;

access-list Policy_NAT_1 extended permit tcp host 10.0.0.1 eq 8000

access-list Policy_NAT_2 extended permit tcp host 10.0.0.1 eq 8000

static (inside,outside) tcp 62.62.62.1 8013 access-list Policy_NAT_1

static (inside,outside) tcp 62.62.62.1 8012 access-list Policy_NAT_2

Hey presto - 2 different ports mapped to the same inside server and to the same original port :-)

Just make sure that your ACL's have different names even though they state the same thing.

Carlton

andrew.prince · ‎07-23-2009

LOL!

I had found roughly the same thing, in a head scratching moment after my post on my first test lab!

5 pts for posting first.

ccannon88567 · ‎07-23-2009

Thanks Andrew!

5 pts for effort - setting up a lab to help me out of a tricky situation! :-)