cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
629
Views
0
Helpful
2
Replies

Static Policy NAT Rule problem

bgl-group
Level 1
Level 1

I'm trying to create a NAT rule that exists on our decommissioned Watchguard firewall but which I can't seem to create on the new Cisco ASA. The rule is as follows:

           Internal IP Add  Port     NAT Address       Destination IP Add           Port

Rule1: 192.168.10.13   13001  195.216.165.243  161.20.1.1 to 161.20.2.1   12001

Rule2: 192.168.10.13   14002  195.216.165.243  171.10.3.1 to 171.10.5.1   12001

RULE-1 Static Policy NAT Rule:

Original

Interface: DMZ

Source Address: 192.168.10.13

Destination Address: 161.20.1.1 to 161.20.2.1 (RULE1_OG object group for clarity)

Translated

Interface: External

Use IP Address: 195.216.165.243

Port Address Translation

Original Port: 13001

Translated Port: 12001

RULE-2 Static Policy NAT Rule:

Original

Interface: DMZ

Source Address: 192.168.10.13

Destination Address: 171.10.3.1 to 171.10.5.1 (RULE1_OG object group for clarity)

Translated

Interface: External

Use IP Address: 195.216.165.243

Port Address Translation

Original Port: 14002

Translated Port: 12001

I thought i could use a Static Policy NAT Rule in ASDM. I can create RULE-1 ok, but when i create RULE-2, it overlaps with RULE-1 and while it does add it into the configuration(with warnings) when i test the rules the ASA always translates the ports as per Rule-1 whether destination address is RULE1_OG or RULE2_OG.

Does anyone have any idea how I can do this?

2 Replies 2

stuart
Level 1
Level 1

What you need is Static PAT. Take a look at the Cmd ref for the ASA.

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/s8.html#wp1414075

This allows you to use the same mapped (translated) address for multiple statics statements.

The problem I see here in your example and might be why your getting an overlap error, is the translated port in PAT must always be unique.

Also bear in mind that if the translated address is the address of you external interface then you need to use the 'Interface' keyword instead of the ip.

If you are still having an issue let me know and i'll see if I can put the cli config together for you to test.

Stu

Hi,

Is interesting because if I apply the same concept via CLI:

access-list test1 permit tcp host 192.168.10.13 eq 13001 object-group RULE1_OG eq 12001
static (inside,outside) tcp 195.216.165.243 12001 access-list test1 13001

access-list test2 permit tcp host 192.168.10.13 eq 14002 object-group RULE1_OG eq 12001
static (inside,outside) tcp 195.216.165.243 12001 access-list test1 13001

With the Object Groups defined... I get the same overlapping error...

I think that because you're mapping statically the same source IP to the same NATed IP using the same destination port that's where you get the error.

Federico.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: