How to configure static NAT / static PAT command in the PIX, ASA and FWSM

Jul 16, 2014 3:21 PM
Jun 18th, 2009

Core issue

This document contains the PIX / ASA / Firewall Services Module (FWSM) configuration for static translation.

Resolution

The static command configuration is similar for the PIX Firewall, ASA and FWSM.

The static NAT command creates a fixed translation of the real address to the mapped address. Use it to assign a single public IP address to a single local IP address.

Static NAT Example:

hostname(config)# static (inside,outside) 192.168.201.12 10.1.1.3 netmask 255.255.255.255

This command maps an inside IP address (10.1.1.3) to an outside IP address (192.168.201.12).

The static PAT command can also be used to map a single port on the public IP address to a single port on the local IP address.

Static PAT Example:

In order to redirect Telnet traffic from the outside interface (10.1.2.14) to the inside host at 10.1.1.15, enter this command:

hostname(config)# static (inside,outside) tcp 10.1.2.14 telnet 10.1.1.15 telnet netmask 255.255.255.255

The static PAT command is the same as static NAT, except it allows for the specification of the Transmission Control Protocol (TCP) or the User Datagram Protocol (UDP) and the port for the real and mapped addresses.

The static PAT feature can identify the same mapped address across many different static statements, so long as the port is different for each statement.

Note: You cannot use the same real or mapped address in multiple static commands between the same two interfaces. Do not use a mapped address in the static command that is also defined in a global command for the same mapped interface.
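A lint check for the overlap rules in the last two paragraphs, as an added example that is not part of the original Cisco document. It assumes the note applies to static NAT statements while static PAT statements only need a unique protocol, mapped address and mapped port; the function names, the partial port keyword map and sample lines 3 to 5 are constructed for illustration.

```python
import re
from collections import namedtuple

Static = namedtuple("Static", "line ifaces proto mapped_ip mapped_port real_ip real_port")

# static (real_if,mapped_if) [tcp|udp] mapped_ip [mapped_port] real_ip [real_port] netmask mask
STATIC_RE = re.compile(
    r"static\s+\(\s*([\w-]+)\s*,\s*([\w-]+)\s*\)\s+"
    r"(?:(tcp|udp)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)|(\S+)\s+(\S+))\s+netmask\s+\S+",
    re.I)
PORT_NAMES = {"www": "80", "https": "443", "telnet": "23"}  # partial keyword map (assumption)

# Constructed sample: lines 1-2 are the page's examples, lines 3-5 are made up.
SAMPLE = """\
static (inside,outside) 192.168.201.12 10.1.1.3 netmask 255.255.255.255
static (inside,outside) tcp 10.1.2.14 telnet 10.1.1.15 telnet netmask 255.255.255.255
static (inside,outside) tcp 10.1.2.14 www 10.1.1.15 www netmask 255.255.255.255
static (inside,outside) tcp 10.1.2.14 80 10.1.1.16 8080 netmask 255.255.255.255
static (inside,outside) 192.168.201.13 10.1.1.3 netmask 255.255.255.255
"""

def port(name):
    """Normalise a port keyword to its number so 'www' and '80' compare equal."""
    return PORT_NAMES.get(name.lower(), name)

def parse_statics(text):
    """Return a Static record for every static NAT/PAT line found in the text."""
    out = []
    for n, raw in enumerate(text.splitlines(), 1):
        m = STATIC_RE.search(raw)
        if m and m.group(3):    # static PAT: protocol and ports present
            out.append(Static(n, (m.group(1), m.group(2)), m.group(3).lower(), *m.group(4, 5, 6, 7)))
        elif m:                 # static NAT: addresses only
            out.append(Static(n, (m.group(1), m.group(2)), None, m.group(8), None, m.group(9), None))
    return out

def find_conflicts(statics):
    """Return (line_a, line_b, reason) for statements that collide on one interface pair."""
    issues = []
    for i, a in enumerate(statics):
        for b in statics[i + 1:]:
            if a.ifaces != b.ifaces:
                continue
            if a.proto and b.proto:  # both PAT: mapped protocol/address/port must be unique
                if (a.proto, a.mapped_ip, port(a.mapped_port)) == (b.proto, b.mapped_ip, port(b.mapped_port)):
                    issues.append((a.line, b.line, "duplicate mapped address and port"))
            elif a.mapped_ip == b.mapped_ip:
                issues.append((a.line, b.line, "mapped address reused"))
            elif a.real_ip == b.real_ip:
                issues.append((a.line, b.line, "real address reused"))
    return issues
```

Running `find_conflicts(parse_statics(SAMPLE))` reports lines 1 and 5 (same real address in two static NAT statements) and lines 3 and 4 (`www` and `80` are the same mapped port).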

VoIPDoug72 Wed, 07/16/2014 - 15:21

So what do you do in situations where you need to do a static NAT of an outside IP to the same inside IP and offer PAT, for example?

hostname(config)# static (inside,outside) tcp 10.1.2.14 443 10.1.1.15 10004 netmask 255.255.255.255

hostname(config)# static (inside,outside) tcp 10.1.2.14 www 10.1.1.15 www netmask 255.255.255.255

In this situation I've a need to translate https externally to 10004 and keep port 80 the same inside/outside. I'm running both services on the same box and the DNS externally maps to the same outside IP Address.
