
ASA 5510: U-Turn\Hairpinning

Hi,

I have an ASA configured to make 1:1 NAT translations to inside servers.

The problem is that when I try access that servers from inside LAN using their Public IPs I got timeout.

I made some research and it looks like I need to make some adjustments to make "hairpinning" happen.

Here is my config for NAT section (related to hairpinning):

nat (inside) 101 10.1.0.0 255.255.255.0
static (inside,outside) x.x.x.81 10.1.0.14 netmask 255.255.255.255
static (inside,inside) x.x.x.81 10.1.0.14 netmask 255.255.255.255

But somehow this configuration is not working. x.x.x.81 is not a physical address

of Outside interface, this is just a "secondary" IP from a big block.

Any suggestions?

Thanks in advance.


11 Replies

Jennifer Halim (Cisco Employee)

You also need to configure the following:

same-security-traffic permit intra-interface

global (inside) 101 interface

Please also make sure that "no sysopt noproxyarp inside" is configured, and if you have ACL applied to your inside interface, you would also need to allow that traffic.

Hope that helps.

Hi,

Thanks for your reply.

> You also need to configure the following:

> same-security-traffic permit intra-interface

> global (inside) 101 interface

> no sysopt noproxyarp inside

These settings were already configured.

Inside interface has an incoming access list with "permit any any" statement only.

I receive the following error when I try to access server using public IP from inside host:

portmap translation creation failed for tcp src inside:10.1.0.12/49340 dst inside:x.x.x.81/24

Is there anything else which might be double checked? Thanks.

Hello Sergey,

The problem is NAT, and it seems like there is something wrong with the global inside, can you double check it? Also, would you please paste the sh run static, sh run nat and sh run global?

Thanks

Mike

Hi Maykol,

I have three interfaces:

Outside (with public IP (x.x.x.70) directly assigned to the interface and two more secondary public IPs (x.x.x.80 and x.x.x.80) used in static NAT configuration).

Inside interface with 10.1.0.0/24 addressing and couple of servers using port and static NAT translations.

Inside2 interface with 172.22.15.0/24 addressing - separate subnet with one inside server configured for static NAT.

Here is a part of NAT section currently in place on the device:

global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 10.1.0.0 255.255.255.0
nat (inside2) 101 172.22.15.0 255.255.255.0

static (inside,outside) tcp interface www Server1 www netmask 255.255.255.255
static (inside,outside) tcp interface imap4 Server1 imap4 netmask 255.255.255.255
static (inside,outside) tcp interface pop3 Server1 pop3 netmask 255.255.255.255
static (inside,outside) tcp interface smtp CiscoBlocker smtp netmask 255.255.255.255
static (inside,outside) tcp interface https Server1 https netmask 255.255.255.255
static (inside,outside) tcp interface 3389 Server1 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 63389 Netmon_10.1.0.12 3389 netmask 255.255.255.255
static (inside2,outside) x.x.x.80 172.22.15.7 netmask 255.255.255.255
static (inside,outside) x.x.x.81 10.1.0.14 netmask 255.255.255.255
static (inside,inside) x.x.x.81 10.1.0.14 netmask 255.255.255.255

"Show run static" output:

static (inside,outside) tcp interface www Server1 www netmask 255.255.255.255
static (inside,outside) tcp interface imap4 Server1 imap4 netmask 255.255.255.255
static (inside,outside) tcp interface pop3 Server1 pop3 netmask 255.255.255.255
static (inside,outside) tcp interface smtp CiscoBlocker smtp netmask 255.255.255.255
static (inside,outside) tcp interface https Server1 https netmask 255.255.255.255
static (inside,outside) tcp interface 3389 Server1 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 63389 Netmon_10.1.0.12 3389 netmask 255.255.255.255
static (inside2,outside) x.x.x.80 172.22.15.7 netmask 255.255.255.255
static (inside,outside) x.x.x.81 10.1.0.14 netmask 255.255.255.255
static (inside,inside) x.x.x.81 10.1.0.14 netmask 255.255.255.255

"Show run nat" output:

nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 10.1.0.0 255.255.255.0
nat (inside2) 101 172.22.15.0 255.255.255.0

"Show run global" output:

global (outside) 101 interface

Any suggestions\recommendations are highly appreciated.

Thanks in advance.

Hello Sergey,

You kindly attached the sh run global; it is necessary to have the entry global (inside) 101 interface, otherwise you are going to have the error messages regarding the port map translation creation failed.

Hope it helps.

Mike

Hi Mike,

Sorry, I totally lost the global (inside) 101 interface command, which was indicated in the official hairpinning guide I used as a reference.

I finally got the server on "inside" interface working from "inside" LAN via public IP. Thanks a lot!

But I have another goal I need to achieve. Hope you would be able to help with this as well.

Currently, the NAT section looks like this:

global (outside) 101 interface
global (inside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 10.1.0.0 255.255.255.0
nat (inside2) 101 172.22.15.0 255.255.255.0
static (inside,outside) tcp interface www Server1 www netmask 255.255.255.255
static (inside,outside) tcp interface imap4 Server1 imap4 netmask 255.255.255.255
static (inside,outside) tcp interface pop3 Server1 pop3 netmask 255.255.255.255
static (inside,outside) tcp interface smtp CiscoBlocker smtp netmask 255.255.255.255
static (inside,outside) tcp interface https Server1 https netmask 255.255.255.255
static (inside,outside) tcp interface 3389 Server1 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 63389 Netmon_10.1.0.12 3389 netmask 255.255.255.255
static (inside2,outside) x.x.x.80 172.22.15.7 netmask 255.255.255.255
static (inside,outside) x.x.x.81 10.1.0.14 netmask 255.255.255.255
static (inside,inside) x.x.x.81 10.1.0.14 netmask 255.255.255.255

My target is to have two servers with static NAT configured for both (10.1.0.14=x.x.x.81 and 172.22.15.7=x.x.x.80) be able to communicate with each other and between inside\inside2 subnets using public addressing (they are smtp servers and MX records for domains they manage point to public IPs, not to private ones).

I tried to implement the following adjustment to NAT config (similar to what has been done to "inside" interface):


global (inside2) 101 interface

static (inside2,inside2) x.x.x.80 172.22.15.7 netmask 255.255.255.255
static (inside2,inside) x.x.x.80 172.22.15.7 netmask 255.255.255.255

static (inside,inside2) x.x.x.81 10.1.0.14 netmask 255.255.255.255

I've got successful result accessing the x.x.x.80 (which is physically on "inside2" interface) from some "inside" LAN host, but got zero result accessing this server from 10.1.0.14 server itself (which is vital).

Could you please point me what I've done wrong this time? Do I need to use different NAT IDs in this design?

Thanks in advance.

I almost lost hope. Any suggestions? Thanks.

Having

static (inside2,inside2) x.x.x.80 172.22.15.7 netmask 255.255.255.255
static (inside2,inside) x.x.x.80 172.22.15.7 netmask 255.255.255.255

will hairpin 172.22.15.7 behind the inside2 and also translate him on the inside.

So, these static should work for inside2 and inside hosts trying to reach x.x.x.80.

Note that if an inside2 host talks to him, the return traffic will not hit the ASA, which could cause stateful inspection issues since the ASA will not be seeing the return traffic. And in that case you might need tcp state bypass for that flow.

Which of the two is not working, inside to inside2? Or inside2 to inside2?

Can you run a packet tracer for the flow that is not working?

PK
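The pieces discussed across the replies above (intra-interface permission, the per-interface global PAT pools, the mirrored static translations, proxy ARP) pulled together into one pre-8.3 ASA hairpin configuration, with the packet-tracer check PK asks for. This is an added example, not a configuration anyone posted in the thread; the port-forward statics for Server1 are left out, and x.x.x.80 / x.x.x.81 are the thread's own placeholder public addresses.

```cisco
! Added example (not from the thread). Hairpin NAT for two mail servers that
! must reach each other by public address across inside and inside2.
!
! Let a packet leave through the interface it arrived on (same-interface hairpin)
same-security-traffic permit intra-interface
!
! Dynamic PAT pool 101 on every interface a hairpinned flow can exit through.
! global (inside)/(inside2) translate the internal source to the ASA's own
! interface address, so the server's reply is forced back through the ASA.
! Without them the ASA has no source translation for the hairpinned flow and
! logs "portmap translation creation failed" (the symptom seen above).
global (outside) 101 interface
global (inside) 101 interface
global (inside2) 101 interface
nat (inside) 101 10.1.0.0 255.255.255.0
nat (inside2) 101 172.22.15.0 255.255.255.0
!
! 10.1.0.14 answers as x.x.x.81 from the Internet, from its own subnet and from inside2
static (inside,outside) x.x.x.81 10.1.0.14 netmask 255.255.255.255
static (inside,inside)  x.x.x.81 10.1.0.14 netmask 255.255.255.255
static (inside,inside2) x.x.x.81 10.1.0.14 netmask 255.255.255.255
!
! 172.22.15.7 answers as x.x.x.80 from the same three directions
static (inside2,outside) x.x.x.80 172.22.15.7 netmask 255.255.255.255
static (inside2,inside2) x.x.x.80 172.22.15.7 netmask 255.255.255.255
static (inside2,inside)  x.x.x.80 172.22.15.7 netmask 255.255.255.255
!
! The ASA must answer ARP for the public addresses on the internal segments,
! otherwise the hairpinned packet never reaches the firewall
no sysopt noproxyarp inside
no sysopt noproxyarp inside2
!
! Verification: simulate the SMTP flow between the two mail servers by public
! address in both directions. Each phase (NAT, intra-interface, ACL) should
! report ALLOW and the trace should finish with "Action: allow"; a drop in the
! NAT phase points back at a missing global or static line above.
packet-tracer input inside tcp 10.1.0.14 1025 x.x.x.80 25
packet-tracer input inside2 tcp 172.22.15.7 1025 x.x.x.81 25
```

Because the source is PAT'd to the ASA's interface address, the server's reply does return through the firewall and the TCP state bypass PK mentions is only needed if that source translation is deliberately left out.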

Just cleared and reconfigured everything back. Maybe it was a mistype somewhere.

Now everything is working as needed. Thanks a lot to everyone who participated in this discussion.

Glad it worked...

PK
