
ASA 5510 NAT issue

Kilgore8086
Level 1

Hi,

We're in the process of transitioning our Exchange server and have everything set up and working.

I've changed the IP address on the ASA to the new server, just changed the 3 rules which were already in place, but got an error on the 2 NAT object rules saying there was an overlap between the external interface.

I've tried a restore to before I made the changes but it doesn't correct anything. I can see these in the original config but they aren't in the new one.

object network ExchHTTP
 nat (Internal_Interface,External_interface) static interface service tcp www www
object network ExchSMTP
 nat (Internal_Interface,External_interface) static interface service tcp smtp smtp

Everything else in the config is the same, but when I try to add these (via the GUI because I'm a Cisco noob) I get an overlap error.

Why is the restore not adding them or how can I manually add them?

Thanks in advance

Accepted Solutions

Jouni Forss
VIP Alumni
VIP Alumni

Hi,

You mention that you are migrating/transitioning to a new server and that you are creating NAT rules for the new Exchange server? You also mention that you get an error message of overlap with the NAT rules.

The above would seem to me to suggest that you still have similar Static PAT (Port Forward) configurations perhaps for the original server from which you are migrating/transitioning?

If this is true then naturally you can only have Static PAT configured for WWW and SMTP for one of those servers if you are planning to use the "External_interface" IP address as specified in the "nat" command with the "interface" parameter.

To confirm this you could take the CLI format output of the command

show run nat

You can do this through the ASDM GUI also. Just go to Tools -> Command Line Interface -> Enter the above command -> Send it to the device -> Copy/Paste the output here (except any possible public IP address information, replace those with something else)

- Jouni
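
The overlap described in the answer above can be checked offline before a change is sent to the device. The following is an added example, not part of the original thread and not Cisco code: it parses object NAT lines in the `show run nat` style and reports static PAT rules that claim the same mapped interface, protocol and port. The sample config is constructed, and the object names OldExchHTTP and NewExchHTTP are hypothetical; it assumes the simple `static ... service` form shown in the question.

```python
import re
from collections import defaultdict

# Constructed sample in the style of "show run nat" output plus a planned rule.
# OldExchHTTP/NewExchHTTP are hypothetical names; interface names are from the thread.
SAMPLE = """\
object network OldExchHTTP
 nat (Internal_Interface,External_interface) static interface service tcp www www
object network NewExchHTTP
 nat (Internal_Interface,External_interface) static interface service tcp www www
object network ExchSMTP
 nat (Internal_Interface,External_interface) static interface service tcp smtp smtp
"""

# Object NAT static PAT: nat (real_if,mapped_if) static <mapped> service <proto> <real_port> <mapped_port>
NAT_RE = re.compile(
    r"^\s*nat \((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\) static (?P<mapped>\S+)"
    r" service (?P<proto>tcp|udp) (?P<real_port>\S+) (?P<mapped_port>\S+)\s*$"
)

def parse_static_pat(config):
    """Return (object_name, mapped_if, mapped_addr, proto, mapped_port) per static PAT line."""
    rules, current = [], None
    for line in config.splitlines():
        if line.startswith("object network "):
            current = line.split()[2]
            continue
        m = NAT_RE.match(line)
        if m and current:
            rules.append((current, m["mapped_if"], m["mapped"], m["proto"], m["mapped_port"]))
    return rules

def find_overlaps(config):
    """Group objects that claim the same mapped interface/address/protocol/port."""
    claims = defaultdict(list)
    for name, mapped_if, mapped, proto, port in parse_static_pat(config):
        claims[(mapped_if, mapped, proto, port)].append(name)
    return {key: names for key, names in claims.items() if len(names) > 1}

if __name__ == "__main__":
    for (mapped_if, mapped, proto, port), names in find_overlaps(SAMPLE).items():
        print(f"overlap on {mapped_if} {mapped} {proto}/{port}: {', '.join(names)}")
```

Any object reported here has to be removed or repointed before the new rule will be accepted, since only one server can own a given port on the interface address.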

Hi,

Thanks for the reply, I've managed to sort it.

I wasn't trying to add more rules, just change the existing ones, and before I'd done it I received the error message.

I've created the NAT again pointing to the new server from the command line and it's all working. Still not sure why it wouldn't let me do it through the GUI but doesn't matter now as it's working.

Thanks

Hi,

Unless you have already enabled the setting on the ASDM GUI I would suggest you go to

Tools -> Preferences -> Check the box - Preview commands before sending them to the device

This will have the ASDM GUI show you the CLI format of the configuration that you are about to enter to the device before you do it.

I am also not sure what the problem has been. Good to hear that it's sorted now though.

- Jouni
