New Member

ASA 8.2 NAT

Hi,

I need to translate a single internal private IP address to two different public IP addresses. Below is the configuration:

static (inside,outside) tcp 1.2.3.4 443 10.1.1.1 4443 netmask 255.255.255.255

static (inside,outside) 2.3.4.5 10.1.1.1 netmask 255.255.255.255

The first static NAT is more specific and the later one is more generic. Can anyone please advise if this is going to work? When outside users access the NATted IP 1.2.3.4 on port 443 they should be redirected to port 4443; for any other ports coming from IP address 2.3.4.5 they should go to the same internal real server.

All IP addresses are imaginary.

Please advise whether this concept would work or not.

5 REPLIES


Hi,

 

There shouldn't be any overlapping rules in place. But let me do a small lab and confirm this for you...

 

Regards

Karthik

New Member


 

It worked with a warning. In the running configuration I could see both static NAT entries, hence this setup would work. However, I am not sure what the impact of the warning is.

 

Warning:
WARNING: real-address conflict with existing static


Hi,

 

It's just a warning. We are defining the real address in two static NAT statements, but with a different mapped IP address, one with port-forwarding and one with 1-1 static NAT, so the conflict is displayed as an error. This warning message wouldn't impact anything for your scenario.

 

Regards

Karthik
 

New Member


Thanks Karthik for your response!


Hi,

Glad to say it works!!!!

pixfirewall(config)# static (inside,outside) tcp interface 22 192.168.1.10 23

!

pixfirewall(config)# static (inside,outside) 1.1.1.2 192.168.1.10 netmask 255.$
WARNING: real-address conflict with existing static
  TCP inside:192.168.1.10/23 to outside:1.1.1.1/22 netmask 255.255.255.255


!

 

But it takes both.

 

 

interface Ethernet0
 nameif outside
 security-level 0
 ip address 1.1.1.1 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!

access-list crypto extended permit ip site1 255.255.255.0 site2 255.255.255.0
access-list crypto extended permit ip any any
access-list inbound extended permit ip any any


!

static (inside,outside) tcp interface ssh 192.168.1.10 telnet netmask 255.255.255.255
static (inside,outside) 1.1.1.2 192.168.1.10 netmask 255.255.255.255
access-group inbound in interface outside
access-group crypto in interface inside


!

 

Telnet from R1 using port 22:

R1#telnet 1.1.1.1 22
Trying 1.1.1.1, 22 ... Open


User Access Verification

Username:

Password:

R2>


Telnet from R1 using the generic IP:

R1#telnet 1.1.1.2
Trying 1.1.1.2 ... Open


User Access Verification

Username: test
Password:

R2>

 

 

pixfirewall# sh nat

NAT policies on Interface inside:
  match tcp inside host 192.168.1.10 eq 23 outside any
    static translation to 1.1.1.1/22
    translate_hits = 0, untranslate_hits = 3
  match ip inside host 192.168.1.10 outside any
    static translation to 1.1.1.2
    translate_hits = 0, untranslate_hits = 2
pixfirewall# sh xla
pixfirewall# sh xlate
2 in use, 2 most used
PAT Global 1.1.1.1(22) Local 192.168.1.10(23)
Global 1.1.1.2 Local 192.168.1.10
pixfirewall#

 

So it works for the first (port-forwarding) static only if the request comes in on the specific port. If you telnet without that port it will not go through. If you access through the second IP, it will give you access on any port.

 

Bingo!!!

Regards

Karthik
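To make the lab result above easier to reason about, here is a small Python model of how the two statics are matched for inbound (untranslate) traffic. This is an added example written for this thread, not Cisco code or ASA output; the matching rules are assumptions taken from the behaviour in the sh nat / sh xlate output: entries are checked in configuration order, a port static matches on protocol, mapped address and mapped port and rewrites the port, and a 1:1 static matches on the mapped address alone and keeps the port. The outside interface address 1.1.1.1 standing in for the interface keyword and the addresses themselves are constructed from the lab.

```python
"""Model of ASA 8.2 static NAT untranslate matching for the lab above.

Added example, not Cisco code. The matching rules below are assumptions
drawn from the lab output in this thread.
"""

from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed value standing in for the 'interface' keyword (outside address in the lab).
OUTSIDE_IF_IP = "1.1.1.1"


@dataclass
class StaticEntry:
    mapped_ip: str
    real_ip: str
    proto: Optional[str] = None        # "tcp"/"udp" for a port static, None for 1:1
    mapped_port: Optional[int] = None
    real_port: Optional[int] = None
    untranslate_hits: int = 0          # mirrors the counter shown by 'sh nat'

    def untranslate(self, proto: str, dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
        """Return (real_ip, real_port) when inbound traffic to dst matches this entry."""
        if dst_ip != self.mapped_ip:
            return None
        if self.proto is None:
            # 1:1 static: every port is forwarded to the same port on the real host.
            return self.real_ip, dst_port
        if proto == self.proto and dst_port == self.mapped_port:
            # Port static: only this protocol/port matches, and the port is rewritten.
            return self.real_ip, self.real_port
        return None


@dataclass
class StaticNatTable:
    entries: List[StaticEntry] = field(default_factory=list)
    warnings: List[str] = field(default_factory=list)

    def add(self, mapped_ip: str, real_ip: str, proto: Optional[str] = None,
            mapped_port: Optional[int] = None, real_port: Optional[int] = None) -> None:
        """Append a static; warn (but still accept it) when the real address already
        appears in an earlier static, as the firewall did in the lab."""
        if mapped_ip == "interface":
            mapped_ip = OUTSIDE_IF_IP
        for existing in self.entries:
            if existing.real_ip == real_ip:
                self.warnings.append(
                    f"real-address conflict with existing static "
                    f"{existing.real_ip} -> {existing.mapped_ip}")
                break
        self.entries.append(StaticEntry(mapped_ip, real_ip, proto, mapped_port, real_port))

    def lookup(self, proto: str, dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
        """First match in configuration order; None means the packet is not translated."""
        for entry in self.entries:
            hit = entry.untranslate(proto, dst_ip, dst_port)
            if hit is not None:
                entry.untranslate_hits += 1
                return hit
        return None


def build_lab_table() -> StaticNatTable:
    """The two statics from the lab, in the order they were entered (constructed)."""
    table = StaticNatTable()
    table.add("interface", "192.168.1.10", proto="tcp", mapped_port=22, real_port=23)
    table.add("1.1.1.2", "192.168.1.10")
    return table


if __name__ == "__main__":
    nat = build_lab_table()
    for warning in nat.warnings:
        print("WARNING:", warning)
    for proto, ip, port in [("tcp", "1.1.1.1", 22), ("tcp", "1.1.1.1", 23),
                            ("tcp", "1.1.1.2", 23), ("tcp", "1.1.1.2", 80)]:
        print(f"{proto} {ip}:{port} ->", nat.lookup(proto, ip, port))
    for entry in nat.entries:
        print(f"{entry.mapped_ip} untranslate_hits = {entry.untranslate_hits}")
```

Running it reproduces the lab: 1.1.1.1:22 reaches 192.168.1.10:23, 1.1.1.1:23 is not translated at all, and anything to 1.1.1.2 reaches the real host on the same port, with the hit counters climbing like the untranslate_hits in sh nat. Because the two statics use different mapped addresses, swapping their order changes nothing in this model; order only matters when two statics share a mapped address, which is why the usual advice to put the more specific static first still holds.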
