08-06-2010 01:20 PM - edited 03-11-2019 11:22 AM
Hi All,
After battling with, and eventually learning from the ASA 8.3 NAT configuration, I have stumbled over another hurdle which is causing me some confusion.
I have PAT working quite well for one host. That is, OUTSIDE:2202 ---> INSIDE_HOST:2202. See below for config.
I'm running ASA 8.3(2) and ASDM 6.2(3) on an ASA 5505.
!
object network LXSERVER
host 10.2.2.2
!
access-list OUTSIDE_access_in extended permit tcp any host 10.2.2.2 eq 2202
!
object network LXSERVER
nat (DMZ,OUTSIDE) static interface service tcp ssh 2202
This is all working like a dream, but when I tried to add another static NAT rule from the outside interface to the same host on a different port, the new rule overwrote the old one.
!
object network LXSERVER
nat (DMZ,OUTSIDE) static interface service tcp ftp 2121
!
So, my question is, how do I configure multiple static PATs for one internal host from the OUTSIDE interface?
Please note that I have only a single public IP address which is received via DHCP.
08-06-2010 02:51 PM
You need to create a new object for each static PAT or it will overwrite. You can have the same host in each object though. Just call the object with a different name. You need as many objects as there are going to be static PATs.
You may find these links useful: https://supportforums.cisco.com/docs/DOC-9129
8.3 nat video: https://supportforums.cisco.com/docs/DOC-12324
-KS
08-06-2010 02:43 PM
Here is an example. I hope this is what you are trying to accomplish:
object service FTP_PASV_PORT_RANGE
 service tcp source range 65000 65004
object network HOST_FTP_SERVER
 host 192.168.10.100
nat (Inside,outside) source static HOST_FTP_SERVER interface service FTP_PASV_PORT_RANGE FTP_PASV_PORT_RANGE
ciscoasa(config)# sh xlate
1 in use, 6 most used
TCP PAT from Inside:HOST_FTP_SERVER 65000-65004 to outside:10.10.10.1 65000-65004 flags sr idle 47:51:27 timeout 0:00:00
-KS
08-06-2010 02:48 PM
Hi KS,
Thanks for the help, although it is not entirely what I am after, although I think it will work for what I am after temporarily.
What I was looking for was to use a discontiguous port range, i.e.
2202 --> 22
2121 --> 21
8080 --> 80
4443 --> 443
etc etc.
Cheers,
Conor
08-06-2010 02:53 PM
Cheers for that, KS. I had feared that was the solution.
Thanks for your help.
Cheers,
Conor
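Putting KS's answer (one network object per static PAT, all pointing at the same host) together with the discontiguous port list Conor asked about, here is an added example configuration for ASA 8.3 object NAT. It is not config from either poster; it reuses Conor's host 10.2.2.2, the DMZ/OUTSIDE interface pair and the OUTSIDE_access_in ACL name, and assumes the object names LXSERVER_SSH, LXSERVER_FTP, LXSERVER_HTTP and LXSERVER_HTTPS, the constructed source address 198.51.100.7 and the placeholder outside address 203.0.113.10 (the real one is DHCP-assigned) used only in the packet-tracer check.

```cisco
! Added example: one object per mapped port, same real host in each.
! Object NAT keys on the object name, so reusing a single object
! overwrites the previous nat line; distinct names avoid that.
object network LXSERVER_SSH
 host 10.2.2.2
 nat (DMZ,OUTSIDE) static interface service tcp ssh 2202
!
object network LXSERVER_FTP
 host 10.2.2.2
 nat (DMZ,OUTSIDE) static interface service tcp ftp 2121
!
object network LXSERVER_HTTP
 host 10.2.2.2
 nat (DMZ,OUTSIDE) static interface service tcp www 8080
!
object network LXSERVER_HTTPS
 host 10.2.2.2
 nat (DMZ,OUTSIDE) static interface service tcp https 4443
!
! Interface ACL. In 8.3 the packet is untranslated before the ACL
! lookup, so these entries reference the real address and real port
! (22/21/80/443), not the mapped 2202/2121/8080/4443.
! "any" as source matches Conor's original line; narrowing it to the
! networks that actually need access is the usual hardening step.
access-list OUTSIDE_access_in extended permit tcp any host 10.2.2.2 eq ssh
access-list OUTSIDE_access_in extended permit tcp any host 10.2.2.2 eq ftp
access-list OUTSIDE_access_in extended permit tcp any host 10.2.2.2 eq www
access-list OUTSIDE_access_in extended permit tcp any host 10.2.2.2 eq https
access-group OUTSIDE_access_in in interface OUTSIDE
!
! Verification: all four translations should be listed, each with its
! own mapped port, instead of only the most recently entered one.
show nat detail
show xlate
! Simulated inbound connection to the mapped FTP port (addresses are
! placeholders); the output should show the NAT untranslate to
! 10.2.2.2/21 and an ACCESS-LIST ALLOW phase before "action: allow".
packet-tracer input OUTSIDE tcp 198.51.100.7 40000 203.0.113.10 2121
```

Each object can hold only one nat statement, which is why four objects are needed for four mapped ports; because the mapped ports do not overlap, the order in which the ASA sorts these static object NAT rules does not matter here. If `show nat` lists fewer rules than objects, the most likely cause is the original symptom: a second nat line entered under an already-used object name replaced the first.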