Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3432
Views
10
Helpful
4
Replies

ASA 8.3 Single Host - Multiple PAT

Go to solution
Conor Cunningham
Level 1
Level 1

‎08-06-2010 01:20 PM - edited ‎03-11-2019 11:22 AM

Hi All,

After battling with, and eventually learning from the ASA 8.3 NAT configuration, I have stumbled over another hurdle which is causing me some confusion.

I have PAT working quite well for one host. That is, OUTSIDE:2202 ---> INSIDE_HOST:2202. See below for config.

I'm running ASA 8.3.(2) and ASDM 6.2.(3) on a ASA 5505

!

object network LXSERVER
host 10.2.2.2

!

access-list OUTSIDE_access_in extended permit tcp any host 10.2.2.2 eq 2202

!

object network LXSERVER

nat (DMZ,OUTSIDE) static interface service tcp ssh 2202

This is all working like a dream but when I tried to add another static NAT rule from the outside interface to the same host on a different port, the new rule overwrote the old one.

!

object network LXSERVER

nat (DMZ,OUTSIDE) static interface service tcp ftp 2121

!

So, my question is, how do I configure multiple static PATs for one internal host from the OUTSIDE inteface.


Please note that I have only a single public IP address which is received via DHCP.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Kureli Sankar
Cisco Employee
Cisco Employee
In response to Conor Cunningham

‎08-06-2010 02:51 PM

You need to create a new object for each static pat or it will overwrite. You can have the same host each object though.  Just call the object with a diff. name.  You need as many objects as there are going to be static PATs.

You may find these links useful: https://supportforums.cisco.com/docs/DOC-9129

8.3 nat video: https://supportforums.cisco.com/docs/DOC-12324

-KS

View solution in original post

4 Replies 4

Go to solution
Kureli Sankar
Cisco Employee
Cisco Employee

‎08-06-2010 02:43 PM

Here is an example. I hope this is what you are trying to accomplish:

 object service FTP_PASV_PORT_RANGE
   service tcp source range 65000 65004
 
 object network HOST_FTP_SERVER
  host 192.168.10.100
 
 nat (Inside,outside) source static HOST_FTP_SERVER interface service
FTP_PASV_PORT_RANGE FTP_PASV_PORT_RANGE


ciscoasa(config)# sh xlate
1 in use, 6 most used
TCP PAT from Inside:HOST_FTP_SERVER 65000-65004 to outside:10.10.10.1
65000-65004 flags sr idle 47:51:27 timeout 0:00:00

-KS

Go to solution
Conor Cunningham
Level 1
Level 1
In response to Kureli Sankar

‎08-06-2010 02:48 PM

Hi KS,

Thanks for the help, althouh it is not entirely what I am after, although I think it will work for what I am after temporarily.

What I was looking for was to use a discontiguous port range, i.e.

2202 --> 22

2121 --> 21

8080 --> 80

4443 --> 443

etc etc.

Cheers,


Conor

0 Helpful

Go to solution
Kureli Sankar
Cisco Employee
Cisco Employee
In response to Conor Cunningham

‎08-06-2010 02:51 PM

You need to create a new object for each static pat or it will overwrite. You can have the same host each object though.  Just call the object with a diff. name.  You need as many objects as there are going to be static PATs.

You may find these links useful: https://supportforums.cisco.com/docs/DOC-9129

8.3 nat video: https://supportforums.cisco.com/docs/DOC-12324

-KS

Go to solution
Conor Cunningham
Level 1
Level 1

‎08-06-2010 02:53 PM

Cheers for that KS, I had feared that was the solution.

Thanks for your help.

Cheers,

Conor

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card