Cisco Support Community
New Member

ASA 8.3 Single Host - Multiple PAT

Hi All,

After battling with, and eventually learning from the ASA 8.3 NAT configuration, I have stumbled over another hurdle which is causing me some confusion.

I have PAT working quite well for one host. That is, OUTSIDE:2202 ---> INSIDE_HOST:2202. See below for config.

I'm running ASA 8.3(2) and ASDM 6.2(3) on an ASA 5505.

!
object network LXSERVER
 host 10.2.2.2
!
access-list OUTSIDE_access_in extended permit tcp any host 10.2.2.2 eq 2202
!
object network LXSERVER
 nat (DMZ,OUTSIDE) static interface service tcp ssh 2202
!

This is all working like a dream but when I tried to add another static NAT rule from the outside interface to the same host on a different port, the new rule overwrote the old one.

!
object network LXSERVER
 nat (DMZ,OUTSIDE) static interface service tcp ftp 2121
!

So, my question is, how do I configure multiple static PATs for one internal host from the OUTSIDE interface?

Please note that I have only a single public IP address, which is received via DHCP.

1 ACCEPTED SOLUTION
Cisco Employee

Re: ASA 8.3 Single Host - Multiple PAT

You need to create a new object for each static PAT or it will overwrite. You can have the same host in each object though. Just call the object with a diff. name. You need as many objects as there are going to be static PATs.

You may find these links useful: https://supportforums.cisco.com/docs/DOC-9129

8.3 nat video: https://supportforums.cisco.com/docs/DOC-12324

-KS
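The rule in the accepted answer (one network object per static PAT, because a second nat line under the same object replaces the first) is easy to get wrong by hand when a host is exposed on several ports. The following Python script is an added example, not code from the thread or from Cisco: it emits the 8.3+ object-NAT configuration for the port list Conor asked about (22, 21, 80 and 443 on the host 10.2.2.2 from the question, exposed on 2202, 2121, 8080 and 4443) and refuses to generate anything that would silently overwrite an earlier rule or collide on a mapped port. The object names (LXSERVER_SSH and so on) and the ACL name are assumptions; the ACL entries follow the 8.3+ convention of matching the real (untranslated) address and port.

```python
"""Generate ASA 8.3+ static PAT config: one network object per port mapping.

Added example, not from the forum thread. It encodes the accepted answer's
rule: on 8.3+ a network object carries exactly one 'nat' statement, so a
second 'nat' line under the same object replaces the first. A distinct
object per mapping (same host in each) avoids that, and the generator also
rejects two mappings that would claim the same outside port.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PatRule:
    name: str         # network object name; must be unique per mapping
    real_port: int    # port the inside host actually listens on
    mapped_port: int  # port exposed on the outside (mapped) interface


# Constructed sample: the mappings Conor listed, against the host from the
# question. Object names are assumed, not taken from the thread.
SAMPLE_RULES = (
    PatRule("LXSERVER_SSH", 22, 2202),
    PatRule("LXSERVER_FTP", 21, 2121),
    PatRule("LXSERVER_HTTP", 80, 8080),
    PatRule("LXSERVER_HTTPS", 443, 4443),
)


def build_static_pat(host_ip, real_if, mapped_if, acl_name, rules):
    """Return ASA config lines for the given static PAT rules.

    Raises ValueError if an object name is reused (its nat line would
    overwrite the earlier one) or if a mapped port is claimed twice.
    """
    seen_names, seen_mapped = set(), set()
    objects, acl = [], []
    for r in rules:
        if r.name in seen_names:
            raise ValueError(
                f"object {r.name} reused: its nat line would overwrite the earlier one")
        if r.mapped_port in seen_mapped:
            raise ValueError(
                f"mapped port {r.mapped_port} already used on {mapped_if}")
        seen_names.add(r.name)
        seen_mapped.add(r.mapped_port)
        # One object, one host, one nat statement per mapping.
        objects += [
            f"object network {r.name}",
            f" host {host_ip}",
            f" nat ({real_if},{mapped_if}) static interface "
            f"service tcp {r.real_port} {r.mapped_port}",
        ]
        # 8.3+ interface ACLs match the real address and the real port,
        # not the translated one the outside client connects to.
        acl.append(
            f"access-list {acl_name} extended permit tcp any "
            f"host {host_ip} eq {r.real_port}")
    return objects + acl + [f"access-group {acl_name} in interface {mapped_if}"]


def sample_config():
    """Config for the constructed sample, as a list of lines."""
    return build_static_pat("10.2.2.2", "DMZ", "OUTSIDE",
                            "OUTSIDE_access_in", SAMPLE_RULES)


if __name__ == "__main__":
    print("\n".join(sample_config()))
```

Feeding the script a list in which two rules share an object name reproduces the overwrite Conor saw, as an error at generation time rather than as a rule that quietly disappears after a paste into the CLI; `show nat` and `show xlate` on the box remain the place to confirm what actually took effect.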

4 REPLIES
Cisco Employee

Re: ASA 8.3 Single Host - Multiple PAT

Here is an example. I hope this is what you are trying to accomplish:

object service FTP_PASV_PORT_RANGE
 service tcp source range 65000 65004

object network HOST_FTP_SERVER
 host 192.168.10.100

nat (Inside,outside) source static HOST_FTP_SERVER interface service FTP_PASV_PORT_RANGE FTP_PASV_PORT_RANGE

ciscoasa(config)# sh xlate
1 in use, 6 most used
TCP PAT from Inside:HOST_FTP_SERVER 65000-65004 to outside:10.10.10.1 65000-65004 flags sr idle 47:51:27 timeout 0:00:00

-KS
New Member

Re: ASA 8.3 Single Host - Multiple PAT

Hi KS,

Thanks for the help, although it is not entirely what I am after, although I think it will work for what I am after temporarily.

What I was looking for was to use a discontiguous port range, i.e.

2202 --> 22
2121 --> 21
8080 --> 80
4443 --> 443

etc etc.

Cheers,


Conor

New Member

Re: ASA 8.3 Single Host - Multiple PAT

Cheers for that KS, I had feared that was the solution.

Thanks for your help.

Cheers,

Conor
