Please post the output of the

stevenilan · ‎05-28-2014

Hi,

I'm trying to configure PAT on a new ASA-5510 running 9.0(3) and I'm having some issues.

In our setup we have a single public IP address(lets say 127.1.1.1) which is assigned to the outside interface, and we need to use that for both dynamic PAT to allow all machines in our 10.1.0.0 255.255.255.0 subnet hit the outside world, as well as allow the outside world FTP access to (10.1.0.124) on the inside using static PAT.

I have dynamic PAT working and we are able to hit the outside world, but I can't get the static service PAT working to forward FTP traffic.

The configuration looks like this right now:

object network obj-10.1.0.124
host 10.1.0.124

object network obj-10.1.0.0
subnet 10.1.0.0 255.255.255.0

nat (infra,outside) source dynamic obj-10.1.0.0 interface

!
object network obj-10.1.0.124
nat (infra,outside) static interface service tcp 21 21

Should the dynamic PAT rule also be written as a network object rule?

Thanks!

Steve

manish arora · ‎05-28-2014

That looks correct, just add another static PAT for TCP port 20 as well.

Here's a link to a useful Doc :

https://supportforums.cisco.com/document/33921/asa-pre-83-83-nat-configuration-examples

Manish

stevenilan · ‎05-28-2014

Thanks for your reply. It isn't working though so I'm not sure what the problem is, adding another PAT translation for port 20 did not help either.

manish arora · ‎05-28-2014

Please post the output of the following :

show nat detail

show run nat

Manish

stevenilan · ‎05-29-2014

Thanks for your help Manish, I figured it out.

-Steve

stevenilan · ‎05-29-2014

Changing the global PAT to an object PAT rule got everything working correctly.

object network obj-10.1.0.0
subnet 10.1.0.0 255.255.255.0

object network obj-ftp-access
host 10.1.0.124

object network obj-10.1.0.0
nat (infra,outside) dynamic interface

object network obj-ftp-access
nat (infra,outside) static interface service tcp 21 21

Dynamic and Static PAT using a single public IP