Cisco Support Community
New Member

More ports for Static PAT

Hi, on the ASA 5505 it is impossible to configure more ports on the static PAT, and it is also impossible to use Service Groups.

I have this situation:

- internal mail server that uses the POP3 and SMTP ports, the IP address is 192.168.1.80

- two public IP addresses, one is configured on interface Vlan2 and the second public IP address is used for PAT with the internal mail server, therefore:

interface vlan2 --> 88.88.88.88

private IP mail server --> 192.168.1.80

public IP mail server --> 88.88.88.89

Now I have in the ASA config file:

static (inside,outside) 88.88.88.89 192.168.1.80 netmask 255.255.255.255

But can I specify tcp/25 and tcp/110 on this static PAT?

Thanks.

-

Salvatore.

4 REPLIES
Cisco Employee

Re: More ports for Static PAT

That 1-1 static that you have will do for all the ports.

Unless you want to use another public address for another inside server.

If your question is whether you can add the static PAT to another inside server using the same public address, the answer is NO.

static (inside,outside) 88.88.88.89 192.168.1.80 netmask 255.255.255.255 ---> when you already have this 
static (inside,outside) tcp 88.88.88.89 110 192.168.1.81 110 netmask 255.255.255.255 ---> NOT possible.

-KS

New Member

Re: More ports for Static PAT

Hi and thanks for your support. So if I have understood correctly, this isn't possible:

static (inside,outside) tcp 88.88.88.89 25 192.168.1.80 25 netmask 255.255.255.255
static (inside,outside) tcp 88.88.88.89 110 192.168.1.80 110 netmask 255.255.255.255

static (inside,outside) tcp 88.88.88.89 80 192.168.1.81 80 netmask 255.255.255.255

Thanks.

-
 Salvatore.
 

Hall of Fame Super Blue

Re: More ports for Static PAT

pixteam2007 wrote:

Hi and thanks for your support. So if I have understood correctly, this isn't possible:

static (inside,outside) tcp 88.88.88.89 25 192.168.1.80 25 netmask 255.255.255.255
static (inside,outside) tcp 88.88.88.89 110 192.168.1.80 110 netmask 255.255.255.255

static (inside,outside) tcp 88.88.88.89 80 192.168.1.81 80 netmask 255.255.255.255

Thanks.

-
 Salvatore.
 

Salvatore

The above config is possible because you are specifying individual ports. But as Kusankar said you can't do -

static (inside,outside) 88.88.88.89 192.168.1.80 netmask 255.255.255.255
static (inside,outside) tcp 88.88.88.89 110 192.168.1.81 110 netmask 255.255.255.255

because in the first static you are mapping ALL ports from 88.88.88.89 to 192.168.1.80, including TCP port 110, and in the second static you are trying to map TCP 110 to a different internal address, so there is a conflict.

Jon

Cisco Employee

Re: More ports for Static PAT

If you remove the 1-1 that you have, then the three are possible.

remove this

static (inside,outside) 88.88.88.89 192.168.1.80 netmask 255.255.255.255

and you can add these

static (inside,outside) tcp 88.88.88.89 25 192.168.1.80 25 netmask 255.255.255.255
static (inside,outside) tcp 88.88.88.89 110 192.168.1.80 110 netmask 255.255.255.255
static (inside,outside) tcp 88.88.88.89 80 192.168.1.81 80 netmask 255.255.255.255

-KS
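
The overlap rule discussed in this thread can be checked offline before pasting statements into a device. The following is an added example, not part of any post above and not Cisco's validation logic: it parses the pre-8.3 `static` syntax shown in the thread and reports pairs of statements that claim the same mapped address and overlapping ports. The function names and the two sample configs (built from the statements quoted in the thread) are assumptions made for illustration.

```python
import re
from itertools import combinations

# Pre-8.3 ASA syntax as used in the thread: 1-1 static NAT, or static PAT with proto/ports.
STATIC_RE = re.compile(
    r"^static \(\S+,\S+\)\s+"
    r"(?:(?P<proto>tcp|udp)\s+(?P<pat_ip>\S+)\s+(?P<port>\S+)\s+(?P<pat_real>\S+)\s+\S+"
    r"|(?P<nat_ip>\S+)\s+(?P<nat_real>\S+))"
    r"\s+netmask\s+\S+$"
)

def parse_statics(config):
    """Return one dict per static statement: mapped IP, real IP, proto/port (None for 1-1)."""
    entries = []
    for raw in config.splitlines():
        line = raw.strip()
        m = STATIC_RE.match(line)
        if m:
            entries.append({
                "line": line,
                "mapped": m["pat_ip"] or m["nat_ip"],
                "real": m["pat_real"] or m["nat_real"],
                "proto": m["proto"],  # None means a 1-1 static covering all ports
                "port": m["port"],
            })
    return entries

def find_conflicts(config):
    """Return pairs of statements that claim the same mapped IP and overlapping ports."""
    conflicts = []
    for a, b in combinations(parse_statics(config), 2):
        if a["mapped"] != b["mapped"]:
            continue
        one_to_one = a["proto"] is None or b["proto"] is None
        same_port = (a["proto"], a["port"]) == (b["proto"], b["port"])
        if one_to_one or same_port:
            conflicts.append((a["line"], b["line"]))
    return conflicts

# Constructed sample configs, assembled from the statements quoted in the thread.
PAT_ONLY = """\
static (inside,outside) tcp 88.88.88.89 25 192.168.1.80 25 netmask 255.255.255.255
static (inside,outside) tcp 88.88.88.89 110 192.168.1.80 110 netmask 255.255.255.255
static (inside,outside) tcp 88.88.88.89 80 192.168.1.81 80 netmask 255.255.255.255
"""
WITH_ONE_TO_ONE = "static (inside,outside) 88.88.88.89 192.168.1.80 netmask 255.255.255.255\n" + PAT_ONLY

if __name__ == "__main__":
    for a, b in find_conflicts(WITH_ONE_TO_ONE):
        print("CONFLICT:\n  " + a + "\n  " + b)
    print("PAT-only conflicts:", find_conflicts(PAT_ONLY))
```

With the 1-1 static present, every port-specific statement on 88.88.88.89 is reported; the PAT-only set, which publishes only tcp/25, tcp/110 and tcp/80 on that address, produces no conflicts.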