Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
419
Views
0
Helpful
4
Replies

stastic mapping on ASA 5510

rechard_david
Level 1
Level 1

‎02-11-2009 08:22 PM - edited ‎03-11-2019 07:49 AM

Dear All,

I would like all of you to help me to solve the problem as below:

On ASA i had Outside,Inside and DMZ.i had one webserver in DMZ and i had 2 application server in Inside( one primary and other one Bakcup).so i want to allow some port from DMZ to inside.my problem is the message from ASA that cannot create, i map as below:

static (inside,DMZ) tcp Web_DMZ 1515 Appli_Primary 1515 netmask 255.255.255.255

static (inside,DMZ) tcp Web_DMZ 1515 Appli_Backup 1515 netmask 255.255.255.255

So the second static not allow me to create so how can create on static.

Best Regards,

Rechard

Labels:
0 Helpful
4 Replies 4

Jithesh K Joy
Level 1
Level 1

‎02-11-2009 08:52 PM

Hi Richard,

You can do it with Static Policy NAT. See the following conf.

access-list policy_nat permit tcp host 10.1.1.1 eq 1515 host 172.16.1.1

access-list policy_nat permit tcp host 10.1.1.2 eq 1515 host 172.16.1.1

static (inside,DMZ) tcp Web_DMZ 1515 access-list policy_nat

where 10.1.1.1 &10.1.1.2 are your Appli_Primary and Appli_Backup respectively. 172.16.1.1 is the DMZ host accessing the Appli_Primary & Appli_Backup.

Please try this & update

Thanks

Jithesh

0 Helpful

rechard_david
Level 1
Level 1
In response to Jithesh K Joy

‎02-12-2009 01:59 AM

Dear Jithesh,

I tried already but it still has the problem the message show as below:

ERROR: access-list used in static has different local addresses

if i asign access-lsit policy_nat....only one command it ok, i mean don't show error.

How can i do next ?

Best Regards,

Rechard

0 Helpful

Jithesh K Joy
Level 1
Level 1
In response to rechard_david

‎02-12-2009 02:35 AM

Hi Rechard,

I am sorry. please visit the url for more info:

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cfgnat.html#wp1042553

Figure 18-12 in the above url is same as your case.

We cannot use policy static NAT to translate different real addresses to the same mapped address.

Because the device(ASA) will get confused to which real IP it has to divert the traffic. That is the reason ,it is not allowing this type of config.

Thanks

Jithesh

0 Helpful

rechard_david
Level 1
Level 1
In response to Jithesh K Joy

‎02-12-2009 07:57 PM

Dear Jithesh,

Thank you for your help!!! :)

So, mean that he ASA doesn't work on requirement that i want ? right? have any solution on this case?

Best Regards,

Rechard

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card