Re: Static Policy NATing

neazchowdhury · ‎12-27-2007

Hi

I have recently installed an ASA5510 as our Firewall which actually replaced the old PIX. Now I am stuck with Static NATing. On the old PIX I could have multiple Static statements translating different public IP addresses to one IP address in my DMZ network. But it looks like I can not do it any more with ASA. By the way I am running ASA Version 7.0(7). I have read few posts and articles online and it seems Static Policy NAT is the answer. but I can not get it configured as I am still geting "global address overlaps with mask" error. I have to translate multiple pubic IP addresses (for example 195.1.20.141, 195.1.20.143, 195.1.20.144) to 192.168.0.201 in my DMZ. Please see the following configuration I have tried.

#access-list 101 extended permit tcp any host 195.1.20.141 eq www

#access-list 101 extended permit tcp any host 195.1.20.143 eq www

#access-list 101 extended permit tcp any host 195.1.20.144 eq https

#access-group 101 in interface Outside

#access-list sun01-1 extended permit tcp any host 192.168.0.201 eq www

#access-list sun01-2 extended permit tcp any host 192.168.0.201 eq https

#static (DMZ,Outside) 195.1.20.141 access-list sun01-1

#static (DMZ,Outside) 195.11.20.143 access-list sun01-1

#static (DMZ,Outside) 195.11.20.144 access-list sun01-2

Could you please look at the config and help me out on this.

Your help is much appreciated.

palomoj · ‎12-27-2007

Hi, here are the changes necessary to fix your problem. The problem is your static statements are defined for one to one NAT while your policy NAT ACL's match on port address translation. That's why you are getting the error message regarding "global address overlaps with mask." Your ACL's are also matching on the wrong traffic. Let me know if this makes any sense.

Thanks.

access-list sun01-1 permit tcp host 192.168.0.201 eq www any

access-list sun01-2 permit tcp host 192.168.0.201 eq www any

access-list sun01-3 permit tcp host 192.168.0.201 eq https any

static (DMZ,Outside) tcp 195.1.20.141 www access-list sun01-1

static (DMZ,Outside) tcp 195.11.20.143 www access-list sun01-2

static (DMZ,Outside) tcp 195.11.20.144 https

access-list sun01-3

rmaxson2 · ‎12-27-2007

This seems backwards.. shouldn't it be?

access-list sun01-2 permit tcp SOURCE(FROM) DESTINATION(TO)eq www

then he could use object groups for the ports and cut it down the number of rules?

object-group service WEB_SERVICE tcp

description ports for web access

port-object eq https

port-object eq www

neazchowdhury · ‎12-28-2007

Sorry, I did not see rmaxson2's post and tried palomoj's suggestion and it worked straight away. Thank you so much.

I am wondering if you could suggest a couple of good books on ASA for me. I am kind of new to ASA/Firewall/IPS world with some basic knowledge of routing and switching at CCNA level.

Thanks a lot once again for your help.

palomoj · ‎12-28-2007

Excellent!

I have not personally read any of the Cisco Press books on the ASA but I'm sure this one will be a good one.

http://www.ciscopress.com/bookstore/product.asp?isbn=1587052091

Cisco.com has a lot of material and configuration examples if you have access to it.

http://www.cisco.com/en/US/products/ps6120/index.html

srue · ‎12-28-2007

the all-in-one book that palomo recommends in his first link is good. i'm using that to help me for my securitylab. and of course the documentation on CCO is great - and free - just a little hard to follow if you're new to networking or Cisco.

neazchowdhury · ‎12-28-2007

Thanks a lot Guys.

Wish you all a Happy and a Prosperous New Year.