Cisco Support Community

New Member

ASA Translation Table

Hi,

I have done PAT and a static (dmz,outside) a.b.c.d 10.5.0.5 translation on my ASA. When I change the static (dmz,outside) w.x.y.z 10.5.0.0 translation, is it possible to clear the translation table?

8 REPLIES
New Member

Re: ASA Translation Table

If you change the NAT configuration, and you do not want to wait for existing translations to time out before the new NAT information is used, you can clear the translation table using the clear xlate command. However, clearing the translation table disconnects all current connections that use translations, and then starts building new connections based on the new configuration.

regards,

Mohsin

New Member

Re: ASA Translation Table

Hi,

What if I change a static translation, do I need to clear xlate then?

Thanks

New Member

Re: ASA Translation Table

Practically, you don't need to clear xlate on changing a static translation. However, you can use the "show static" command to see which public IP is statically NATted to your private IP.

Mohsin

New Member

Re: ASA Translation Table

Hi,

I have a problem. I have two public IPs. I have static (dmz,outside) xx.xx.xx.9 10.5.0.5

access-list webserver extended permit tcp any host xx.xx.xx.9 eq ftp

access-group webserver in interface outside

This works fine, but when I use static (dmz,outside) xx.xx.xx.12 10.5.0.5 for the same server, it will not. What might be the problem?

thanks

New Member

Re: ASA Translation Table

Please be specific. It will not what?

There are 2-3 points that you must remember,

- You can assign 2 public IPs to a single private IP, but that is not recommended.

- Your ACL for FTP is for XX.XX.XX.9 only; if you want to use FTP for the 2nd public IP also, you need to add another ACL, i.e.

access-list webserver extended permit tcp any host xx.xx.xx.9 eq ftp

However, ACLs work in a sequential way, so all the incoming traffic will hit the first ACL of XX.XX.XX.9 and hence the 2nd ACL will be useless. But in case you want to serve FTP on XX.XX.XX.9 and HTTP on XX.XX.XX.12 for the same private IP 10.5.0.5, then you can add

access-list webserver extended permit tcp any host xx.xx.xx.12 eq http

along with xx.xx.xx.9 eq ftp command...

But, why would you like to have 2 public IPs for 1 private IP?

New Member

Re: ASA Translation Table

Hi,

I told you, when I use static (dmz,outside) xx.xx.xx.9 10.5.0.5

access-list webserver extended permit tcp any host xx.xx.xx.9 eq ftp

access-group webserver in interface outside

This works fine, but when I remove the above static mapping and re-create the static mapping with xx.xx.xx.12, with the ACL changed to xx.xx.xx.12 for FTP, it is not working.

Thanks

New Member

Re: ASA Translation Table

Well, in that case you need to check, using show static and sh xlate | in xx.xx.xx.12, that the FW/ASA has updated its translation table. If not, then try to clear xlate and then check the same.

Re: ASA Translation Table

When you get this problem after changing NAT lines, just reload the firewall.
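An added example, not part of any post in this thread: a Python check for the situation discussed above, where a static mapping is moved to a new public address and the ACL bound to the outside interface has to name that same address. The config text is constructed (203.0.113.x stands in for the masked xx.xx.xx addresses), and the parser assumes only the pre-8.3 static, "access-list ... any host" and access-group forms quoted in the thread.

```python
import re

# Constructed sample: the static now maps .12, but the ACL still permits .9.
SAMPLE_CONFIG = """\
static (dmz,outside) 203.0.113.12 10.5.0.5 netmask 255.255.255.255
access-list webserver extended permit tcp any host 203.0.113.9 eq ftp
access-group webserver in interface outside
"""

# static (real_if,mapped_if) mapped_ip real_ip
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+)")
ACE_RE = re.compile(r"^access-list (\S+) extended permit \S+ any host (\S+)")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)")


def audit(config):
    """Compare static mappings with the ACL bound inbound on the same interface.

    Returns (finding, acl_name, mapped_ip) tuples:
      stale-permit: the ACL permits an address that no static maps any more
      no-permit:    a static maps an address that the ACL never permits
    """
    statics = {}  # mapped interface -> {mapped_ip: real_ip}
    aces = {}     # ACL name -> set of permitted destination hosts
    bound = {}    # interface -> ACL name applied inbound
    for line in config.splitlines():
        line = line.strip()
        if m := STATIC_RE.match(line):
            statics.setdefault(m[2], {})[m[3]] = m[4]
        elif m := ACE_RE.match(line):
            aces.setdefault(m[1], set()).add(m[2])
        elif m := GROUP_RE.match(line):
            bound[m[2]] = m[1]

    findings = []
    for ifname, acl in bound.items():
        mapped = set(statics.get(ifname, {}))
        permitted = aces.get(acl, set())
        findings += [("stale-permit", acl, ip) for ip in sorted(permitted - mapped)]
        findings += [("no-permit", acl, ip) for ip in sorted(mapped - permitted)]
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(*finding)
```

An empty result means every statically mapped address on an interface has a matching permit entry and no permit entry points at an unmapped address; it says nothing about the live xlate table, which still has to be checked on the device.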
