https://community.cisco.com/t5/network-security/asa-5505-port-forwarding-to-different-internal-port/m-p/2663615#M197088 <P>Anyone ?</P> Wed, 18 Feb 2015 05:44:31 GMT S Kumar 2015-02-18T05:44:31Z https://community.cisco.com/t5/network-security/asa-5505-port-forwarding-to-different-internal-port/m-p/2663614#M197087 <P>&nbsp;</P><P>My Config:</P><P>object network obj-192.168.220.104<BR />&nbsp;host 192.168.220.104<BR />object network obj-192.168.220.124<BR />&nbsp;host 192.168.220.124</P><P><BR />access-list acl_in_http extended permit tcp host 1.1.1.1 object obj-192.168.1.100 eq 3389 log<BR />access-list acl_in_http extended permit tcp host 1.1.1.1 object obj-192.168.1.200 eq 3389 log</P><P>object network obj-192.168.1.100<BR />&nbsp;nat (inside,outside) static interface service tcp 3390 3389<BR />object network obj-192.168.1.200<BR />&nbsp;nat (inside,outside) static interface service tcp 3389 3389</P><P><BR />I have one public IP configured on ASA5505 and I have 2 internal hosts which needs RDP access from outside.<BR />One host is accessible from outside using 3389. I wanted to configure the second host with outside port 3390 and inside 3389.</P><P><BR />When I configure natting for second host, I get following warning message:<BR />WARNING: mapped-address 2.2.2.2/3389 ovelap with existing static NAT.</P><P><BR />where 2.2.2.2 is public ip address of ASA's outside interface.</P> Tue, 12 Mar 2019 05:29:42 GMT https://community.cisco.com/t5/network-security/asa-5505-port-forwarding-to-different-internal-port/m-p/2663614#M197087 S Kumar 2019-03-12T05:29:42Z https://community.cisco.com/t5/network-security/asa-5505-port-forwarding-to-different-internal-port/m-p/2663615#M197088 <P>Anyone ?</P> Wed, 18 Feb 2015 05:44:31 GMT https://community.cisco.com/t5/network-security/asa-5505-port-forwarding-to-different-internal-port/m-p/2663615#M197088 S Kumar 2015-02-18T05:44:31Z https://community.cisco.com/t5/network-security/asa-5505-port-forwarding-to-different-internal-port/m-p/2663616#M197089 <P>You are getting warning because the configuration that you have is using same mapped port (3389)</P><P>&nbsp;</P><P>change nat statements to&nbsp;</P><P><SPAN style="font-size: 14.3999996185303px;">object network obj-192.168.1.100</SPAN><BR style="font-size: 14.3999996185303px;" /><SPAN style="font-size: 14.3999996185303px;">&nbsp;nat (inside,outside) static interface service tcp &nbsp;3389&nbsp;3390</SPAN><BR style="font-size: 14.3999996185303px;" /><SPAN style="font-size: 14.3999996185303px;">object network obj-192.168.1.200</SPAN><BR style="font-size: 14.3999996185303px;" /><SPAN style="font-size: 14.3999996185303px;">&nbsp;nat (inside,outside) static interface service tcp &nbsp;3389&nbsp;3389&nbsp;</SPAN></P><P>&nbsp;</P><P><SPAN style="font-size: 14.3999996185303px;">And your ACL should permit traffic to the UN NATed ip:</SPAN></P><P>&nbsp;</P><P><SPAN style="font-size: 14.3999996185303px;">access-list acl_in_http extended permit tcp host 1.1.1.1 object obj-192.168.1.100 eq 3389 log</SPAN><BR style="font-size: 14.3999996185303px;" /><SPAN style="font-size: 14.3999996185303px;">access-list acl_in_http extended permit tcp host 1.1.1.1 object obj-192.168.1.200 eq 3389 log</SPAN></P><P>&nbsp;</P><P><SPAN style="font-size: 14.3999996185303px;">Hope it helps.!!</SPAN></P> Wed, 18 Feb 2015 06:47:06 GMT https://community.cisco.com/t5/network-security/asa-5505-port-forwarding-to-different-internal-port/m-p/2663616#M197089 Rishabh Seth 2015-02-18T06:47:06Z