https://community.cisco.com/t5/network-security/dynamic-and-static-pat-using-a-single-public-ip/m-p/2480838#M238063 <P>Hi,</P><P>&nbsp;</P><P>I'm trying to configure PAT on a new ASA-5510 running 9.0(3) and I'm having some issues.</P><P>&nbsp;</P><P>In our setup we have a single public IP address(lets say 127.1.1.1) which is assigned to the outside interface, and we need to use that for both dynamic PAT to allow all machines in our 10.1.0.0 255.255.255.0 subnet hit the outside world, as well as allow the outside world FTP access to (10.1.0.124) on the inside using static PAT.</P><P>&nbsp;</P><P>I have dynamic PAT working and we are able to hit the outside world, but I can't get the static service PAT working to forward FTP traffic.&nbsp;</P><P>&nbsp;</P><P>The configuration looks like this right now:</P><P>&nbsp;</P><P>object network obj-10.1.0.124<BR />&nbsp;&nbsp;&nbsp; host 10.1.0.124</P><P>object network obj-10.1.0.0<BR />&nbsp;&nbsp;&nbsp; subnet 10.1.0.0 255.255.255.0</P><P>nat (infra,outside) source dynamic obj-10.1.0.0 interface</P><P>!<BR />object network obj-10.1.0.124<BR />&nbsp;&nbsp;&nbsp; nat (infra,outside) static interface service tcp 21 21</P><P>&nbsp;</P><P>Should the dynamic PAT rule also be written as a network object rule?</P><P>&nbsp;</P><P>Thanks!</P><P>Steve</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 12 Mar 2019 04:15:22 GMT stevenilan 2019-03-12T04:15:22Z https://community.cisco.com/t5/network-security/dynamic-and-static-pat-using-a-single-public-ip/m-p/2480838#M238063 <P>Hi,</P><P>&nbsp;</P><P>I'm trying to configure PAT on a new ASA-5510 running 9.0(3) and I'm having some issues.</P><P>&nbsp;</P><P>In our setup we have a single public IP address(lets say 127.1.1.1) which is assigned to the outside interface, and we need to use that for both dynamic PAT to allow all machines in our 10.1.0.0 255.255.255.0 subnet hit the outside world, as well as allow the outside world FTP access to (10.1.0.124) on the inside using static PAT.</P><P>&nbsp;</P><P>I have dynamic PAT working and we are able to hit the outside world, but I can't get the static service PAT working to forward FTP traffic.&nbsp;</P><P>&nbsp;</P><P>The configuration looks like this right now:</P><P>&nbsp;</P><P>object network obj-10.1.0.124<BR />&nbsp;&nbsp;&nbsp; host 10.1.0.124</P><P>object network obj-10.1.0.0<BR />&nbsp;&nbsp;&nbsp; subnet 10.1.0.0 255.255.255.0</P><P>nat (infra,outside) source dynamic obj-10.1.0.0 interface</P><P>!<BR />object network obj-10.1.0.124<BR />&nbsp;&nbsp;&nbsp; nat (infra,outside) static interface service tcp 21 21</P><P>&nbsp;</P><P>Should the dynamic PAT rule also be written as a network object rule?</P><P>&nbsp;</P><P>Thanks!</P><P>Steve</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 12 Mar 2019 04:15:22 GMT https://community.cisco.com/t5/network-security/dynamic-and-static-pat-using-a-single-public-ip/m-p/2480838#M238063 stevenilan 2019-03-12T04:15:22Z https://community.cisco.com/t5/network-security/dynamic-and-static-pat-using-a-single-public-ip/m-p/2480839#M238065 <P>That looks correct, just add another static PAT for TCP port 20 as well.</P><P>Here's a link to a useful Doc :</P><P>https://supportforums.cisco.com/document/33921/asa-pre-83-83-nat-configuration-examples</P><P>Manish</P> Wed, 28 May 2014 19:06:55 GMT https://community.cisco.com/t5/network-security/dynamic-and-static-pat-using-a-single-public-ip/m-p/2480839#M238065 manish arora 2014-05-28T19:06:55Z https://community.cisco.com/t5/network-security/dynamic-and-static-pat-using-a-single-public-ip/m-p/2480840#M238066 <P>Thanks for your reply.&nbsp; It isn't working though so I'm not sure what the problem is, adding another PAT translation for port 20 did not help either.</P> Wed, 28 May 2014 20:58:04 GMT https://community.cisco.com/t5/network-security/dynamic-and-static-pat-using-a-single-public-ip/m-p/2480840#M238066 stevenilan 2014-05-28T20:58:04Z https://community.cisco.com/t5/network-security/dynamic-and-static-pat-using-a-single-public-ip/m-p/2480841#M238068 <P>Please post the output of the following :</P><P>show nat detail</P><P>show run nat</P><P>Manish</P> Wed, 28 May 2014 21:00:56 GMT https://community.cisco.com/t5/network-security/dynamic-and-static-pat-using-a-single-public-ip/m-p/2480841#M238068 manish arora 2014-05-28T21:00:56Z https://community.cisco.com/t5/network-security/dynamic-and-static-pat-using-a-single-public-ip/m-p/2480842#M238071 <P>Changing the global PAT to an object PAT rule got everything working correctly.<BR />&nbsp;</P><P>object network obj-10.1.0.0<BR />&nbsp;subnet 10.1.0.0 255.255.255.0</P><P>object network obj-ftp-access<BR />&nbsp;host 10.1.0.124</P><P>object network obj-10.1.0.0<BR />&nbsp;nat (infra,outside) dynamic interface</P><P>object network obj-ftp-access<BR />&nbsp;nat (infra,outside) static interface service tcp 21 21</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 29 May 2014 14:26:53 GMT https://community.cisco.com/t5/network-security/dynamic-and-static-pat-using-a-single-public-ip/m-p/2480842#M238071 stevenilan 2014-05-29T14:26:53Z https://community.cisco.com/t5/network-security/dynamic-and-static-pat-using-a-single-public-ip/m-p/2480843#M238073 <P>Thanks for your help Manish, I figured it out.</P><P>-Steve</P> Thu, 29 May 2014 14:27:29 GMT https://community.cisco.com/t5/network-security/dynamic-and-static-pat-using-a-single-public-ip/m-p/2480843#M238073 stevenilan 2014-05-29T14:27:29Z