https://community.cisco.com/t5/network-security/port-redirection-using-the-same-public-ip/m-p/2363007#M307039 <HTML><HEAD></HEAD><BODY><P>Thanks for pointing that out, thats worked. !!!</P></BODY></HTML> Mon, 16 Dec 2013 20:15:13 GMT sandevsingh 2013-12-16T20:15:13Z https://community.cisco.com/t5/network-security/port-redirection-using-the-same-public-ip/m-p/2363001#M307033 <P>Hi,</P><P>can you do a static NAT using the same public ip so that it goes to different internal ips on different port numbers.? Something like a port-redirection. For example, the public ip:100.100.100.100/443 goes to 10.10.10.1/443 AND 100.100.100.100/8443 goes to 10.10.10.2/443.&nbsp;&nbsp;&nbsp;&nbsp; </P> Tue, 12 Mar 2019 03:18:46 GMT https://community.cisco.com/t5/network-security/port-redirection-using-the-same-public-ip/m-p/2363001#M307033 sandevsingh 2019-03-12T03:18:46Z https://community.cisco.com/t5/network-security/port-redirection-using-the-same-public-ip/m-p/2363002#M307034 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Yes, that is possible. Do notice that the port TCP/443 for example on an ASA is used for both ASDM and SSL VPN on the external interface typically. So it might be worth not using it at all as a public/mapped port is at all possible.</P><P></P><P>Depending on your software level the NAT configuration for the Static PAT (Port Forward) might be different</P><P></P><P>Software level 8.2 (and below)</P><P></P><P><STRONG>static (inside,outside) tcp interface <MAPPED port=""> <LOCAL ip=""> <LOCAL port=""> netmask 255.255.255.255</LOCAL></LOCAL></MAPPED></STRONG></P><P></P><P>Software level 8.3 (and above)</P><P></P><P><STRONG>object network STATIC-PAT-TCPxxx</STRONG></P><P><STRONG> host <LOCAL ip=""></LOCAL></STRONG></P><P><STRONG> nat (inside,outside) static interface service <LOCAL port=""> <MAPPED port=""></MAPPED></LOCAL></STRONG></P><P></P><P>The above examples use the<STRONG> "outside"</STRONG> interface IP address as the NAT IP as we use the <STRONG>"interface"</STRONG> parameter. This would have to be placed with the actual NAT IP address if you are using some other IP address other than that which is configured on your actual interface.</P><P></P><P>Hope this helps <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/happy.gif"></SPAN></P><P></P><P>- Jouni</P></BODY></HTML> Mon, 16 Dec 2013 17:56:44 GMT https://community.cisco.com/t5/network-security/port-redirection-using-the-same-public-ip/m-p/2363002#M307034 Jouni Forss 2013-12-16T17:56:44Z https://community.cisco.com/t5/network-security/port-redirection-using-the-same-public-ip/m-p/2363003#M307035 <HTML><HEAD></HEAD><BODY><P>Thnx Jouni,</P><P>I am on 8.4, if I use the same public IP (which is NOT the external int ip on the ASA) it gives me a warning, although it took the config -&nbsp; </P><P></P><P>WARNING: mapped-address 100.100.100.100/443 ovelap with existing static NAT.</P></BODY></HTML> Mon, 16 Dec 2013 18:59:35 GMT https://community.cisco.com/t5/network-security/port-redirection-using-the-same-public-ip/m-p/2363003#M307035 sandevsingh 2013-12-16T18:59:35Z https://community.cisco.com/t5/network-security/port-redirection-using-the-same-public-ip/m-p/2363004#M307036 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>It would seem that you have already configured a Static NAT using the same public IP address.</P><P></P><P>A Static NAT would pair a local IP to a public/mapped IP. When talking about TCP/UDP it would essentially map each public port to the same local port on the local IP address.</P><P></P><P>So it would seem to me that you would better use some other public IP address.</P><P></P><P>Even though the ASA accepted the Static PAT (Port Forward) configuration it might be that the Static NAT overrides the Static PAT function so that it is never used. This depends on the way the Static NAT is configured and can only be told by looking at the configurations and/or perhaps using the <STRONG>"packet-tracer"</STRONG> command to test the configuration.</P><P></P><P>Do you have an extra public IP address that you could use as the Static PAT public IP address for all the translations you are attempting to do?</P><P></P><P>- Jouni</P></BODY></HTML> Mon, 16 Dec 2013 19:04:41 GMT https://community.cisco.com/t5/network-security/port-redirection-using-the-same-public-ip/m-p/2363004#M307036 Jouni Forss 2013-12-16T19:04:41Z https://community.cisco.com/t5/network-security/port-redirection-using-the-same-public-ip/m-p/2363005#M307037 <HTML><HEAD></HEAD><BODY><P>Hi Jouni,</P><P>Yes, I have used the same public ip for a different static NAT, here is my config - </P><P></P><P>object network websrv1</P><P> nat (to-nexus,Outside) static 100.100.100.100 service tcp https https</P><P>object network websrv2</P><P> nat (to-nexus,Outside) static 100.100.100.100 service tcp 8443 https</P><P></P><P>I believe although it has taken the config, the order counts. Under "show nat", entry no.1 is what is taking preference and no hits on entry 2.&nbsp; </P><P></P><P>Auto NAT Policies (Section 2)</P><P>1 (to-nexus) to (Outside) source static websrv1 100.100.100.100&nbsp;&nbsp; service tcp https https</P><P>&nbsp;&nbsp;&nbsp; translate_hits = 1, untranslate_hits = 11187</P><P>2 (to-nexus) to (Outside) source static websrv2 100.100.100.100&nbsp;&nbsp; service tcp 8443 https</P><P>&nbsp;&nbsp;&nbsp; translate_hits = 0, untranslate_hits = 0</P><P></P><P>ANY THOUGHTS?</P></BODY></HTML> Mon, 16 Dec 2013 19:24:58 GMT https://community.cisco.com/t5/network-security/port-redirection-using-the-same-public-ip/m-p/2363005#M307037 sandevsingh 2013-12-16T19:24:58Z https://community.cisco.com/t5/network-security/port-redirection-using-the-same-public-ip/m-p/2363006#M307038 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Yes, since we are doing Auto NAT / Network Object NAT (the ones configured under <STRONG>"object" </STRONG>configurations) that means the ASA will order the NAT rules based on predefined rules.</P><P></P><P>I think in your case it comes down perhaps to the last determining factor which is the<STRONG> "object"</STRONG> name (alphabetical order). They are otherwise the same but the other one ends with<STRONG> "1"</STRONG> and the other one with <STRONG>"2"</STRONG>. This is why the<STRONG> "websrv1" </STRONG>one is working.</P><P></P><P>But this is NOT the actual problem. I think you have the ports configured the wrong way around.</P><P></P><P>The first port listed after the<STRONG> "service tcp"</STRONG> or <STRONG>"service udp"</STRONG> should be the local/real port. This is the port that is actually listening on the host/server. The second port listed should be the mapped/public port.</P><P></P><P>So the NAT under the <STRONG>"object network websrv2"</STRONG> should be</P><P></P><P><STRONG>nat (to-nexus,Outside) static 100.100.100.100 service tcp https 8443</STRONG></P><P></P><P>Try that and see if it works.</P><P></P><P>Notice that you can use the <STRONG>"?"</STRONG> after the<STRONG> "tcp"</STRONG> section of that command which will list if the next expected value is the real/local port or the mapped/public port.</P><P></P><P>- Jouni</P></BODY></HTML> Mon, 16 Dec 2013 19:41:25 GMT https://community.cisco.com/t5/network-security/port-redirection-using-the-same-public-ip/m-p/2363006#M307038 Jouni Forss 2013-12-16T19:41:25Z https://community.cisco.com/t5/network-security/port-redirection-using-the-same-public-ip/m-p/2363007#M307039 <HTML><HEAD></HEAD><BODY><P>Thanks for pointing that out, thats worked. !!!</P></BODY></HTML> Mon, 16 Dec 2013 20:15:13 GMT https://community.cisco.com/t5/network-security/port-redirection-using-the-same-public-ip/m-p/2363007#M307039 sandevsingh 2013-12-16T20:15:13Z