topic ASA 5510 NAT issue in Network Security

ASA 5510 NAT issue

Kilgore8086 — Tue, 12 Mar 2019 02:51:22 GMT

Hi,

We're in the process of transisitioning our exchange server and have everything setup and working.

I've changed the IP address on the ASA to the new server, just changed the 3 rules which were already inplace but got an error on the 2 NAT object rules saying there was an overlap between the external interface.

I've tried a restore to before I made the changes but it doesn't correct anything. I can see these in the original config but aren't in the new one.

object network ExchHTTP

nat (Internal_Interface,External_interface) static interface service tcp www www

object network ExchSMTP

nat (

Internal_Interface,External_interface) static interface service tcp smtp smtp

Everything else in the config is the same but when I try to add these (via the GUI because I'm a cisco Noob) I get an overlap error.

Why is the restore not adding them or how can I manually add them?

Thanks in advance

ASA 5510 NAT issue

Jouni Forss — Sat, 12 Oct 2013 13:02:01 GMT

Hi,

You mention that you are migrating/transitioning to a new server and that you are creating NAT rules for the new Exchange server? You also mention that you get an error message of overlap with the NAT rules.

The above would seem to me to suggest that you still have similiar Static PAT (Port Forward) configurations perhaps for the original server from which you are migrating/transitioning?

If this is true then naturally you can only have Static PAT configured for WWW and SMTP for one of those servers if your are planning to use the "External_interface" IP address as specified in the "nat" command with the "interface" parameter.

To confirm this you could take the CLI format output of the command

show run nat

You can do this through the ASDM GUI also. Just go to Tools -> Command Line Interface -> Enter the above command -> Send it to the device -> Copy/Paste the output here (except any possible public IP address information, replace those with something else)

- Jouni

ASA 5510 NAT issue

Kilgore8086 — Sat, 12 Oct 2013 13:07:23 GMT

Hi,

Thanks for the reply, I've managed to sort it.

I wasn't trying to add more rules just change the existing ones and before I'd done it I recieved the error message.

I've created the nat agian pointing to the new server from the command line and it's all working. Still not sure why it wouldn't let me do it through the GUI but doesn't matter now as it's working.

Thanks

ASA 5510 NAT issue

Jouni Forss — Sat, 12 Oct 2013 13:22:52 GMT

Hi,

Unless you have already already enabled the setting on the ASDM GUI I would suggest you go to

Tools -> Preferences -> Check the box - Preview commands before sending them to the device

This will have the ASDM GUI show you the CLI format of the configuration that you are about to enter to the device before you do it.

I am also not sure what problem has been. Good to hear that its sorted now though

- Jouni