topic PAT interface address with static NAT port translation in Network Security

PAT interface address with static NAT port translation

ampowell — Mon, 11 Mar 2019 21:16:03 GMT

I have an 8.3(2) ASA with a single outside IP. Dynamic PAT translates inside addresses to the outside interface address. I would like to use static NAT with port translation to access an inside syslog server. I got an error when I tried using the outside interface address. Can I use both dynamic PAT and Port Translation with the same outside address?

This is what I would like to use but I receive an error saying there is an overlap using the outside interface address. Is there a different way to accomplish this?

(192.168.1.0 is my inside network. 10.10.1.10 is the outside interface IP.)

object network inside-net

subnet 192.168.1.0 255.255.255.0

nat (inside, outside) dynamic interface

object network SYSLOG_SERVER

host 192.168.1.50

nat (inside,outside) static 10.10.1.10 service tcp ssh ssh

PAT interface address with static NAT port translation

varrao — Wed, 24 Aug 2011 07:21:01 GMT

Hi,

Well the logic that you understand is perfecctly correct, you can use dynamic pat and statric port forwarding for the same public ip. Reason being, whenever users go to the internet using dynamic pat, they use the ports greater than 1200 or 1500 (not really sure about the exact number) to go to the internet, which means well known ports are not used.

So you can do static port forwarding for the well known ports.

Now coming onto your scenario, there might be some other conflicting nat statement, so can you provide the output of "show run nat" from the firewall?

I would need to go through it to analyze the reason for it.

Hope this helps.

Thanks,

Varun

PAT interface address with static NAT port translation

ampowell — Wed, 24 Aug 2011 14:54:08 GMT

This is my response attempting to add the object network SYSLOG_SERVER commands.

ERROR: Address 10.10.1.10 overlaps with outside interface address.

ERROR: NAT Policy is not downloaded

asatest(config)# show run nat

object network inside-net

nat (inside,outside) dynamic interface

asatest(config)#

asatest(config)# show run int

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

interface Vlan2

nameif outside

security-level 0

ip address 10.10.1.10 255.255.255.0

interface Ethernet0/0

switchport access vlan 2

interface Ethernet0/1

interface Ethernet0/2

interface Ethernet0/3

interface Ethernet0/4

interface Ethernet0/5

interface Ethernet0/6

asatest(config)#

PAT interface address with static NAT port translation

varrao — Wed, 24 Aug 2011 15:29:55 GMT

Hi,

You need to try this nat:

object network SYSLOG_SERVER

host 192.168.1.50

object service tcp_ssh

service tcp destination eq 22

nat (outside,inside) source static any any destination statinc interface SYSLOG_SERVER service tcp_ssh tcp_ssh

Actually for the interface ip address, you would not be able to craete an object network, because you already have an "interface" keyword for it.

Hope this resolves your query

Thanks,

Varun

PAT interface address with static NAT port translation

varrao — Wed, 24 Aug 2011 15:39:46 GMT

You can also use this:

object network SYSLOG_SERVER

host 192.168.1.50

nat (inside,outside) static interface service tcp ssh ssh

Both the nat statements are the same.

Thanks,

Varun

PAT interface address with static NAT port translation

ampowell — Wed, 24 Aug 2011 16:21:25 GMT

Both solutions work. The second with the interface keyword is what I was missing.

Thanks,

Ann

PAT interface address with static NAT port translation

varrao — Wed, 24 Aug 2011 16:22:59 GMT

Hi Ann,

Glad it worked for you, I guess you can now mark this thread as answered.

-Varun