PAT with different default gateway

yolo230985 — Mon, 11 Mar 2019 17:07:46 GMT

Hi I have a Windows XP client with IP 192.168.1.10/24 and as default gateway a router 192.168.1.1

I have assigned a second IP address on the XP: 192.168.2.10/24.

And I have installed an ASA:

interface Ethernet0/0
nameif Outside
security-level 0
ip address xxx.xxx.xxx.1 255.255.255.0 !
interface Ethernet0/1
nameif Inside
security-level 50
ip address 192.168.2.1 255.255.255.0

I try to do a static port forwarding:

access-list Outside_to_Inside extended permit ip any any

nat-control
nat (Inside) 1 0.0.0.0 0.0.0.0
static (Inside,Outside) tcp xxx.xxx.xxx.10 www 192.168.2.10 www netmask
255.255.255.255

access-group Outside_to_Inside in interface Outside

Should the translation work without changing the default gateway of the XP to ASA (192.168.2.1)?

In my case the translation does not work so far:

sh nat
   match tcp Inside host 192.168.2.10 eq 80 Outside any
      static translation to xxx.xxx.xxx.xxx/80
     translate_hits = 0, untranslate_hits = 2

Any help would be much appreciated.

Re: PAT with different default gateway

Matthew Warrick — Thu, 11 Feb 2010 15:17:54 GMT

Based on what you wrote the Windows XP host probably has a default route for all 0.0.0.0 networks via its 192.168.10.1 gateway.

You can inspect this by doing a:

netstat -nr from a command prompt.

In order for the responses to egress the proper interface on the XP client you will need the 0.0.0.0 route to point to the 192.168.20.1 gateway.

You can delete and readd the 10 network interface on the client so the 20 network becomes the default or manually delete the default route and add a persistent static route via the 20 interface. Remember to use the -p switch on the route command if you want it to remain persistent across reboots.

topic Re: PAT with different default gateway in Network Security

PAT with different default gateway

Re: PAT with different default gateway