topic Static Nate Rule in Network Security

Static Nate Rule

KennyAlsic — Mon, 11 Mar 2019 17:54:25 GMT

Dear,

When I try to add a second item to the source of a static nat rule, it replaces the original source item. Even if I try to add an extra static nat rule with a different source natted to the same destination IP, it asks me to replace the original rule.

I also tried to expand the source from one ip to /24 network but in this case I get an error the subnetmask of source and destination (/32) are not equal.

Any idea how I can allow two source ip addresses translated to one Ipadress over one interface?

The firewall is a Cisco ASA5520 running software version 8.0(3)

Any help really appreciated.

Kind regards,

Kenny

Re: Static Nate Rule

Federico Coto Fajardo — Thu, 03 Jun 2010 13:23:33 GMT

Kenny,

You cannot translate the same internal IP address to two different IP address statically, for example, the below command won't work:

static (in,out) 200.1.1.1 10.1.1.1

static (in,out) 200.1.1.2 10.1.1.1 --> you will get an overlapping error here

The reason it does not work is because the ASA won't know to which address translate 10.1.1.1 (because you have two static rules).

What you can do though is use static PAT:

static (in,out) tcp 200.1.1.1 80 10.1.1.1 80

static (in,out) tcp 200.1.1.2 25 10.1.1.1 25

The first line you're translating the internal 10.1.1.1 to 200.1.1.1 when using TCP port 80

The second line you're translating the same internal 10.1.1.1 to 200.1.1.2 when using TCP port 25... and so on...

Let me know if it helps.

Federico.

Re: Static Nate Rule

KennyAlsic — Thu, 03 Jun 2010 13:34:05 GMT

Federico,

Thanks for the quick reply, but that was not the thing I am looking for ... maybe my question was not clear. Here it comes again:

I need to translate two different internal ipaddresses to another ipaddress.

Kind regards,

Kenny

Re: Static Nate Rule

Federico Coto Fajardo — Thu, 03 Jun 2010 13:56:50 GMT

Kenny,

Sorry for the misunderstanding, but the same rule applies.

You cannot translate two different internal IP addresses to the same outside IP adress statically (only using STATIC PAT)

Normally this is desired when say, you have two internal servers and one listens on one port and the other one on a different port and you want to map them both to the same outside IP.

This can be done with static PAT.

Federico.