https://community.cisco.com/t5/network-security/static-policy-nat-rule-problem/m-p/1373733#M735591 <HTML><HEAD></HEAD><BODY><P>What you need is Static PAT. Take a look at the Cmd ref for the ASA.</P><P></P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/s8.html#wp1414075">http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/s8.html#wp1414075</A></P><P></P><P>This allows you to use the same mapped (translated) address for multiple statics statements.</P><P></P><P>The problem I see here in your example and might be why your getting an overlap error, is the translated port in PAT must always be unique.</P><P></P><P>Also bear in mind that if the translated address is the address of you external interface then you need to use the 'Interface' keyword instead of the ip.</P><P></P><P>If you are still having an issue let me know and i'll see if I can put the cli config together for you to test.</P><P></P><P>Stu</P></BODY></HTML> Tue, 09 Mar 2010 20:01:30 GMT stuart 2010-03-09T20:01:30Z https://community.cisco.com/t5/network-security/static-policy-nat-rule-problem/m-p/1373732#M735582 <P>I'm trying to create a NAT rule that exists on our decommissioned Watchguard firewall but which I can't seem to create on the new Cisco ASA. The rule is as follows:</P><P></P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <SPAN style="text-decoration: underline;">Internal IP Add</SPAN>&nbsp; <SPAN style="text-decoration: underline;">Port</SPAN>&nbsp;&nbsp;&nbsp;&nbsp; <SPAN style="text-decoration: underline;">NAT Address</SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <SPAN style="text-decoration: underline;">Destination IP Add</SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <SPAN style="text-decoration: underline;">Port </SPAN></P><P>Rule1: 192.168.10.13&nbsp;&nbsp; 13001&nbsp; 195.216.165.243&nbsp; 161.20.1.1 to 161.20.2.1&nbsp;&nbsp; 12001</P><P>Rule2: 192.168.10.13&nbsp;&nbsp; 14002&nbsp; 195.216.165.243&nbsp; 171.10.3.1 to 171.10.5.1&nbsp;&nbsp; 12001</P><P></P><P><SPAN style="text-decoration: underline;"><STRONG>RULE-1 Static Policy NAT Rule:</STRONG></SPAN></P><P></P><P><SPAN style="text-decoration: underline;"><STRONG>Original</STRONG></SPAN></P><P>Interface: DMZ</P><P>Source Address: 192.168.10.13</P><P>Destination Address: 161.20.1.1 to 161.20.2.1 (<STRONG>RULE1_OG</STRONG> object group for clarity)</P><P><SPAN style="text-decoration: underline;"><STRONG>Translated</STRONG></SPAN></P><P>Interface: External</P><P>Use IP Address: 195.216.165.243</P><P><STRONG style="text-decoration: underline; ">Port Address Translation</STRONG></P><P>Original Port: 13001</P><P>Translated Port: 12001</P><P></P><P><STRONG style="text-decoration: underline; ">RULE-2 Static Policy NAT Rule:</STRONG></P><P></P><P><SPAN style="text-decoration: underline;"><STRONG>Original</STRONG></SPAN></P><P>Interface: DMZ</P><P>Source Address: 192.168.10.13</P><P>Destination Address: 171.10.3.1 to 171.10.5.1 (<STRONG>RULE1_OG</STRONG> object group for clarity)</P><P><SPAN style="text-decoration: underline;"><STRONG>Translated</STRONG></SPAN></P><P>Interface: External</P><P>Use IP Address: 195.216.165.243</P><P><STRONG style="text-decoration: underline; ">Port Address Translation</STRONG></P><P>Original Port: 14002</P><P>Translated Port: 12001</P><P></P><P>I thought i could use a Static Policy NAT Rule in ASDM. I can create RULE-1 ok, but when i create RULE-2, it overlaps with RULE-1 and while it does add it into the configuration(with warnings) when i test the rules the ASA always translates the ports as per Rule-1 whether destination address is RULE1_OG or RULE2_OG.</P><P></P><P>Does anyone have any idea how I can do this?</P> Mon, 11 Mar 2019 17:19:05 GMT https://community.cisco.com/t5/network-security/static-policy-nat-rule-problem/m-p/1373732#M735582 bgl-group 2019-03-11T17:19:05Z https://community.cisco.com/t5/network-security/static-policy-nat-rule-problem/m-p/1373733#M735591 <HTML><HEAD></HEAD><BODY><P>What you need is Static PAT. Take a look at the Cmd ref for the ASA.</P><P></P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/s8.html#wp1414075">http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/s8.html#wp1414075</A></P><P></P><P>This allows you to use the same mapped (translated) address for multiple statics statements.</P><P></P><P>The problem I see here in your example and might be why your getting an overlap error, is the translated port in PAT must always be unique.</P><P></P><P>Also bear in mind that if the translated address is the address of you external interface then you need to use the 'Interface' keyword instead of the ip.</P><P></P><P>If you are still having an issue let me know and i'll see if I can put the cli config together for you to test.</P><P></P><P>Stu</P></BODY></HTML> Tue, 09 Mar 2010 20:01:30 GMT https://community.cisco.com/t5/network-security/static-policy-nat-rule-problem/m-p/1373733#M735591 stuart 2010-03-09T20:01:30Z https://community.cisco.com/t5/network-security/static-policy-nat-rule-problem/m-p/1373734#M735602 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Is interesting because if I apply the same concept via CLI:</P><P></P><P>access-list test1 permit tcp host 192.168.10.13 eq 13001 object-group RULE1_OG eq 12001<BR />static (inside,outside) tcp 195.216.165.243 12001 access-list test1 13001</P><P></P><P>access-list test2 permit tcp host 192.168.10.13 eq 14002 object-group RULE1_OG eq 12001<BR />static (inside,outside) tcp 195.216.165.243 12001 access-list test1 13001</P><P></P><P>With the Object Groups defined... I get the same overlapping error...</P><P></P><P>I think that because you're mapping statically the same source IP to the same NATed IP using the same destination port that's where you get the error.</P><P></P><P>Federico.</P></BODY></HTML> Tue, 09 Mar 2010 20:05:35 GMT https://community.cisco.com/t5/network-security/static-policy-nat-rule-problem/m-p/1373734#M735602 Federico Coto Fajardo 2010-03-09T20:05:35Z