https://community.cisco.com/t5/network-security/pat-not-compatible-for-multiple-mappings/m-p/1278100#M858484 <HTML><HEAD></HEAD><BODY><P>Err you are trying to input;-</P><P>static (inside,dmz) tcp interface 8013 10.144.100.92 8002</P><P></P><P>BUT you already have in your config:-</P><P>static (inside,dmz) tcp interface 8000 10.144.100.92 8002 netmask 255.255.255.255 </P><P></P><P>AFAIK - you cannot have 2 statements that define a different source port - but have the same desintation port...I may be wrong.</P><P></P><P>HTH&gt;</P><P></P></BODY></HTML> Wed, 22 Jul 2009 11:22:46 GMT andrew.prince 2009-07-22T11:22:46Z https://community.cisco.com/t5/network-security/pat-not-compatible-for-multiple-mappings/m-p/1278099#M858483 <P>Guy's, can any one shed some light on this please?</P><P></P><P>I am trying to replace a gnat box with a cisco PIX but it would appear that the Pix can not perform what the Gnat Box does.</P><P></P><P>We have PAT mapping multiple different external/translate ports to the same server on the same original port. Cisco will not allow this? Why?</P><P></P><P>I can understand you not being able to map the same translate ports to multiple original ports as the device would not know which statement to choose. However the other way round should work as this is what we have configured on the Gnat box device. In theory it should work too?</P><P></P><P>Any help would be immenseley appreciated on this as I'm know wondering whether the PIX is not up to the job for this type of advanced PAT work.</P><P></P><P>Statement that conflicts;</P><P></P><P>CISCLNFW1(config)# static (inside,dmz) tcp interface 8013 10.144.100.92 8002 n$</P><P>ERROR: duplicate of existing static</P><P> TCP inside:10.144.100.92/8002 to dmz:192.168.0.21/8000 netmask 255.255.255.255</P><P>Usage: [no] static [(real_ifc, mapped_ifc)]</P><P> {&lt;mapped_ip&gt;|interface}</P><P> {&lt;real_ip&gt; [netmask &lt;mask&gt;]} | {access-list &lt;acl_name&gt;}</P><P> [dns]</P><P> [[tcp] &lt;max_conns&gt; [&lt;emb_lim&gt; [&lt;norandomseq&gt; [nailed]]]]</P><P> [udp &lt;max_conns&gt;]</P><P> [no] static [(real_ifc, mapped_ifc)] {tcp|udp}</P><P> {&lt;mapped_ip&gt;|interface} &lt;mapped_port&gt;</P><P> {&lt;real_ip&gt; &lt;real_port&gt; [netmask &lt;mask&gt;]} |</P><P> {access-list &lt;acl_name&gt;}</P><P> [dns]</P><P> [[tcp] &lt;max_conns&gt; [&lt;emb_lim&gt; [&lt;norandomseq&gt; [nailed]]]]</P><P> [udp &lt;max_conns&gt;]</P><P> show running-config [all] static [&lt;mapped_ip&gt;]</P><P> clear configure static</P><P></P><P></P><P></P><P></P><P>nat-control</P><P>global (outside) 1 interface</P><P>nat (inside) 1 0.0.0.0 0.0.0.0</P><P>nat (dmz) 0 access-list dmz_nat0_outbound outside</P><P>static (inside,dmz) tcp interface 8000 10.144.100.92 8002 netmask 255.255.255.255</P><P>static (inside,dmz) tcp interface pop3 10.144.100.77 pop3 netmask 255.255.255.255</P><P>static (inside,dmz) tcp interface smtp 10.144.100.77 smtp netmask 255.255.255.255</P><P>static (inside,dmz) tcp interface 8001 10.144.100.74 8001 netmask 255.255.255.255</P><P>static (inside,dmz) tcp interface 5002 10.144.100.74 5002 netmask 255.255.255.255</P><P>static (inside,dmz) tcp interface 5007 10.144.100.74 5007 netmask 255.255.255.255</P><P>static (inside,dmz) tcp interface 5006 10.144.100.74 5006 netmask 255.255.255.255</P><P>static (inside,dmz) tcp interface 5005 10.144.100.74 5005 netmask 255.255.255.255</P><P>static (inside,dmz) tcp interface 5004 10.144.100.74 5004 netmask 255.255.255.255</P><P>static (inside,dmz) tcp interface 5001 10.144.100.74 5001 netmask 255.255.255.255</P><P>static (inside,dmz) tcp interface 5003 10.144.100.77 5003 netmask 255.255.255.255</P><P>static (inside,dmz) tcp interface 5000 10.144.100.74 5000 netmask 255.255.255.255</P><P>static (inside,dmz) tcp 192.168.0.10 9000 10.144.100.70 7000 netmask 255.255.255.255</P><P>static (dmz,outside) liswww2_ext 192.168.0.23 netmask 255.255.255.255</P><P>static (dmz,outside) interface dmzwww netmask 255.255.255.255</P><P>static (dmz,inside) 10.144.100.74 192.168.0.21 netmask 255.255.255.255</P><P>access-group outside_access_in in interface outside</P><P>access-group inside_access_in in interface inside</P><P>access-group dmz_access_in in interface dmz</P><P></P> Wed, 13 Mar 2019 00:59:23 GMT https://community.cisco.com/t5/network-security/pat-not-compatible-for-multiple-mappings/m-p/1278099#M858483 ccannon88567 2019-03-13T00:59:23Z https://community.cisco.com/t5/network-security/pat-not-compatible-for-multiple-mappings/m-p/1278100#M858484 <HTML><HEAD></HEAD><BODY><P>Err you are trying to input;-</P><P>static (inside,dmz) tcp interface 8013 10.144.100.92 8002</P><P></P><P>BUT you already have in your config:-</P><P>static (inside,dmz) tcp interface 8000 10.144.100.92 8002 netmask 255.255.255.255 </P><P></P><P>AFAIK - you cannot have 2 statements that define a different source port - but have the same desintation port...I may be wrong.</P><P></P><P>HTH&gt;</P><P></P></BODY></HTML> Wed, 22 Jul 2009 11:22:46 GMT https://community.cisco.com/t5/network-security/pat-not-compatible-for-multiple-mappings/m-p/1278100#M858484 andrew.prince 2009-07-22T11:22:46Z https://community.cisco.com/t5/network-security/pat-not-compatible-for-multiple-mappings/m-p/1278101#M858486 <HTML><HEAD></HEAD><BODY><P>Andrew, it's something I have not seen before but it is definately in place on the existing solution.</P><P></P><P>Can anyone else please advise? Will an ASA perform this if not the PIX?</P><P></P><P>It is on an existing config of the gnat box, I'm shocked that Cisco PIX does not support this.</P><P></P><P>In theory it should work fine?</P><P></P><P>Help needed! </P></BODY></HTML> Wed, 22 Jul 2009 11:47:33 GMT https://community.cisco.com/t5/network-security/pat-not-compatible-for-multiple-mappings/m-p/1278101#M858486 ccannon88567 2009-07-22T11:47:33Z https://community.cisco.com/t5/network-security/pat-not-compatible-for-multiple-mappings/m-p/1278102#M858488 <HTML><HEAD></HEAD><BODY><P>I tried to out this in my lab pix 525 and ASA5510 and both devices returned the same error:-</P><P></P><P>pixfirewall(config)# static (inside,dmz) tcp interface 8013 10.144.100.92 8002$</P><P>ERROR: duplicate of existing static</P><P> TCP inside:10.144.100.92/8002 to dmz:192.168.0.254/8000 netmask 255.255.255.255</P><P></P><P>But when I added:-</P><P>pixfirewall(config)#</P><P>pixfirewall(config)# static (inside,dmz) tcp interface 8013 10.144.100.92 8003 netmask 255.255.255.255</P><P>pixfirewall(config)#</P><P></P><P>So I tried something differnet:-</P><P></P><P>static (inside,dmz) tcp interface 8000 10.144.100.77 pop3 netmask 255.255.255.255</P><P></P><P>and recevied the error:-</P><P>pixfirewall(config)# static (inside,dmz) tcp interface 8000 10.144.100.77 pop3$</P><P>ERROR: mapped-address conflict with existing static</P><P> TCP inside:10.144.100.92/8002 to dmz:192.168.0.254/8000 netmask 255.255.255.255</P><P></P><P></P><P>Conclusion - Multiple configs of tcp src/dst ports is not permitted - even to differenet backend servers.</P><P></P><P>HTH&gt;</P></BODY></HTML> Wed, 22 Jul 2009 12:02:24 GMT https://community.cisco.com/t5/network-security/pat-not-compatible-for-multiple-mappings/m-p/1278102#M858488 andrew.prince 2009-07-22T12:02:24Z https://community.cisco.com/t5/network-security/pat-not-compatible-for-multiple-mappings/m-p/1278103#M858492 <HTML><HEAD></HEAD><BODY><P>Andrew, thanks your help on on investigating this matter.</P><P></P><P>I have found a solution in the form of Policy NAT and thought that you would be interested.</P><P></P><P>Policy NAT enables you to map otherwise overlapping conflicts through normal statements (please note that it will not allow you to overlap "translated ports" only original to the same server as it would be impossible for the device to route the traffic).</P><P></P><P>Here's how;</P><P></P><P>access-list Policy_NAT_1 extended permit tcp host 10.0.0.1 eq 8000</P><P></P><P>access-list Policy_NAT_2 extended permit tcp host 10.0.0.1 eq 8000</P><P></P><P>static (inside,outside) tcp 62.62.62.1 8013 access-list Policy_NAT_1</P><P></P><P>static (inside,outside) tcp 62.62.62.1 8012 access-list Policy_NAT_2</P><P></P><P>Hey presto - 2 different ports mapped to the same inside server and to the same original port <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> </P><P></P><P>Just make sure that your ACL's have different names even though they state the same thing. </P><P></P><P>Carlton</P></BODY></HTML> Thu, 23 Jul 2009 14:52:51 GMT https://community.cisco.com/t5/network-security/pat-not-compatible-for-multiple-mappings/m-p/1278103#M858492 ccannon88567 2009-07-23T14:52:51Z https://community.cisco.com/t5/network-security/pat-not-compatible-for-multiple-mappings/m-p/1278104#M858494 <HTML><HEAD></HEAD><BODY><P>LOL!</P><P></P><P>I had found roughly the same thing, in a head scratching moment after my post on my first test lab!</P><P></P><P>5 pts for posting first.</P></BODY></HTML> Thu, 23 Jul 2009 14:57:36 GMT https://community.cisco.com/t5/network-security/pat-not-compatible-for-multiple-mappings/m-p/1278104#M858494 andrew.prince 2009-07-23T14:57:36Z https://community.cisco.com/t5/network-security/pat-not-compatible-for-multiple-mappings/m-p/1278105#M858496 <HTML><HEAD></HEAD><BODY><P>Thanks Andrew!</P><P></P><P>5 pts for effort - setting up a lab to help me out of a tricky situation! <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P></BODY></HTML> Thu, 23 Jul 2009 19:52:12 GMT https://community.cisco.com/t5/network-security/pat-not-compatible-for-multiple-mappings/m-p/1278105#M858496 ccannon88567 2009-07-23T19:52:12Z