I have a strange problem with some NAT rules.
Cisco Adaptive Security Appliance Software Version 8.0(5)9
Device Manager Version 6.2(5)
We have a machine which is connected in a DMZ and then external clients talk to the machine.
Due to historical reasons most of the clients talk to the machine on port 13002. However, internally this is translated, according to the source address, to a different port number.
This is currently running on a WatchGuard firewall and works correctly.
We have tried programming this onto a Cisco firewall and are coming up with some difficulties.
A static policy NAT has been created using the source as the internal address of the machine, and the destination as the external addresses that we are dealing with. It translates to the REAL address of the machine and then PATs to the new port number.
This works fine with the first one we put in - doing a packet trace reveals all the addresses and ports being translated correctly.
The problem occurs when we add the second set into this. For this set we just change the destination and the port number.
The firewall accepts the rule with a warning and everything looks fine.
However, when you test the rule the port is always translated to the port specified in the first section and not the one requested.
The screenshot below (large) shows the rules and a packet trace to an address in the set2 group.
Extract of config as requested.
object-group network orion_nat_15
 network-object 18.104.22.168 255.255.255.255
object-group network orion_nat_17
 network-object 22.214.171.124 255.255.255.255
object-group network LIVEEXAG_gocompare_set1
 network-object 126.96.36.199 255.255.255.255
object-group network LIVEEXAG_gocompare_set2
 description There are two sets of IPs for gocompare used on different rule sets.......
 network-object 188.8.131.52 255.255.255.255
static (DMZ,External) tcp 184.108.40.206 13002 access-list DMZ_nat_static_1
access-list CSM_FW_ACL_External extended permit tcp object-group LIVEEXAG_gocompare_set1 object-group orion_nat_15 eq 13002
access-list CSM_FW_ACL_External extended permit tcp object-group LIVEEXAG_gocompare_set2 object-group orion_nat_15 eq 13002
access-list CSM_FW_ACL_External extended permit tcp object-group LIVEEXAG_gocompare_set1 object-group orion_nat_15 eq 13202
access-list CSM_FW_ACL_External extended permit tcp object-group LIVEEXAG_gocompare_set2 object-group orion_nat_15 eq 13202
access-list DMZ_nat_static_1 extended permit tcp host 172.20.0.15 eq 13102 object-group LIVEEXAG_gocompare_set1
access-list DMZ_nat_static_1 extended permit tcp host 172.20.0.15 eq 13202 object-group LIVEEXAG_gocompare_set2
This is working as designed. The warning message you saw is correct. This is overlapping.
Whichever one hits first and continues to see traffic is the one that will work. The other will break.
This is the same as doing the following: overlapping.
static (DMZ,External) tcp 220.127.116.11 13002 172.20.0.15 13102
static (DMZ,External) tcp 18.104.22.168 13002 172.20.0.15 13202
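The overlap the answer describes (two real ports behind one mapped IP:port on the same interface pair) can be caught before it is pushed to the box. The script below is an added example, not code from either poster or from Cisco: it parses the two `static` forms seen in this thread (policy NAT with an `access-list`, and plain port static) from an ASA 8.x-style config, expands the policy ACL's `host ... eq PORT` entries, groups everything by (real interface, mapped interface, protocol, mapped IP, mapped port), and reports any mapped key that more than one real endpoint claims. The embedded config is constructed to mirror the thread's entries and the answer's two equivalent statics; regexes cover only the syntax shown on the page plus an optional trailing `netmask`, so other NAT forms are assumptions left out.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the config in the thread (not the poster's exact config).
# The first static + its policy ACL is the original form; the next two statics are the
# answer's equivalent "overlapping" pair; the last static is a non-overlapping control.
SAMPLE_CONFIG = """\
static (DMZ,External) tcp 184.108.40.206 13002 access-list DMZ_nat_static_1
access-list DMZ_nat_static_1 extended permit tcp host 172.20.0.15 eq 13102 object-group LIVEEXAG_gocompare_set1
access-list DMZ_nat_static_1 extended permit tcp host 172.20.0.15 eq 13202 object-group LIVEEXAG_gocompare_set2
static (DMZ,External) tcp 220.127.116.11 13002 172.20.0.15 13102
static (DMZ,External) tcp 220.127.116.11 13002 172.20.0.15 13202
static (DMZ,External) tcp 220.127.116.11 13003 172.20.0.15 13303
"""

# static (REAL_IF,MAPPED_IF) tcp|udp MAPPED_IP MAPPED_PORT (access-list NAME | REAL_IP REAL_PORT) [netmask M]
STATIC_RE = re.compile(
    r"^static \((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\) (?P<proto>tcp|udp) "
    r"(?P<mapped_ip>\S+) (?P<mapped_port>\S+) "
    r"(?:access-list (?P<acl>\S+)|(?P<real_ip>\S+) (?P<real_port>\S+))"
    r"(?: netmask \S+)?\s*$"
)
# Only the policy-NAT ACE shape used on this page: "host REAL_IP eq REAL_PORT ..."
ACE_RE = re.compile(
    r"^access-list (?P<name>\S+) extended permit (?P<proto>tcp|udp) "
    r"host (?P<real_ip>\S+) eq (?P<real_port>\S+) "
)


def parse_translations(config):
    """Flatten statics into (mapped_key, real_endpoint, source_line) triples.

    mapped_key = (real_if, mapped_if, proto, mapped_ip, mapped_port)
    real_endpoint = (real_ip, real_port)
    A policy static contributes one triple per matching ACE in its access-list.
    """
    acl_aces = defaultdict(list)
    statics = []
    for raw in config.splitlines():
        line = raw.strip()
        m = ACE_RE.match(line)
        if m:
            acl_aces[m.group("name")].append((m.group("real_ip"), m.group("real_port"), line))
            continue
        m = STATIC_RE.match(line)
        if m:
            statics.append((m, line))

    translations = []
    for m, line in statics:
        key = (m.group("real_if"), m.group("mapped_if"), m.group("proto"),
               m.group("mapped_ip"), m.group("mapped_port"))
        if m.group("acl"):
            for real_ip, real_port, ace in acl_aces.get(m.group("acl"), []):
                translations.append((key, (real_ip, real_port), ace))
        else:
            translations.append((key, (m.group("real_ip"), m.group("real_port")), line))
    return translations


def find_overlaps(config):
    """Return {mapped_key: {real_endpoint: first_source_line}} for every mapped
    IP:port on an interface pair that more than one real endpoint translates to."""
    by_mapped = defaultdict(dict)
    for key, real, line in parse_translations(config):
        by_mapped[key].setdefault(real, line)
    return {key: reals for key, reals in by_mapped.items() if len(reals) > 1}


if __name__ == "__main__":
    for key, reals in find_overlaps(SAMPLE_CONFIG).items():
        real_if, mapped_if, proto, mip, mport = key
        print(f"OVERLAP ({real_if},{mapped_if}) {proto} {mip}:{mport} claimed by:")
        for (rip, rport), line in reals.items():
            print(f"    {rip}:{rport}   <- {line}")
```

Run against the constructed sample it reports two overlapping mapped endpoints (184.108.40.206:13002 via the policy ACL, and 220.127.116.11:13002 via the two plain statics), each claimed by 172.20.0.15:13102 and 172.20.0.15:13202, and stays silent on the 13003 entry. The check is keyed on the mapped side only, which is exactly the ambiguity the ASA warns about: the inbound packet to X:13002 carries nothing that selects between the two real ports once the first translation has been built.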