ASA 5506-X PAT,NAT,ACL Single Public IP

Ryeloc
Level 1

I'm having a confusing moment configuring static NAT with a single IP address.

I want to allow TCP-1723 traffic through to a server on the inside interface, while using a single IP address for this static NAT and PAT from inside to outside. 

 

So for starters I'm using

nat (inside,outside) source dynamic any interface

 

This gets me up and running using PAT. Now I want to configure my internal server to allow the connections for a static TCP port inbound.

 

object service TCP-1723

service tcp destination eq pptp

object network SERVER-1

host 10.1.1.10

object network WAN-2

host 1.1.1.2

nat (outside,inside) source static any any destination static WAN-2 SERVER-1 service TCP-1723 TCP-1723 unidirectional no-proxy-arp

ERROR: Address 1.1.1.2 overlaps with outside interface address.

ERROR: NAT Policy is not downloaded

 

That doesn't seem to work... so I went another route.

 

object network SERVER-1

nat (inside,outside) static interface service tcp 1723 1723

 

access-list outside_access_in extended permit tcp any object SERVER-1 eq 1723

access-group outside_access_in in interface outside

 

The ASA seems to have accepted the commands and created a network object NAT rule.

 

I test, and nothing. I check my ACL and it has 0 hit counts. Not sure what the issue is here, I don't seem to have any issues when using a public IP address that's not assigned to my outside interface. For example, if I used 1.1.1.3/29. In my environment I only have a single public IP address so that's not going to be doable. 

5 Replies

balaji.bandi
Hall of Fame

Look at this good example, which is explained well:

 

https://www.packet6.com/configuring-nat-for-a-public-server-using-same-outside-interface/

 

BB


Thanks for the reply. I did find that same article, and it doesn't work in my lab. That was the second option I did, with the network object NAT policy. The packet is dropped at the firewall by the global deny-all ACL.

Ajay Saini
Level 7

Hello,

 

The configuration looks okay. Can you please attach a packet-tracer output:

 

packet-tracer input outside tcp 4.2.2.2 3344 <outside interface IP> 1723 det

 

 

Also, you would need to enable PPTP inspection so that the secondary GRE channel can be opened dynamically by the firewall.

 

HTH

AJ

Ajay,

 

I was able to get this figured out for the original NAT. Instead of using the network object for my WAN IP, I just used the interface command instead. Example:

 

nat (outside,inside) source static any any destination static interface SERVER-1 service TCP-1723 TCP-1723 unidirectional no-proxy-arp

 

I still wasn't able to get it to work with the network object NAT policy but that's probably because I don't understand the network object NAT policies as much. I will rebuild the lab later today and send you the packet tracer outputs for the network object NAT.

Ryeloc
Level 1

Sorry for the late reply, I ended up figuring this out. The reason I couldn't get it to work is because I needed to use my outside IP address. For that I had to use the "interface" command rather than the "object" command in the NAT line.

 

OLD: nat (outside,inside) source static any any destination static WAN-2 SERVER-1 service TCP-1723 TCP-1723 unidirectional no-proxy-arp

 

NEW: nat (outside,inside) source static any any destination static interface SERVER-1 service TCP-1723 TCP-1723 unidirectional no-proxy-arp
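For reference, here is the whole configuration assembled as one working unit, added as an example and not taken from any post in this thread: the outbound PAT, the inbound twice NAT using the `interface` keyword (the form that worked above) instead of a network object holding the outside address (the form the ASA rejected), the ACL, the PPTP inspection that Ajay mentioned, and the packet-tracer check. It assumes the interface names `inside` and `outside`, the object names used in the thread, the ASA's default `global_policy` / `inspection_default` service-policy names, and a constructed peer address `203.0.113.5` for the packet-tracer test; `<outside interface IP>` is a placeholder as on the page.

```cisco
! Added example (not from the thread): publishing TCP/1723 on the single
! outside interface address. Assumes interfaces "inside" and "outside" and
! the default global_policy / inspection_default service policy names.

! Outbound PAT: all inside hosts hide behind the outside interface address
nat (inside,outside) source dynamic any interface

! Objects as used in the thread
object service TCP-1723
 service tcp destination eq pptp
object network SERVER-1
 host 10.1.1.10

! Inbound twice NAT. "interface" stands in for the outside address; a
! network object holding that same address is rejected with
! "ERROR: Address ... overlaps with outside interface address".
nat (outside,inside) source static any any destination static interface SERVER-1 service TCP-1723 TCP-1723 unidirectional no-proxy-arp

! Post-8.3 ACLs match the real (untranslated) inside address, so the
! rule references SERVER-1, not the outside address. Replace "any" with the
! remote peers' addresses where they are known, to shrink the exposure.
access-list outside_access_in extended permit tcp any object SERVER-1 eq 1723
access-group outside_access_in in interface outside

! PPTP inspection so the GRE data channel is pinholed dynamically
policy-map global_policy
 class inspection_default
  inspect pptp

! Verification: simulate an inbound PPTP SYN from a constructed peer
! address (203.0.113.5 is a documentation address chosen for this example)
! and confirm the NAT and ACCESS-LIST phases both show ALLOW.
packet-tracer input outside tcp 203.0.113.5 3344 <outside interface IP> 1723 detailed
```

If the packet-tracer output still shows a DROP in the ACCESS-LIST phase, the usual cause is an ACL written against the outside address rather than the object's real address; if NAT shows ALLOW but the session never completes, check that `inspect pptp` is present, since the GRE channel is not covered by the TCP/1723 rule.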
