08-06-2010 01:20 PM - edited 03-11-2019 11:22 AM
Hi All,
After battling with, and eventually learning from the ASA 8.3 NAT configuration, I have stumbled over another hurdle which is causing me some confusion.
I have PAT working quite well for one host. That is, OUTSIDE:2202 ---> INSIDE_HOST:2202. See below for config.
I'm running ASA 8.3.(2) and ASDM 6.2.(3) on a ASA 5505
!
object network LXSERVER
host 10.2.2.2
!
access-list OUTSIDE_access_in extended permit tcp any host 10.2.2.2 eq 2202
!
object network LXSERVER
nat (DMZ,OUTSIDE) static interface service tcp ssh 2202
This is all working like a dream but when I tried to add another static NAT rule from the outside interface to the same host on a different port, the new rule overwrote the old one.
!
object network LXSERVER
nat (DMZ,OUTSIDE) static interface service tcp ftp 2121
!
So, my question is, how do I configure multiple static PATs for one internal host from the OUTSIDE interface?
Please note that I have only a single public IP address which is received via DHCP.
08-06-2010 02:43 PM
Here is an example. I hope this is what you are trying to accomplish:
object service FTP_PASV_PORT_RANGE
service tcp source range 65000 65004
object network HOST_FTP_SERVER
host 192.168.10.100
nat (Inside,outside) source static HOST_FTP_SERVER interface service FTP_PASV_PORT_RANGE FTP_PASV_PORT_RANGE
ciscoasa(config)# sh xlate
1 in use, 6 most used
TCP PAT from Inside:HOST_FTP_SERVER 65000-65004 to outside:10.10.10.1
65000-65004 flags sr idle 47:51:27 timeout 0:00:00
-KS
08-06-2010 02:48 PM
Hi KS,
Thanks for the help, although it is not entirely what I am after, although I think it will work for what I am after temporarily.
What I was looking for was to use a discontiguous port range, i.e.
2202 --> 22
2121 --> 21
8080 --> 80
4443 --> 443
etc etc.
Cheers,
Conor
08-06-2010 02:51 PM
You need to create a new object for each static PAT or it will overwrite. You can have the same host in each object, though. Just call the object with a diff. name. You need as many objects as there are going to be static PATs.
You may find these links useful: https://supportforums.cisco.com/docs/DOC-9129
8.3 nat video: https://supportforums.cisco.com/docs/DOC-12324
-KS
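What KS describes, written out as a complete ASA 8.3 object-NAT configuration. This is an added example, not configuration posted in the thread: it keeps Conor's real host 10.2.2.2, the DMZ/OUTSIDE interface pair and the four mappings he listed (2202->22, 2121->21, 8080->80, 4443->443); the object names are assumptions. Because object NAT allows exactly one `nat` statement per network object, each mapping gets its own object, all pointing at the same host.

```cisco
! Added example (not from the original thread): one network object per static PAT.
! Every object holds the same real host; only the object name and the nat line differ.
! Object names (LXSERVER_*) are assumptions; host, interfaces and ports come from the thread.
!
object network LXSERVER_SSH
 host 10.2.2.2
 nat (DMZ,OUTSIDE) static interface service tcp ssh 2202
!
object network LXSERVER_FTP
 host 10.2.2.2
 nat (DMZ,OUTSIDE) static interface service tcp ftp 2121
!
object network LXSERVER_HTTP
 host 10.2.2.2
 nat (DMZ,OUTSIDE) static interface service tcp www 8080
!
object network LXSERVER_HTTPS
 host 10.2.2.2
 nat (DMZ,OUTSIDE) static interface service tcp https 4443
!
! 8.3 access rules match the real (untranslated) destination address, not the
! mapped interface address. The original post permits the mapped port (eq 2202);
! the 8.3 convention is the real port, so verify on the box with packet-tracer
! before trusting either form. Restrict the source where the client population
! is known instead of "any".
access-list OUTSIDE_access_in extended permit tcp any host 10.2.2.2 eq ssh
access-list OUTSIDE_access_in extended permit tcp any host 10.2.2.2 eq ftp
access-list OUTSIDE_access_in extended permit tcp any host 10.2.2.2 eq www
access-list OUTSIDE_access_in extended permit tcp any host 10.2.2.2 eq https
access-group OUTSIDE_access_in in interface OUTSIDE
!
! Verification (run from enable mode; <OUTSIDE_IP> is a placeholder for the
! DHCP-assigned public address, 203.0.113.10 is a constructed test client):
!   packet-tracer input OUTSIDE tcp 203.0.113.10 40000 <OUTSIDE_IP> 2202
!   show nat detail
!   show xlate
```

The `show nat detail` output should list four separate object-NAT entries for 10.2.2.2; if adding a mapping makes an earlier one disappear, the `nat` line was entered under an existing object and replaced that object's single allowed translation, which is the overwrite Conor saw.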
08-06-2010 02:53 PM
Cheers for that KS, I had feared that was the solution.
Thanks for your help.
Cheers,
Conor