[ASA 9.2] 1 public IP address NAT & PAT to 2 internal hosts

zon zon
Level 1

Hi guys, I'm new to Cisco ASA. Hopefully this community is able to help me with this problem, because I'm really running out of ideas.

Question

Can we static NAT a public IP address to one internal IP address and PAT only one port of that public address to another internal IP?

Example:

Public address: 1.1.1.1

internal #1: 192.168.0.1

internal #2: 192.168.0.2

Target:

1) 1.1.1.1 is direct NAT to 192.168.0.1

2) 1.1.1.1:80 is PAT to 192.168.0.2:80

Code:

object network NAT_HOST1
 host 192.168.0.1
 nat (inside,outside) static 1.1.1.1

object network PAT_HOST2
 host 192.168.0.2
 nat (inside,outside) static 1.1.1.1 service tcp 80 80

Problem I'm facing:

1) Since ASA NAT rules for network object NAT have their own auto ordering ("if the same quantity of IPs is used, the object with the lower IP is processed first"), it will always process 192.168.0.1 and ignore the PAT for 192.168.0.2.

2) I tried to use ASDM to add the twice NAT so that the rule goes first. But whenever I browse to 1.1.1.1:80 it still keeps going back to host 1.

3) I am only able to browse to host 2 if I delete NAT_HOST1.

References:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa83/asdm63/configuration_guide/config/nat_overview.html#wp1118157

Million thanks for the time to read my post, guys. Very much appreciated if anyone can help.

If you need more details just let me know :) and I'll get the details ASAP.


4 Replies

MANI .P
Level 1

Hi,

In this case can you please use twice NAT for the web server and make its order line 1.

Thanks,

Mani

Ajay Saini
Level 7
(Accepted Solution)

Hello,

Can you please try the statements below and let me know if that helps:

object network obj-1.1.1.1
 host 1.1.1.1

object service web-port
 service tcp source eq 80

nat (inside,outside) source static PAT_HOST2 obj-1.1.1.1 service web-port web-port

The idea is to create a high-priority static PAT statement above the static NAT statement so that the port 80 mapping is given preference.

The above NAT statement is a twice NAT statement created for static PAT for host 192.168.0.2.

Once done, you can remove the statement below:

object network PAT_HOST2
 host 192.168.0.2
 nat (inside,outside) static 1.1.1.1 service tcp 80 80

Effectively, you will have 2 statements:

nat (inside,outside) source static PAT_HOST2 obj-1.1.1.1 service web-port web-port

object network NAT_HOST1
 host 192.168.0.1
 nat (inside,outside) static 1.1.1.1

HTH-

AJ
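The precedence argument in this answer, as a small added model that is not part of the thread or of ASA itself: section 1 (twice NAT) rules are evaluated in configured order before section 2 (object NAT) rules, which the ASA auto-orders (static before dynamic, fewer real addresses first, then lowest real IP). The rule names, the NatRule class and the lookup helper are this example's own constructions, and it assumes every rule is a static single-host rule, as in the thread.

```python
# Added example: why two object-NAT rules on one public IP lose the port-80 PAT,
# and why moving that PAT into a twice-NAT (section 1) rule fixes it.
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Optional

@dataclass
class NatRule:
    name: str
    section: int          # 1 = twice NAT (manual, configured order), 2 = object NAT (auto-ordered)
    real_ip: str          # inside host
    mapped_ip: str        # public address
    port: Optional[int]   # None = static NAT for all ports, else static PAT on this TCP port

def object_nat_key(rule: NatRule):
    """Section 2 auto-ordering: static before dynamic, fewer real addresses first,
    then lowest real IP first. Assumption: every rule here is static and single-host."""
    is_dynamic = 0
    real_addr_count = 1
    return (is_dynamic, real_addr_count, int(ip_address(rule.real_ip)))

def matches(rule: NatRule, mapped_ip: str, dport: int) -> bool:
    """Does an inbound packet to mapped_ip:dport hit this rule's mapped side?"""
    return rule.mapped_ip == mapped_ip and (rule.port is None or rule.port == dport)

def lookup(rules: List[NatRule], mapped_ip: str, dport: int) -> Optional[str]:
    """Name of the first rule applied: all of section 1 in configured order,
    then section 2 in auto order. First match wins, later rules are never reached."""
    section1 = [r for r in rules if r.section == 1]
    section2 = sorted((r for r in rules if r.section == 2), key=object_nat_key)
    for rule in section1 + section2:
        if matches(rule, mapped_ip, dport):
            return rule.name
    return None

# The original configuration from the question: two object NAT rules, both in section 2.
BEFORE = [
    NatRule("NAT_HOST1", 2, "192.168.0.1", "1.1.1.1", None),
    NatRule("PAT_HOST2", 2, "192.168.0.2", "1.1.1.1", 80),
]
# After the accepted answer: the port-80 mapping becomes a twice NAT rule in section 1.
AFTER = [
    NatRule("NAT_HOST1", 2, "192.168.0.1", "1.1.1.1", None),
    NatRule("TWICE_PAT_HOST2", 1, "192.168.0.2", "1.1.1.1", 80),
]

if __name__ == "__main__":
    print("before, 1.1.1.1:80  ->", lookup(BEFORE, "1.1.1.1", 80))   # NAT_HOST1: host 2 never reached
    print("after,  1.1.1.1:80  ->", lookup(AFTER, "1.1.1.1", 80))    # TWICE_PAT_HOST2
    print("after,  1.1.1.1:443 ->", lookup(AFTER, "1.1.1.1", 443))   # NAT_HOST1
```

The real firewall reports the same thing with `show nat`, which lists rules in the order they are evaluated, so checking that the twice NAT line appears before the object NAT lines is the quickest way to confirm the fix.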

Thanks man!!! Love you!!

It finally works. I went to ASDM and observed what is different from my old twice NAT configuration. (I know the one I posted is object network NAT.)

I saw that the only difference is in the "translated destination port" on web-port:

Working (yours) = from (source) tcp 80 to (destination) default (1-65535)

Not working (mine) = from (source) tcp 80 to (destination) 80

Do you have any idea on why? 

Glad I could help.

For the service type, you have to select the source port only, since that is where we need port 80 open. The destination port here would be the port of the user who initiates traffic from the outside world, and we cannot control the port which the user will use to initiate the connection.

Mainly the user port will be a random port higher than 1024.

If you are looking for service object usage, please refer to the link below:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/firewall/asa_91_firewall_config/nat_rules.html#78961

HTH-

AJ
