Re: ASA - Can you Static NAT and Static PAT using the same Outsi

anowell · ‎03-02-2014

Here are the commands in question...

static (dmz,outside) udp 24.199.55.33 7001 10.0.13.253 7001 netmask 255.255.255.255

static (inside,outside) 24.199.55.33 10.0.0.28 netmask 255.255.255.255

Can I have users on the "outside" use UDP 7001 and translate them to 10.0.13.253 (dmz) and at the same time have any other ports be translated to

10.0.0.28 (inside)?

Thank you very much!!

Jouni Forss · ‎03-02-2014

Hi,

I guess it comes down to if the ASA accept both of these commands on it at the same time. I don't have the opportunity to test this at the moment.

If the ASA accept both of these commands then you would have to make sure that the Static PAT is first in the configuration and then the Static NAT so that the Static PAT will get matched first and only then the Static NAT.

I would persume that the ASA will either prevent entering second command OR the ASA will acecpt both commands but produce the normal error/warning message of the configuration overlap (even though it works)

- Jouni

anowell · ‎03-03-2014

Thank you for the reply!

The ASA takes both commands and the static PAT command is positioned first yet the static NAT command is the only one that is ever hit. Any other ideas?

Thanks again!!

Jouni Forss · ‎03-03-2014

Hi,

Can you provide a "packet-tracer" output for a packet that is supposed to match the Static PAT configurations

packet-tracer input outside udp 1.1.1.1 12345 7001

Remember to remove any real public IP addresses from the output.

Even though you said are you sure that the Static PAT configurations comes first in the CLI output of "show run static" compared to the Static NAT?

- Jouni

ASA - Can you Static NAT and Static PAT using the same Outside Global Address?