Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
765
Views
0
Helpful
10
Replies

Cisco ASA 5520 NAT/PAT for inbound ports

Go to solution
jthombs1016
Level 1
Level 1

‎12-21-2015 08:26 AM - edited ‎03-12-2019 12:03 AM

I am  trying  to PAT some  ports  from the Internet to  two  Internal address  addresses  but I am not having much success.

 Below  is  Rules have added to ASA

My Outside2  Interface x.x.x.202  and my  external IP server is x.x.x.203  My internal server is  10.96.1.101 and .5

Will the below statement work ?


NAT
static (outside2,inside) tcp 10.96.1.5 https x.x.x.203 8181 netmask 255.255.255.255
static (outside2,inside) tcp 10.96.1.101 3389 x.x.x.203 28111 netmask 255.255.255.255
static (outside2,inside) tcp 10.96.1.101 10050 x1x.x.203 10050 netmask 255.255.255.255
Rules
access-list inside_in extended permit tcp any eq 28111 host 10.96.1.101 eq 3389 log
access-list inside_in extended permit tcp any eq 10050 host 10.96.1.101 eq 10050 log
access-list inside_in extended permit tcp any eq 8181 host 10.96.1.5 eq https log

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Collin Clark
VIP Alumni
VIP Alumni
In response to jthombs1016

‎12-21-2015 09:24 AM

Can you run another packet tracer, expand all the steps and post it?

View solution in original post

0 Helpful

Go to solution
Collin Clark
VIP Alumni
VIP Alumni
In response to jthombs1016

‎12-21-2015 09:35 AM

Your IP's are backwards in the NAT statement. Mapped IP comes first.

nat (inside,outside2) tcp x.x.x.3 28111 10.96.1.101 443

View solution in original post

0 Helpful
10 Replies 10

Go to solution
Collin Clark
VIP Alumni
VIP Alumni

‎12-21-2015 08:50 AM

Try swapping your interfaces-

static (inside,outside2) tcp x.x.x.203 8181 10.96.1.5 443 netmask 255.255.255.255

Your ACL's should have the mapped IP, not the real IP in them. You should not specify a source port either (unless you know that it will always use that port).

access-list inside_in extended permit tcp any host x.x.x.203 eq 443 log

HTH

0 Helpful

Go to solution
jthombs1016
Level 1
Level 1
In response to Collin Clark

‎12-21-2015 09:13 AM

Thanks  Swapped around and changed the ACL  its still not working.  packet tracer  give an error 

at the last  item 

Preview file
65 KB
0 Helpful

Go to solution
Collin Clark
VIP Alumni
VIP Alumni
In response to jthombs1016

‎12-21-2015 09:19 AM

Do you already have an 'outside' interface that has your default gateway and this is a backup connection?

0 Helpful

Go to solution
jthombs1016
Level 1
Level 1
In response to Collin Clark

‎12-21-2015 09:21 AM

Outside is  disabled

Outside2 is the gateway

0 Helpful

Go to solution
Collin Clark
VIP Alumni
VIP Alumni
In response to jthombs1016

‎12-21-2015 09:24 AM

Can you run another packet tracer, expand all the steps and post it?

0 Helpful

Go to solution
jthombs1016
Level 1
Level 1
In response to Collin Clark

‎12-21-2015 09:30 AM

uploaded

Preview file
210 KB
0 Helpful

Go to solution
Collin Clark
VIP Alumni
VIP Alumni
In response to jthombs1016

‎12-21-2015 09:35 AM

Your IP's are backwards in the NAT statement. Mapped IP comes first.

nat (inside,outside2) tcp x.x.x.3 28111 10.96.1.101 443

0 Helpful

Go to solution
jthombs1016
Level 1
Level 1
In response to Collin Clark

‎12-21-2015 09:48 AM

should I use the static command or NAT command ?

0 Helpful

Go to solution
jthombs1016
Level 1
Level 1
In response to Collin Clark

‎12-21-2015 09:39 AM

Sorry clicked the wrong button.

would this be the issue, I am nating everything  outbound  on a global net ?

global (outside2) 20 interface

0 Helpful

Go to solution
jthombs1016
Level 1
Level 1
In response to Collin Clark

‎12-21-2015 09:16 AM

Also seeing this error is  "cisco asa no valid adjacency"

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card