Cisco ASA 8.6 - Static PAT with same Public IP

abhisar patil · ‎01-15-2014

Dear Team,

Please help me to configure static PAT with same Public IP. I did some configuration but did not worked.

Public IP - 1.1.1.1

Private IP1 - 192.168.1.10 Port http

Private IP1 - 192.168.1.20 Port SMTP

Configuration -

***********************************************

object network obj-192.168.1.10

host 192.168.1.10

object network obj-192.168.1.10

host 192.168.1.10

object network obj-1.1.1.1

host 1.1.1.1

object service HTTP

service tcp source eq http

object service SMTP

service tcp source eq SMTP

***********************************************

nat (inside,outside) source static obj-192.168.1.10 obj-1.1.1.1 service HTTP HTTP

nat (inside,outside) source static obj-192.168.1.20 obj-1.1.1.1 service SMTP SMTP

***********************************************

acces-list outside extended permit tcp any host 192.168.1.10 eq http

***********************************************

Thank You,

Abhisar.

pubhanda · ‎01-15-2014

Hi Abhisar,

This would be the configuration which would help you in solving acheiving your requirement.

object network obj-192.168.1.10

host 192.168.1.10

object network obj-192.168.1.20

host 192.168.1.20

object network obj-1.1.1.1

host 1.1.1.1

object service HTTP

service tcp source eq http

object service SMTP

service tcp source eq SMTP

nat (inside,outside) source static obj-192.168.1.10 obj-1.1.1.1 service HTTP HTTP

nat (inside,outside) source static obj-192.168.1.20 obj-1.1.1.1 service SMTP SMTP

access-list outside extended permit tcp any host 192.168.1.10 eq http

access-list outside extended permit tcp any host 192.168.1.20 eq smtp

The above access-list "outside" should be applied to the outside interface with the help of following command:

access-group outside in interface outisde

Thank you,

Pulkit Bhandari

abhisar patil · ‎01-15-2014

Dear Pulkit,

Thank you for your reply. I have applied that access-group, I did not pasted here. I want to know about nat configuration if it is correct or not?

Thank You,

Abhisar.

pubhanda · ‎01-15-2014

Hi Abhisar,

Yes, i did checked the configuration and found some errors. It might be a Typing error though..

***********************************************

object network obj-192.168.1.10

host 192.168.1.10

object network obj-192.168.1.10 it should be for 192.168.1.20

host 192.168.1.10

object network obj-1.1.1.1

host 1.1.1.1

object service HTTP

service tcp source eq http

object service SMTP

service tcp source eq SMTP

***********************************************

nat (inside,outside) source static obj-192.168.1.10 obj-1.1.1.1 service HTTP HTTP

nat (inside,outside) source static obj-192.168.1.20 obj-1.1.1.1 service SMTP SMTP

***********************************************

acces-list outside extended permit tcp any host 192.168.1.10 eq http

acces-list outside extended permit tcp any host 192.168.1.10 eq http ---> this should be also for 192.168.1.20 for smtp

***********************************************

The corrected configuration should be as follows:

object network obj-192.168.1.10

host 192.168.1.10

object network obj-192.168.1.20

host 192.168.1.20

object network obj-1.1.1.1

host 1.1.1.1

object service HTTP

service tcp source eq http

object service SMTP

service tcp source eq SMTP

nat (inside,outside) source static obj-192.168.1.10 obj-1.1.1.1 service HTTP HTTP

nat (inside,outside) source static obj-192.168.1.20 obj-1.1.1.1 service SMTP SMTP

access-list outside extended permit tcp any host 192.168.1.10 eq http

access-list outside extended permit tcp any host 192.168.1.20 eq smtp

Hope this helps

Please do remember to mark a reply as the correct answer if it answered your question.

Feel free to ask more if needed

Thanks

Pulkit Bhandari

abhisar patil · ‎01-15-2014

Dear Pulkit,

Thank you for your reply and correction . This is typing error from my side, what about the logic behind the configuration if is it fine?

Thank You,

Abhisar.

pubhanda · ‎01-15-2014

Hi Abhisar,

Yes, the logic behind the configuration is correct.

For more details regarding the new NAT configuration on ASA version 8.3+ you can also refer the following documents:

https://supportforums.cisco.com/docs/DOC-12690

Hope this helps.

Feel free to ask more if needed

- Pulkit