Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1238
Views
0
Helpful
4
Replies

Create static NAT rule not working-UGH!

Ryan Fisher
Level 1
Level 1

‎06-06-2011 05:32 PM - edited ‎03-11-2019 01:42 PM

So, this is a new ASA 5505 that I'm trying to configure, and I've done plenty of these in the past, but I must just be missing somthing.  I'm trying to create a simple NAT rule from the outside to a server on the inside.  From CLI, I do:

static (inside,outside)  2xx.xxx.1xx.1xx 10.90.1.21 netmask 255.255.255.255

and I get

ERROR: Static PAT using the interface requires the use of the 'interface' keyword instead of the interface IP address

I'm not trying to use PAT!  I'm copying the same line from the other ASA's that I have that I've put these NAT commands in plenty of times.  If I try to do it through ASDM, I get

asdm2.JPG

asdm1.JPG

config

lab-5505asa(config)# sh conf
: Saved
: Written by xxx at 15:58:04.489 UTC Mon Jun 6 2011
!
ASA Version 8.0(4)
!
hostname lab-5505asa

names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.91.1.2 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 2xx.xxx.1xx.1xx 255.255.255.128
!
interface Vlan4
nameif DMZ
security-level 50
ip address 172.16.35.1 255.255.255.0
!
interface Ethernet0/0
description inside
!
interface Ethernet0/1
description outside
switchport access vlan 2
!
interface Ethernet0/2
description dmz
switchport access vlan 4
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa804-k8.bin
ftp mode passive
access-list outside_access_in extended permit tcp any host 2xx.xxx.xxx.xxx eq 3389 log disable
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 2xx.xxx.1xx.1xx 1
route inside 10.0.0.0 255.0.0.0 10.91.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
http server enable
http 10.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 10.0.0.0 255.0.0.0 inside
ssh timeout 60
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept

I'm NOT selecting to use PAT, but it keeps nagging me about it!  Can someone direct me to what I'm doing wrong?  Am I forgetting something?

thanks for the help!

Labels:
0 Helpful
4 Replies 4

Jennifer Halim
Cisco Employee
Cisco Employee

‎06-06-2011 07:16 PM

Just have to make sure that you are not using the Outside interface IP Address when you create the static NAT statement.

You can use any spare IP Addresses in the Outside interface subnet range for static NAT, but not the Outside IP Address itself.

If you intend to use the Outside interface IP, then you would need to create static PAT instead.

Eg:

static (inside,outside) tcp interface 80 10.90.1.21 80 netmask 255.255.255.255

Hope that helps.

0 Helpful

varrao
Level 10
Level 10

‎06-06-2011 07:22 PM

Hi Ryan,:

What IP is this:

static (inside,outside)  2xx.xxx.1xx.1xx 10.90.1.21 netmask 255.255.255.255

is this your outside interface IP????

if yes then you need the followinf static:

static (inside,outside)  interface 10.90.1.21 netmask 255.255.255.255

But the prob is you are already doing Patting to your outside interface:

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

So you cannot do one to one nat with outside interface, you would need to do port forwarding or static pat on outsode interface:

http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2030/products_tech_note09186a00804708b4.shtml

This would definitely work for you.

Hope this helps.

Thanks,

Varun

Thanks,
Varun Rao
0 Helpful

Ryan Fisher
Level 1
Level 1
In response to varrao

‎06-07-2011 09:06 AM

Yes!  That's the difference between this and the other ASA's.  I didn't even think about that.  I am trying to use the interface IP address, and on the others I am not.

Thanks for the tip!  I'll get it figured out now.

0 Helpful

varrao
Level 10
Level 10
In response to Ryan Fisher

‎06-07-2011 09:58 AM

Hi Ryan,

Thats good!!! Let me know if you face any further issues with it.

Thanks,

Varun

Thanks,
Varun Rao
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card