06-06-2011 05:32 PM - edited 03-11-2019 01:42 PM
So, this is a new ASA 5505 that I'm trying to configure, and I've done plenty of these in the past, but I must just be missing something. I'm trying to create a simple NAT rule from the outside to a server on the inside. From CLI, I do:
static (inside,outside) 2xx.xxx.1xx.1xx 10.90.1.21 netmask 255.255.255.255
and I get
ERROR: Static PAT using the interface requires the use of the 'interface' keyword instead of the interface IP address
I'm not trying to use PAT! I'm copying the same line from the other ASAs that I have, where I've put these NAT commands in plenty of times. If I try to do it through ASDM, I get
config
lab-5505asa(config)# sh conf
: Saved
: Written by xxx at 15:58:04.489 UTC Mon Jun 6 2011
!
ASA Version 8.0(4)
!
hostname lab-5505asa
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.91.1.2 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 2xx.xxx.1xx.1xx 255.255.255.128
!
interface Vlan4
nameif DMZ
security-level 50
ip address 172.16.35.1 255.255.255.0
!
interface Ethernet0/0
description inside
!
interface Ethernet0/1
description outside
switchport access vlan 2
!
interface Ethernet0/2
description dmz
switchport access vlan 4
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa804-k8.bin
ftp mode passive
access-list outside_access_in extended permit tcp any host 2xx.xxx.xxx.xxx eq 3389 log disable
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 2xx.xxx.1xx.1xx 1
route inside 10.0.0.0 255.0.0.0 10.91.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
http server enable
http 10.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 10.0.0.0 255.0.0.0 inside
ssh timeout 60
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
I'm NOT selecting to use PAT, but it keeps nagging me about it! Can someone direct me to what I'm doing wrong? Am I forgetting something?
thanks for the help!
06-06-2011 07:16 PM
Just have to make sure that you are not using the Outside interface IP Address when you create the static NAT statement.
You can use any spare IP Addresses in the Outside interface subnet range for static NAT, but not the Outside IP Address itself.
If you intend to use the Outside interface IP, then you would need to create static PAT instead.
Eg:
static (inside,outside) tcp interface 80 10.90.1.21 80 netmask 255.255.255.255
Hope that helps.
06-06-2011 07:22 PM
Hi Ryan,
What IP is this:
static (inside,outside) 2xx.xxx.1xx.1xx 10.90.1.21 netmask 255.255.255.255
Is this your outside interface IP?
If yes, then you need the following static:
static (inside,outside) interface 10.90.1.21 netmask 255.255.255.255
But the problem is you are already doing PAT to your outside interface:
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
So you cannot do one-to-one NAT with the outside interface; you would need to do port forwarding, or static PAT, on the outside interface.
This would definitely work for you.
Hope this helps.
Thanks,
Varun
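Both replies come down to one rule on pre-8.3 ASA code: if the mapped address of a `static (real,mapped) mapped_ip real_ip netmask ...` line is the mapped interface's own IP, the box insists on the `interface` keyword, and once `global (outside) N interface` already owns that address only per-port static PAT is left. The following is an added example, not code from the thread or from Cisco: a small Python checker that parses a saved config, applies that rule to a proposed `static` line, and prints the form the replies recommend. The config and addresses it contains are constructed (RFC 5737 space standing in for the masked public IP); the claim that an existing `global (X) N interface` rules out a one-to-one `static ... interface ...` is taken from Varun's reply above, not independently verified here.

```python
"""Pre-8.3 ASA static NAT sanity check (added example, not from the thread)."""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed config fragment modelled on the thread's 'sh conf'; addresses are made up.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.91.1.2 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.128
!
access-list outside_access_in extended permit tcp any host 203.0.113.10 eq 3389 log disable
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
"""

GLOBAL_IF_RE = re.compile(r"^global \((\S+)\) \d+ interface$")
ACL_RE = re.compile(r"^access-list \S+ extended permit (tcp|udp) \S+ host (\S+) eq (\S+)")
STATIC_ADDR_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)")
STATIC_PAT_RE = re.compile(r"^static \((\S+),(\S+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+) netmask (\S+)")
ASA_ERROR = ("Static PAT using the interface requires the use of the 'interface' "
             "keyword instead of the interface IP address")


@dataclass
class AsaConfig:
    if_ip: dict = field(default_factory=dict)      # nameif -> IPv4Interface
    pat_ifcs: set = field(default_factory=set)     # nameifs named in 'global (X) N interface'
    acl_ports: dict = field(default_factory=dict)  # (proto, dst host) -> [ports]


@dataclass
class Verdict:
    ok: bool
    error: str = ""
    warnings: list = field(default_factory=list)
    suggestions: list = field(default_factory=list)


def parse_config(text):
    """Collect interface IPs, interface-PAT globals and simple host/port ACEs."""
    cfg, nameif = AsaConfig(), None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            nameif = None                       # new block; wait for its nameif
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("ip address ") and nameif:
            _, _, addr, mask = line.split()[:4]
            cfg.if_ip[nameif] = ipaddress.ip_interface(f"{addr}/{mask}")
        elif GLOBAL_IF_RE.match(line):
            cfg.pat_ifcs.add(GLOBAL_IF_RE.match(line).group(1))
        elif ACL_RE.match(line):
            proto, host, port = ACL_RE.match(line).groups()
            cfg.acl_ports.setdefault((proto, host), []).append(port)
    return cfg


def check_static(cfg, line):
    """Judge a proposed pre-8.3 'static' line against the parsed config."""
    line = line.strip()
    if STATIC_PAT_RE.match(line):
        return Verdict(ok=True)                 # per-port static PAT: the recommended form
    m = STATIC_ADDR_RE.match(line)
    if not m:
        return Verdict(ok=False, error="unrecognised static syntax")
    real_ifc, mapped_ifc, mapped, real, mask = m.groups()
    for ifc in (real_ifc, mapped_ifc):
        if ifc not in cfg.if_ip:
            return Verdict(ok=False, error=f"no interface named {ifc!r}")
    mapped_if = cfg.if_ip[mapped_ifc]
    try:
        mapped_ip = mapped_if.ip if mapped == "interface" else ipaddress.ip_address(mapped)
    except ValueError:
        return Verdict(ok=False, error=f"bad mapped address {mapped!r}")
    if mapped_ip != mapped_if.ip:
        v = Verdict(ok=True)                    # a spare address: plain one-to-one static is fine
        if mapped_ip not in mapped_if.network:
            v.warnings.append(f"{mapped_ip} is outside {mapped_if.network}; the upstream "
                              f"router must route it to the {mapped_ifc} interface")
        return v
    pat_on_ifc = mapped_ifc in cfg.pat_ifcs
    if mapped != "interface":
        v = Verdict(ok=False, error=ASA_ERROR)  # the exact condition behind the posted error
    elif pat_on_ifc:
        v = Verdict(ok=False, error=f"global ({mapped_ifc}) ... interface already uses the "
                                    "interface IP; one-to-one static to it is not possible")
    else:
        return Verdict(ok=True)
    if pat_on_ifc:
        # Only per-port static PAT is left; lift the ports from ACEs that target this host.
        ports = [(p, port) for (p, h), lst in cfg.acl_ports.items()
                 if h == str(mapped_ip) for port in lst]
        v.suggestions = [f"static ({real_ifc},{mapped_ifc}) {p} interface {port} {real} {port} "
                         f"netmask 255.255.255.255" for p, port in ports] or \
                        [f"static ({real_ifc},{mapped_ifc}) tcp interface <port> {real} <port> "
                         f"netmask 255.255.255.255"]
    else:
        v.suggestions = [f"static ({real_ifc},{mapped_ifc}) interface {real} netmask {mask}"]
    return v


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print(check_static(cfg, "static (inside,outside) 203.0.113.10 10.90.1.21 netmask 255.255.255.255"))
```

Run against the constructed config, the thread's original line reproduces the ASA's error and, because `global (outside) 1 interface` is present, the checker proposes `static (inside,outside) tcp interface 3389 10.90.1.21 3389 netmask 255.255.255.255`, pulling port 3389 from the existing `outside_access_in` entry; a spare address in the /25 passes as a normal one-to-one static.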
06-07-2011 09:06 AM
Yes! That's the difference between this and the other ASAs. I didn't even think about that. I am trying to use the interface IP address, and on the others I am not.
Thanks for the tip! I'll get it figured out now.
06-07-2011 09:58 AM
Hi Ryan,
That's good! Let me know if you face any further issues with it.
Thanks,
Varun