Migrating NAT from ASA to Firepower - "Same mapped parameter cannot be used to do both NAT and PAT"

bascheew · ‎08-15-2018

We are migrating from an ASA to Firepower and we're running into an error when configuring NAT. One of our networks is PATed out a secondary IP on the outside interface. That same secondary IP is also used for a couple of static NATs. On the ASA, this was not a problem:

nat (Network-B,Outside) source static Network-B_Server10 1.1.1.30 service 25 25 description SMTP to Network-B
nat (Network-B,Outside) source static Network-B_Server10 1.1.1.30 service 443 443 description HTTPS to Network-B
nat (Network-B,Outside) after-auto source dynamic any 1.1.1.30

On the Firepower when I attempt to replicate this setup I receive the following error when I attempt to save the new NAT rules in the FMC:

"Same mapped parameter cannot be used to do both NAT and PAT"

(Network-B) to (Outside) source static Network-B_Server10 1.1.1.30  service SVC_579820588089 SVC_579820588089 description Network-B SMTP
(Network-B) to (Outside) source static Network-B_Server10 1.1.1.30  service SVC_579820588090 SVC_579820588090 description Network-B HTTPS
(Network-B) to (Outside) source dynamic any pat-pool 1.1.1.30

Any ideas?

Thanks!

Mohammed al Baqari · ‎08-16-2018

In ASA, this will through a warning once you apply the PAT statement.
Unfortunately, FP won't let you do it