Solved: Yes, it's more or less a

mickyq · ‎05-13-2015

Hi

I need to convert the following from 8.2 nat to 9.0

static (dmz4,outside) tcp 7.3.232.220 16000 192.168.3.60 16000 netmask 255.255.255.255
static (dmz4,outside) tcp 7.3.232.220 16001 192.168.3.60 16001 netmask 255.255.255.255
static (dmz4,outside) tcp 7.3.232.220 5003 192.168.3.60 5003 netmask 255.255.255.255

I thought I needed a static PAT as follows:

object network obj-192.168.3.60

host 192.168.3.60

nat (dmz4,outside) static 7.3.232.220 service tcp 16000

nat (dmz4,outside) static 7.3.232.220 service tcp 16001

nat (dmz4,outside) static 7.3.232.220 service tcp 5003

But it seems I can only have one static int the object. Only the last nat is shown in the group.

How do I configure this?

Karsten Iwen · ‎05-13-2015

you are right, there is only one nat-statement per object.

You need to configure three objects with different names but the same host-entry. Each object will get an individual nat-entry:

object network obj-192.168.3.60-16000
  host 192.168.3.60
  nat (dmz4,outside) static 7.3.232.220 service tcp 16000 16000

object network obj-192.168.3.60-16001
  host 192.168.3.60
  nat (dmz4,outside) static 7.3.232.220 service tcp 16001 16001

object network obj-192.168.3.60-5003
  host 192.168.3.60
  nat (dmz4,outside) static 7.3.232.220 service tcp 5003 5003

View solution in original post

JEFF SPRADLING · ‎05-13-2015

The auto-nat (putting the nat in the object) will only allow a single nat statement. You can create the nats in the same fashion that you have them by creating separate nat statements in global config.

object network obj-192.168.3.60

host 192.168.3.60

exit

object network obj-7.3.232.220

host 7.3.232.220

exit

object service tcp16000

service tcp destination 160000

exit

object service tcp16001

service tcp destination 160001

exit

nat (dmz4,outside) source static obj-192.168.3.60 obj-7.3.232.220 service tcp16000 tcp16000

nat (dmz4,outside) source static obj-192.168.3.60 obj-7.3.232.220 service tcp16001 tcp16001

View solution in original post

Karsten Iwen · ‎05-13-2015

you are right, there is only one nat-statement per object.

You need to configure three objects with different names but the same host-entry. Each object will get an individual nat-entry:

object network obj-192.168.3.60-16000
  host 192.168.3.60
  nat (dmz4,outside) static 7.3.232.220 service tcp 16000 16000

object network obj-192.168.3.60-16001
  host 192.168.3.60
  nat (dmz4,outside) static 7.3.232.220 service tcp 16001 16001

object network obj-192.168.3.60-5003
  host 192.168.3.60
  nat (dmz4,outside) static 7.3.232.220 service tcp 5003 5003

JEFF SPRADLING · ‎05-13-2015

The auto-nat (putting the nat in the object) will only allow a single nat statement. You can create the nats in the same fashion that you have them by creating separate nat statements in global config.

object network obj-192.168.3.60

host 192.168.3.60

exit

object network obj-7.3.232.220

host 7.3.232.220

exit

object service tcp16000

service tcp destination 160000

exit

object service tcp16001

service tcp destination 160001

exit

nat (dmz4,outside) source static obj-192.168.3.60 obj-7.3.232.220 service tcp16000 tcp16000

nat (dmz4,outside) source static obj-192.168.3.60 obj-7.3.232.220 service tcp16001 tcp16001

mickyq · ‎05-14-2015

Thanks Guys

I see theres two solutions. I guess its just a case of where i want them in the nat table.

Thanks

Karsten Iwen · ‎05-14-2015

Yes, it's more or less a personal preference. I always configure it the way that all "regular" NAT goes to section 2 (which is auto-NAT or object-NAT). That is also the port-forwarding that you need.

In section 1 (the manual NAT which Jeff showed you) I only configure NAT-exemption and policy NAT.

In section 3 I only have my dynamic PAT (overload) for general Internet-access.

Configuring it that way keeps the NAT-table quite readable.

nat conversion