NATing 8.2.5 to 9.8.1
12-08-2017 10:16 AM - edited 02-21-2020 06:55 AM
Anybody know how I would turn this IOS 8.2.5 NAT statement into an IOS 9.8.1 NAT statement?
static (DMZ-ADT,outside) udp ADT-Remote-Access 20000 192.168.13.3 20000 netmask 255.255.255.255
12-11-2017 03:27 AM
It should be:
object network ADT-Remote-Access
host x.x.x.x
nat (DMZ-ADT,outside) static 192.168.13.3 service tcp 20000 20000
12-11-2017 04:16 AM
However, I should have provided more detail.
Here is what we actually have on the 5510 with IOS 8.2.5:
static (DMZ-ADT,outside) udp ADT-Remote-Access 20000 192.168.13.3 20000 netmask 255.255.255.255
static (DMZ-ADT,outside) udp ADT-Remote-Access 20001 192.168.13.4 20001 netmask 255.255.255.255
static (DMZ-ADT,outside) udp ADT-Remote-Access 20002 192.168.13.5 20002 netmask 255.255.255.255
static (DMZ-ADT,outside) udp ADT-Remote-Access 20003 192.168.13.6 20003 netmask 255.255.255.255
static (DMZ-ADT,outside) udp ADT-Remote-Access 8200 192.168.13.2 8200 netmask 255.255.255.255
static (DMZ-ADT,outside) tcp ADT-Remote-Access 8200 192.168.13.2 8200 netmask 255.255.255.255
static (DMZ-ADT,outside) udp ADT-Remote-Access 8016 192.168.13.2 8016 netmask 255.255.255.255
static (DMZ-ADT,outside) tcp ADT-Remote-Access 8016 192.168.13.2 8016 netmask 255.255.255.255
static (DMZ-ADT,outside) udp ADT-Remote-Access 12088 192.168.13.2 12088 netmask 255.255.255.255
static (DMZ-ADT,outside) tcp ADT-Remote-Access 12088 192.168.13.2 12088 netmask 255.255.255.255
static (DMZ-ADT,outside) udp ADT-Remote-Access 10019 192.168.13.2 10019 netmask 255.255.255.255
static (DMZ-ADT,outside) tcp ADT-Remote-Access 10019 192.168.13.2 10019 netmask 255.255.255.255
static (DMZ-ADT,outside) udp ADT-Remote-Access 18802 192.168.13.7 18802 netmask 255.255.255.255
static (DMZ-ADT,outside) tcp ADT-Remote-Access 18802 192.168.13.7 18802 netmask 255.255.255.255
static (DMZ-ADT,outside) udp ADT-Remote-Access 18810 192.168.13.7 18810 netmask 255.255.255.255
static (DMZ-ADT,outside) tcp ADT-Remote-Access 18810 192.168.13.7 18810 netmask 255.255.255.255
static (DMZ-ADT,outside) udp ADT-Remote-Access 18803 192.168.13.7 18803 netmask 255.255.255.255
static (DMZ-ADT,outside) tcp ADT-Remote-Access 18803 192.168.13.7 18803 netmask 255.255.255.255
static (DMZ-ADT,outside) udp ADT-Remote-Access 18801 192.168.13.7 18801 netmask 255.255.255.255
static (DMZ-ADT,outside) tcp ADT-Remote-Access 18801 192.168.13.7 18801 netmask 255.255.255.255
static (DMZ-ADT,outside) udp ADT-Remote-Access 18001 192.168.13.7 18001 netmask 255.255.255.255
static (DMZ-ADT,outside) tcp ADT-Remote-Access 18001 192.168.13.7 18001 netmask 255.255.255.255
When I try to add the second rule I get this warning:
OH5FW50(config-network-object)# nat (DMZ-ADT,outside) static 192.168.13.3 serv$
OH5FW50(config-network-object)# exit
OH5FW50(config)# object network ADT-Remote-Access
OH5FW50(config-network-object)# host 192.168.13.4
WARNING: mapped-address 192.168.13.3/20000 overlaps with existing static NAT in Section 2, rule 1.
What am I to do now?
Thanks for the help
12-11-2017 06:01 AM
I believe you are receiving the error because you are changing the IP inside the object that has a NAT statement. In order to make it work you will need different names for the ADT-Remote-Access object, something like this:
object network ADT-Remote-Access-x
host x.x.x.x
nat (DMZ-ADT,outside) static 192.168.13.3 service tcp 20000 20000
!
object network ADT-Remote-Access-y
host y.y.y.y
nat (DMZ-ADT,outside) static 192.168.13.4 service tcp 20001 20001
12-11-2017 06:36 AM
Do I also need to create an outside object host for each instance of ADT-Remote-Access-x,y,z ...?
Here is the original from the 5510 with IOS 8.2.5.
name a.b.c.d ADT-Remote-Access description Outside address for ADT remote access
object network ADT-Remote-Access_x
host a.b.c.d ==> same outside addr as the one below.
object network ADT-Remote-Access_y
host a.b.c.d
12-11-2017 07:48 AM
Yes, you need to configure an object every time you use a NAT statement under it in this case.
Sorry, I confused the IPs in my example; here is my example corrected:
object network ADT-Remote-Access-x
host a.b.c.d
nat (DMZ-ADT,outside) static 192.168.13.3 service tcp 20000 20000
!
object network ADT-Remote-Access-y
host a.b.c.d
nat (DMZ-ADT,outside) static 192.168.13.4 service tcp 20001 20001
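The conversion this thread asks about, as an added example that is not taken from any post or from Cisco. It assumes the 8.2 form `static (real_ifc,mapped_ifc) proto mapped_ip mapped_port real_ip real_port` and the 8.3+ object NAT form, where the object's `host` is the real address and `service` takes the real port followed by the mapped port. The `convert` helper, the `obj-...` naming and the `a.b.c.d` placeholder for the outside address are assumptions.

```python
import re

# Assumed 8.2 syntax:
# static (real_ifc,mapped_ifc) {tcp|udp} mapped_ip mapped_port real_ip real_port netmask 255.255.255.255
STATIC_PAT = re.compile(
    r"static \((?P<real_if>[^,\s]+),(?P<mapped_if>[^)\s]+)\) (?P<proto>tcp|udp) "
    r"(?P<mapped_ip>\S+) (?P<mapped_port>\S+) (?P<real_ip>\S+) (?P<real_port>\S+) "
    r"netmask 255\.255\.255\.255")

def convert(lines, names=None):
    """Translate 8.2 static PAT lines into 8.3+ object NAT blocks, one object per rule."""
    names = names or {}          # `name <ip> <alias>` entries, alias -> ip
    out, seen = [], {}
    for lineno, raw in enumerate(lines, 1):
        m = STATIC_PAT.fullmatch(raw.strip())
        if m is None:
            raise ValueError(f"line {lineno}: not a static PAT statement: {raw!r}")
        mapped_ip = names.get(m["mapped_ip"], m["mapped_ip"])
        real_ip = names.get(m["real_ip"], m["real_ip"])
        # Two rules may not claim the same outside interface/protocol/address/port.
        key = (m["mapped_if"], m["proto"], mapped_ip, m["mapped_port"])
        if key in seen:
            raise ValueError(f"line {lineno}: mapped {mapped_ip}/{m['mapped_port']} "
                             f"already used by line {seen[key]}")
        seen[key] = lineno
        # Object NAT allows one nat statement per object, so each rule gets its
        # own object even when several rules share a real host (hypothetical naming).
        obj = f"obj-{real_ip}-{m['proto']}-{m['real_port']}"
        out += [
            f"object network {obj}",
            f" host {real_ip}",
            f" nat ({m['real_if']},{m['mapped_if']}) static {mapped_ip} "
            f"service {m['proto']} {m['real_port']} {m['mapped_port']}",
            "!",
        ]
    return out

# Two statements copied from the thread; a.b.c.d is the thread's own placeholder.
NAMES = {"ADT-Remote-Access": "a.b.c.d"}
SAMPLE = [
    "static (DMZ-ADT,outside) udp ADT-Remote-Access 20000 192.168.13.3 20000 netmask 255.255.255.255",
    "static (DMZ-ADT,outside) tcp ADT-Remote-Access 8200 192.168.13.2 8200 netmask 255.255.255.255",
]

if __name__ == "__main__":
    print("\n".join(convert(SAMPLE, NAMES)))
```

Check the generated rules on the firewall with `show nat` before relying on them.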