Solved: need assistance with new 8.4 NAT config

matthewatt · ‎10-12-2011

I'm trying to setup an NAT on an ASA with 8.4. I have no prior experience with the new NAT config, I'm only used to the 7.x way. I need to setup the firewall so inside hosts get PAT'd to external interface. I think I have that successfully done. I also need to setup static PAT, and that is where I'm getting an error.

here is my config for the interface PAT for inside to outside traffic.

object network obj_any
subnet 0.0.0.0 0.0.0.0
nat (inside,outside) dynamic interface

here is the 7.x way of handling the static PAT I want to take place (public IP altered)

static (inside,outside) tcp 79.255.255.255 smtp 192.168.1.10 smtp netmask 255.255.255.255 0

here is how I tried to translate the static PAT to 8.4 code:

object network obj-192.168.1.10
host 192.168.1.10
nat (inside,outside) static 79.255.255.255 service tcp 25 25

this is the error I get when executing the above command:

nat (inside,outside) static 79.255.255.255 $
ERROR: Address 79.255.255.255 overlaps with outside interface address.
ERROR: NAT Policy is not downloaded

what am I doing wrong? Note that my 79.255.255.255 address is the outside interface of the firewall

Jon Marshall · ‎10-12-2011

Matthew

You still need the other bit of your config ie.

object network obj-192.168.1.10
host 192.168.1.10
nat (inside,outside) static interface service tcp 25 25

as for what binds it, i guess it's those 3 statements in that order. To be honest i am still getting to grips with it myself

Jon

View solution in original post

Jon Marshall · ‎10-12-2011

Matthew

Hae you tried -

nat (inside,outside) static interface service tcp 25 25

Jon

matthewatt · ‎10-12-2011

I guess I'm lost as to how it knows that I want to NAT to the inside address 192.168.1.10?

Jon Marshall · ‎10-12-2011

Have you tried the "interface" keyword ?

matthewatt · ‎10-12-2011

I will try it as soon as I can get access to the ASA again (away from site right now). But what I'm confused is even by using the interface statement in your config (or my config for that matter), what is binding the interface ip to the real inside ip address? I would expect to see the inside ip in the command somewhere? thanks for the help, by the way!

Jon Marshall · ‎10-12-2011

Matthew

You still need the other bit of your config ie.

object network obj-192.168.1.10
host 192.168.1.10
nat (inside,outside) static interface service tcp 25 25

as for what binds it, i guess it's those 3 statements in that order. To be honest i am still getting to grips with it myself

Jon

matthewatt · ‎10-12-2011

yeah, it took it with the interface keyword. I should have thought to try that, I'm just not used to this syntax. Gonna take a while. Thanks again for all your help!

varrao · ‎10-12-2011

Hi Jon,

Yes, what you thin is right. First an IP address is needed to be defined in the object before tta nat statement is binded to the object. And Matthew, remember, one object can only be binded to a single iobject, that means f you try to put another nat statement under the object network obj-192.168.1.10, it would replace the earlier nat statement. It is only in the case of object nat.

So if you plan to add another nat statement for another service on the same host, lets say for port 80, then you would need to create another object for it:

object network obj-192.168.1.10_2

host 192.168.1.10

nat (inside,outside) static interface service tcp 80 80

Hope that helps.

Thanks,

Varun

Thanks,
Varun Rao

matthewatt · ‎10-13-2011

Good catch Varun. I did indeed need to bind multiple nat's to the same host on a different port. Thanks for pointing out what I would have overlooked.

varrao · ‎10-13-2011

Hey...no issues, just thought that might help you

Varun

Thanks,
Varun Rao