12-16-2010 11:45 PM - edited 03-11-2019 12:23 PM
The following are the NAT rules for my ASA 5510:
static (LAN,WAN) tcp PCCW_Pri_SMTP ftp LAN_MS02 ftp netmask 255.255.255.255
static (LAN,WAN) tcp PCCW_Pri_SMTP ssh LAN_MS02 ssh netmask 255.255.255.255
static (LAN,WAN) tcp PCCW_Pri_SMTP www LAN_MS02 www netmask 255.255.255.255
static (LAN,WAN) tcp PCCW_Sec_SMTP 2525 LAN_MS02 smtp netmask 255.255.255.255
static (DMZ,WAN) tcp PCCW_Sec_Webmail https DMZ_MS01 https netmask 255.255.255.255
static (DMZ,WAN) tcp PCCW_Sec_SMTP ftp DMZ_MS01 ftp netmask 255.255.255.255
static (DMZ,WAN) tcp PCCW_Sec_SMTP ssh DMZ_MS01 ssh netmask 255.255.255.255
static (DMZ,WAN) tcp PCCW_Sec_SMTP 27 DMZ_MS01 27 netmask 255.255.255.255
static (DMZ,WAN) tcp PCCW_Pri_SMTP smtp DMZ_IronPort_2 smtp netmask 255.255.255.255
static (DMZ,WAN) tcp PCCW_FTP ftp DMZ_FTP ftp netmask 255.255.255.255
static (DMZ,WAN) tcp PCCW_Sec_SMTP smtp DMZ_MS01 smtp netmask 255.255.255.255
static (LAN,DMZ) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
static (DMZ,LAN) 172.16.0.0 172.16.0.0 netmask 255.255.255.0
static (LAN,WAN) PCCW_Sec_SMTP LAN_MS02 netmask 255.255.255.255
When I tried to change the static rule "static (DMZ,WAN) tcp PCCW_Sec_SMTP smtp DMZ_MS01 smtp netmask 255.255.255.255" to "static (DMZ,WAN) tcp PCCW_Sec_SMTP smtp DMZ_IronPort_2 smtp netmask 255.255.255.255", I got the overlapping NAT error. How do I fix it? Thanks.
12-20-2010 05:58 AM
Hi Steven,
This error is expected because the ASA cannot translate the same public IP and port to different internal hosts. Think about it this way:
static (DMZ,WAN) tcp PCCW_Sec_SMTP smtp DMZ_IronPort smtp netmask 255.255.255.255
static (DMZ,WAN) tcp PCCW_Sec_SMTP smtp DMZ_MS01 smtp netmask 255.255.255.255
If a packet enters the WAN interface destined to PCCW_Sec_SMTP on TCP port 25, what should the destination address be translated to? Those rules are saying it should be translated to *both* DMZ_IronPort and DMZ_MS01, which is not possible. It can only be translated to 1 internal host.
As an alternative, you would need to use a different public IP address or change one of the mapped ports, such as:
static (DMZ,WAN) tcp PCCW_Sec_SMTP smtp DMZ_IronPort smtp netmask 255.255.255.255
static (DMZ,WAN) tcp ALT_PCCW_SMTP smtp DMZ_MS01 smtp netmask 255.255.255.255
or
static (DMZ,WAN) tcp PCCW_Sec_SMTP smtp DMZ_IronPort smtp netmask 255.255.255.255
static (DMZ,WAN) tcp PCCW_Sec_SMTP 2525 DMZ_MS01 smtp netmask 255.255.255.255
Hope that helps.
-Mike
12-20-2010 04:50 PM
Hi Mike,
Originally, the existing rules are these:
static (DMZ,WAN) tcp PCCW_Sec_SMTP smtp DMZ_MS01 smtp netmask 255.255.255.255
static (LAN,WAN) PCCW_Sec_SMTP LAN_MS02 netmask 255.255.255.255
and I want to change them to
static (DMZ,WAN) tcp PCCW_Sec_SMTP smtp DMZ_IronPort smtp netmask 255.255.255.255
static (LAN,WAN) PCCW_Sec_SMTP LAN_MS02 netmask 255.255.255.255
and I got the overlapping error with the rule: "static (LAN,WAN) PCCW_Sec_SMTP LAN_MS02 netmask 255.255.255.255"
Hope that it can clarify my problem. Thanks.
12-21-2010 12:12 AM
Hi Steven,
You are using an overlapping public IP address. You can't use the same IP address to configure static 1:1 NAT. You can configure static port address redirection on different ports using the same public IP address.
So currently the following 2 static NATs will overlap:
static (DMZ,WAN) tcp PCCW_Sec_SMTP smtp DMZ_IronPort smtp netmask 255.255.255.255
static (LAN,WAN) PCCW_Sec_SMTP LAN_MS02 netmask 255.255.255.255
So the 2nd line is 1:1 static NAT, and you can't reuse the same public IP address after you configure the static 1:1 NAT.
However, if you change the 2nd line to be static port address redirection on other ports than smtp, then it will work.
Example:
static (LAN,WAN) tcp PCCW_Sec_SMTP 3000 LAN_MS02 3000 netmask 255.255.255.255
(Port 3000 is just an example; you would need to change it to the port that you would like access on for the LAN_MS02 server accordingly.)
12-21-2010 12:38 AM
Hi Jennifer,
Then why do the other rules, e.g. static (DMZ,WAN) tcp PCCW_Sec_SMTP ftp DMZ_MS01 ftp netmask 255.255.255.255, not cause the overlapping problem? Thanks.
12-21-2010 12:48 AM
Because it is static PAT, not static 1:1 NAT.
The difference is that with static 1:1 NAT you are statically NATing 1 IP address to another IP address (and this means it includes all ports), while with static PAT you are NATing the IP address based on 1 port only.
The reason why it doesn't overlap with this:
static (DMZ,WAN) tcp PCCW_Sec_SMTP ftp DMZ_MS01 ftp netmask 255.255.255.255
is because the port is different. The above line is on port 21 (ftp), and the other one is on port 25 (smtp).
12-21-2010 12:58 AM
Hi Jennifer,
Sorry for my stupid question; according to the config
1. static (DMZ,WAN) tcp PCCW_Sec_SMTP ftp DMZ_MS01 ftp netmask 255.255.255.255
2. static (DMZ,WAN) tcp PCCW_Sec_SMTP smtp DMZ_IronPort smtp netmask 255.255.255.255
3. static (LAN,WAN) PCCW_Sec_SMTP LAN_MS02 netmask 255.255.255.255
Rule 1 is a static PAT, and at the same time rule 2 is also a static PAT. Why does rule 1 not overlap with rule 3 while rule 2 does? Thanks.
12-21-2010 01:09 AM
It will overlap, and you shouldn't really configure rule #3.
The reason it will overlap is that if traffic is sent towards PCCW_Sec_SMTP (public IP address) and you have static 1:1 configured, it has no way of knowing which private server it should translate the IP address to if you don't specify the actual port. As advised earlier, if you configure static 1:1 NAT, you can't share the public IP address. You can only share the public IP address if you configure static PAT with different ports.
12-21-2010 01:14 AM
Do you mean that rule 1 also overlaps with rule 3?
12-21-2010 02:40 AM
Yes... Rule #1 and Rule #3 also overlap.
The reason you could enter the command before is probably that you configured rule #1 first, then entered rule #3. Even though it doesn't give you an error message about them overlapping, they do overlap and it is not a supported configuration.
So if you remove rule #3, then enter rule #2, and then re-enter rule #3, it will not give you any error message in regards to overlapping. In theory, it should give you the error, and it's probably a software bug that it doesn't give you the error message when it overlaps.
In summary, you can't configure Rule #3 if you are already using the same IP address for static PAT.
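The overlap rule explained in the answers above (a 1:1 static claims every port of its public address, while static PATs on the same address only collide when protocol and mapped port match) can be checked offline before touching the box. The script below is an added example, not from the thread or from Cisco; it parses the pre-8.3 `static` syntax used in this thread, assumes host statics (netmask 255.255.255.255) with object names standing in for addresses, and the config it lints is constructed from the rules quoted above.

```python
import re
from itertools import combinations

# Constructed config in the thread's pre-8.3 "static" syntax; names stand in for IPs.
SAMPLE_CONFIG = """
static (DMZ,WAN) tcp PCCW_Sec_SMTP ftp DMZ_MS01 ftp netmask 255.255.255.255
static (DMZ,WAN) tcp PCCW_Sec_SMTP smtp DMZ_IronPort smtp netmask 255.255.255.255
static (LAN,WAN) PCCW_Sec_SMTP LAN_MS02 netmask 255.255.255.255
static (LAN,WAN) tcp PCCW_Sec_SMTP 3000 LAN_MS02 3000 netmask 255.255.255.255
"""

# Service keywords the ASA accepts instead of numeric ports (subset used in the thread).
PORT_NAMES = {"ftp": 21, "ssh": 22, "smtp": 25, "www": 80, "https": 443}
# Static PAT: proto, mapped addr, mapped port, real addr, real port.
PAT_RE = re.compile(r"^static \((\S+),(\S+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+) netmask \S+$")
# Static 1:1 NAT: mapped addr, real addr (claims every port of the mapped address).
NAT_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask \S+$")

def port_number(p):
    return PORT_NAMES[p] if p in PORT_NAMES else int(p)

def parse_static(line):
    """Return a dict for one host static (netmask /32 assumed), or None if not a static."""
    line = line.strip()
    m = PAT_RE.match(line)
    if m:
        _real_if, mapped_if, proto, mapped, mport, real, _rport = m.groups()
        return {"line": line, "mapped_if": mapped_if, "mapped": mapped,
                "proto": proto, "mport": port_number(mport), "real": real}
    m = NAT_RE.match(line)
    if m:
        _real_if, mapped_if, mapped, real = m.groups()
        return {"line": line, "mapped_if": mapped_if, "mapped": mapped,
                "proto": None, "mport": None, "real": real}
    return None

def overlaps(a, b):
    """Same public address on the same outside interface collides when either
    entry is 1:1 (all ports) or both map the same protocol and port."""
    if (a["mapped_if"], a["mapped"]) != (b["mapped_if"], b["mapped"]):
        return False
    if a["mport"] is None or b["mport"] is None:
        return True
    return (a["proto"], a["mport"]) == (b["proto"], b["mport"])

def find_overlaps(config_text):
    """Return (line_a, line_b) pairs that the ASA would reject as overlapping."""
    entries = [e for e in map(parse_static, config_text.splitlines()) if e]
    return [(a["line"], b["line"]) for a, b in combinations(entries, 2) if overlaps(a, b)]
```

Running `find_overlaps(SAMPLE_CONFIG)` flags every pair involving the 1:1 line (rule #3) and nothing else, which matches the diagnosis in this thread.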
12-21-2010 05:34 PM
Hi Jennifer,
You are right. I tried to change Rule 3 from static NAT to static PAT. It prompted me with the error about overlapping. I need to remove this rule to make it work. Thanks.
12-21-2010 05:38 PM
Thanks for the update.
Please kindly mark the post as answered if you have no further question. Thank you.