PAT different WAN IP to internal host

dennesmeeusen
Level 1

Hi,

We just changed ISPs and now have a /29 routed subnet to be used on our ASA 5510 (8.4) instead of the one public IP we had before.

There are a couple of PAT translations that were previously set up on the "interface" address which I now want to assign to a different IP address further in my subnet.

So I just changed this:

object network BMMM
 nat (inside,outside) static interface service tcp smtp smtp

to:

object network BMMM
 nat (inside,outside) static other.external.ip.in.subnet service tcp smtp smtp

And assumed that this would work,

Sadly it does not, and this leaves me unable to contact that machine from the outside.

What am I doing wrong? And should I also change my access-list?

The relevant access-list rule is:

access-list outside_in extended permit tcp any object BMMM eq smtp

Thanks,

Dennes

5 Replies

Peter Koltl
Level 7

Try

show xlate
clear xlate

Jouni Forss
VIP Alumni

Hi,

Do you want to still do Port Forward configurations like with the single IP address before? Or do you want to translate some LAN server address to their own public IP address?

The format for a typical Static NAT is

object network STATIC
 host 10.10.10.10
 nat (inside,outside) static 1.2.3.4

After this you could open any service you want/need for the LAN host mentioned above

access-list OUTSIDE-IN permit tcp any object STATIC eq smtp

But if you want to configure the port forwards with the new public IP addresses too it should be no problem.

- Jouni

I did the show and clear xlates, but to no avail.

I want it to be set up something like this:

interface WAN ip: 1.1.1.1
WAN ip 1.1.1.2 tcp/25 --> 192.168.1.10
WAN ip 1.1.1.2 tcp/443 --> 192.168.1.11

This should work, right?

Hi,

Yeah, should be no problem.

For example

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip add 1.1.1.1 255.255.255.248

object network PORTFORWARD-25
 host 192.168.1.10
 nat (inside,outside) static 1.1.1.2 service tcp 25 25

object network PORTFORWARD-443
 host 192.168.1.11
 nat (inside,outside) static 1.1.1.2 service tcp 443 443

access-list OUTSIDE-IN permit tcp any object PORTFORWARD-25 eq smtp
access-list OUTSIDE-IN permit tcp any object PORTFORWARD-443 eq 443

Have you checked what happens to the connection through either the logs or ASDM logging/monitoring?

- Jouni
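As an added example (not code from this thread or from Cisco), here is a small Python audit of the configuration shape Jouni describes: it reads the outside interface subnet, the object/nat lines and the outside access-list, and flags a static PAT whose mapped address is not in the routed subnet or that has no access-list entry opening its port, the two things the original question was unsure about. The sample config and the service-name table are constructed for the example.

```python
import ipaddress
import re

# Constructed sample config, modelled on the thread: two working port
# forwards plus one object that would fail both checks.
SAMPLE_CONFIG = """
interface GigabitEthernet0/0
 nameif outside
 ip address 1.1.1.1 255.255.255.248
object network PORTFORWARD-25
 host 192.168.1.10
 nat (inside,outside) static 1.1.1.2 service tcp 25 25
object network PORTFORWARD-443
 host 192.168.1.11
 nat (inside,outside) static 1.1.1.2 service tcp 443 443
object network UNREACHABLE
 host 192.168.1.12
 nat (inside,outside) static 9.9.9.9 service tcp smtp smtp
access-list OUTSIDE-IN extended permit tcp any object PORTFORWARD-25 eq smtp
access-list OUTSIDE-IN permit tcp any object PORTFORWARD-443 eq 443
"""

# Assumed subset of the service names the ASA accepts instead of numbers.
PORT_NAMES = {"smtp": "25", "https": "443", "www": "80", "ssh": "22"}

def port(tok):
    return PORT_NAMES.get(tok, tok)

def audit(config):
    """Return findings for static PAT objects that cannot work as written."""
    outside_net, objects, acl_ports, cur = None, {}, set(), None
    for line in (l.strip() for l in config.splitlines()):
        if m := re.match(r"ip add\w* (\S+) (\S+)", line):
            # assume the first interface address seen is the outside one
            outside_net = outside_net or ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
        elif m := re.match(r"object network (\S+)", line):
            cur = objects.setdefault(m[1], {})
        elif m := re.match(r"nat \(\S+\) static (\S+) service tcp (\S+) (\S+)", line):
            cur["mapped"], cur["port"] = m[1], port(m[2])
        elif m := re.match(r"access-list \S+ .*permit tcp any object (\S+) eq (\S+)", line):
            acl_ports.add((m[1], port(m[2])))
    findings = []
    for name, o in objects.items():
        if "mapped" not in o:
            continue  # plain object without a static PAT line
        if o["mapped"] != "interface" and outside_net is not None \
                and ipaddress.ip_address(o["mapped"]) not in outside_net:
            findings.append(f"{name}: mapped {o['mapped']} not in outside subnet {outside_net}")
        if (name, o["port"]) not in acl_ports:
            findings.append(f"{name}: no outside ACL permits tcp/{o['port']} to object")
    return findings
```

Note that the audit only reads the config; as the thread's resolution shows, the LAN host's real address still has to match the `host` line, which no static check can see.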

Well.. This is embarrassing..

Turned out that everything is just fine, but a reboot of the Exchange virtual machine to which the PATs go caused its address to change to a DHCP-assigned address. Reset it back to the static LAN IP and it's working like a charm!

:-)

Thanks guys!

Dennes
