
PAT interface address with static NAT port translation

ampowell (Level 1)

I have an 8.3(2) ASA with a single outside IP.  Dynamic PAT translates inside addresses to the outside interface address.  I would like to use static NAT with port translation to access an inside syslog server.  I got an error when I tried using the outside interface address.  Can I use both dynamic PAT and Port Translation with the same outside address?

This is what I would like to use but I receive an error saying there is an overlap using the outside interface address.  Is there a different way to accomplish this?

(192.168.1.0 is my inside network.  10.10.1.10 is the outside interface IP.)

object network inside-net
  subnet 192.168.1.0 255.255.255.0
  nat (inside,outside) dynamic interface

object network SYSLOG_SERVER
  host 192.168.1.50
  nat (inside,outside) static 10.10.1.10 service tcp ssh ssh


6 Replies

varrao (Level 10)

Hi,

Well, the logic that you understand is perfectly correct: you can use dynamic PAT and static port forwarding for the same public IP. The reason is that whenever users go to the internet using dynamic PAT, they use the ports greater than 1200 or 1500 (not really sure about the exact number) to go to the internet, which means well-known ports are not used.

So you can do static port forwarding for the well known ports.

Now coming onto your scenario, there might be some other conflicting nat statement, so can you provide the output of "show run nat" from the firewall?

I would need  to go through it to analyze the reason for it.

Hope this helps.

Thanks,

Varun

Thanks,
Varun Rao

This is the response I got when attempting to add the object network SYSLOG_SERVER commands.

ERROR: Address 10.10.1.10 overlaps with outside interface address.
ERROR: NAT Policy is not downloaded

asatest(config)# show run nat
!
object network inside-net
 nat (inside,outside) dynamic interface
asatest(config)#
asatest(config)# show run int
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 10.10.1.10 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
asatest(config)#

Hi,

You need to try this nat:

object network SYSLOG_SERVER
  host 192.168.1.50
object service tcp_ssh
  service tcp destination eq 22
nat (outside,inside) source static any any destination static interface SYSLOG_SERVER service tcp_ssh tcp_ssh

Actually, for the interface IP address you would not be able to create an object network, because you already have an "interface" keyword for it.

Hope this resolves your query

Thanks,

Varun


Accepted Solution

You can also use this:

object network SYSLOG_SERVER
  host 192.168.1.50
  nat (inside,outside) static interface service tcp ssh ssh

Both the nat statements are the same.

Thanks,

Varun
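To show the accepted answer as one complete, working fragment: the following is an added example, not taken from the posts above, using the thread's addresses (192.168.1.0/24 inside, 10.10.1.10 on the outside interface, 192.168.1.50 as the syslog host). The management range 203.0.113.0/24 and the object and ACL names are assumptions made for illustration. It adds two things the thread does not show: the outside access list, which on 8.3 and later must permit the real (untranslated) address and port rather than the mapped 10.10.1.10, and the verification commands that confirm the static port forward is hit before the dynamic PAT rule.

```cisco
! Inside network: dynamic PAT behind the outside interface address.
object network inside-net
  subnet 192.168.1.0 255.255.255.0
  nat (inside,outside) dynamic interface
!
! Syslog host: static port forward of outside-interface TCP/22 to 192.168.1.50:22.
! The "interface" keyword is required; naming 10.10.1.10 literally is rejected with
! "Address 10.10.1.10 overlaps with outside interface address".
object network SYSLOG_SERVER
  host 192.168.1.50
  nat (inside,outside) static interface service tcp ssh ssh
!
! Illustrative trusted management range (assumption, not from the thread).
object network MGMT_NET
  subnet 203.0.113.0 255.255.255.0
!
! Since 8.3 the ACL matches the REAL address: permit to 192.168.1.50, not 10.10.1.10.
! Restrict the source instead of opening SSH on the public address to "any".
access-list OUTSIDE_IN extended permit tcp object MGMT_NET object SYSLOG_SERVER eq ssh
access-group OUTSIDE_IN in interface outside
!
! Verification (exec mode):
!   show nat
!     -> both rules in section 2 (auto NAT); the static rule is listed before
!        the dynamic one, so inbound 10.10.1.10:22 matches the port forward.
!   packet-tracer input outside tcp 203.0.113.10 40000 10.10.1.10 22
!     -> UN-NAT phase shows 10.10.1.10/22 -> 192.168.1.50/22 and the ACL permits it.
```

Only TCP/22 on the shared address is forwarded; every other inbound port on 10.10.1.10 still behaves as before, and outbound dynamic PAT for the inside network continues to use the same address.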

Both solutions work.  The second with the interface keyword is what I was missing.

Thanks,

Ann

Hi Ann,

Glad it worked for you, I guess you can now mark this thread as answered.

-Varun
