02-05-2014 04:10 AM - edited 03-11-2019 08:40 PM
Hello,
I'm having a problem setting up a policy-based PAT. I'll tell you what I tried to do and then you can advise me if this is correct. This is on an
ASA 5540 running 8.6.
We are trying to access a web page of an application running on port 8080, external to my firewall, on 172.53.16.17. The partner organisation wants the source address to be 172.53.130.17 and is dropping anything which has an internal IP address. I therefore followed the example on the Cisco website:
object network PAT-SOURCE (my LAN)
subnet 172.30.0.0 255.255.0.0
object network PAT-SOURCE-MAPPED (the transition)
host 172.53.130.17
object network PAT-DESTINATION (the app)
host 172.53.16.17
object service SERVICE (the service which translates the www traffic to 8080)
service tcp source eq www destination eq 8080
When I run the following command:
nat (inside,outside) source static PAT-SOURCE PAT-SOURCED-MAPPED destination static PAT-DESTINATION PAT-DESTINATION service SERVICE SERVICE
I receive the following error:
ERROR: PAT-SOURCED-MAPPED doesn't match an existing object or object-group
Any help would be greatly appreciated.
02-05-2014 05:29 AM
Hi,
The ERROR message states that you are using an "object" or "object-group" name that doesn't exist.
Notice that you have typed it wrong.
The command has PAT-SOURCED-MAPPED.
The actual "object" is named PAT-SOURCE-MAPPED.
Though I think you might have to change the "object" name a bit for other reasons. That reason is that you should probably change the NAT to be a Dynamic Policy PAT by changing "source static" to "source dynamic", and because of this the "object" name starting with PAT might confuse the ASA. Or at least I think I had such a problem in the past.
To me it seems that there are some things that need to be changed in the configuration.
I would suggest the following configuration:
object network PAT-SOURCE
subnet 172.30.0.0 255.255.0.0
object network MAPPED-IP
host 172.53.130.17
object network PAT-DESTINATION
host 172.53.16.17
object service TCP-80
service tcp destination eq 80
object service TCP-8080
service tcp destination eq 8080
nat (inside,outside) source dynamic PAT-SOURCE MAPPED-IP destination static PAT-DESTINATION PAT-DESTINATION service TCP-8080 TCP-80
The above configuration means that when a connection is coming from PAT-SOURCE and going to PAT-DESTINATION with the destination port TCP-80, the source address will be NATed to MAPPED-IP and the destination port will be UN-NATed to TCP-8080.
If I misunderstood the purpose of the NAT configuration (according to the above description I gave) then please correct me.
Hope this helps
Let me know how it goes
- Jouni
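As an added example (not code from this thread or from Cisco): a small Python pre-check that parses the object definitions and twice-NAT lines from a staged ASA config and reports every referenced name that is never defined, which is exactly what the ASA's "doesn't match an existing object or object-group" error above is saying. The two config texts embedded below are reconstructed from the posts in this thread; the parser is an assumption that covers only the `object network`, `object service`, `object-group` and `nat (...) source ... destination ... service ...` statement shapes shown here, and treats `any` and `interface` as valid keywords in network positions.

```python
"""Pre-flight reference check for ASA twice-NAT (manual NAT) statements.

Added example, not Cisco's code.  Assumptions: only the statement shapes
seen in the thread are parsed, and `any` / `interface` are the only
keywords accepted where a network object name is expected.
"""
import difflib
import re

# "object network NAME", "object service NAME", "object-group network NAME" ...
OBJECT_RE = re.compile(r"^\s*object(?:-group)?\s+(network|service)\s+(\S+)")

# nat (real_if,mapped_if) source static|dynamic REAL MAPPED
#     [destination static REAL MAPPED] [service REAL MAPPED]
NAT_RE = re.compile(
    r"^\s*nat\s+\(([^,]+),([^)]+)\)\s+source\s+(static|dynamic)\s+(\S+)\s+(\S+)"
    r"(?:\s+destination\s+static\s+(\S+)\s+(\S+))?"
    r"(?:\s+service\s+(\S+)\s+(\S+))?"
)
NETWORK_KEYWORDS = {"any", "interface"}  # assumption: the keywords handled here


def collect_objects(config_text):
    """Map each defined object / object-group name to 'network' or 'service'."""
    objects = {}
    for line in config_text.splitlines():
        m = OBJECT_RE.match(line)
        if m:
            objects[m.group(2)] = m.group(1)
    return objects


def parse_nat(line):
    """Return the interfaces, mode and referenced names of a nat line, or None."""
    m = NAT_RE.match(line)
    if not m:
        return None
    g = m.groups()
    return {
        "interfaces": (g[0].strip(), g[1].strip()),
        "mode": g[2],
        "network": [n for n in g[3:7] if n],  # real/mapped source, real/mapped dest
        "service": [n for n in g[7:9] if n],  # real/mapped service
    }


def check_nat_references(config_text):
    """Return (nat_line, missing_name, expected_kind) for each undefined reference."""
    objects = collect_objects(config_text)
    problems = []
    for line in config_text.splitlines():
        nat = parse_nat(line)
        if nat is None:
            continue
        for name in nat["network"]:
            if name not in NETWORK_KEYWORDS and objects.get(name) != "network":
                problems.append((line.strip(), name, "network"))
        for name in nat["service"]:
            if objects.get(name) != "service":
                problems.append((line.strip(), name, "service"))
    return problems


def suggest_names(missing_name, expected_kind, config_text):
    """Closest defined names of the right kind, so a typo is obvious at once."""
    candidates = [n for n, k in collect_objects(config_text).items() if k == expected_kind]
    return difflib.get_close_matches(missing_name, candidates, n=3, cutoff=0.6)


def asa_style_errors(config_text):
    """Render each problem in the ASA's own wording, plus a closest-name hint."""
    out = []
    for _, name, kind in check_nat_references(config_text):
        msg = f"ERROR: {name} doesn't match an existing object or object-group"
        hint = suggest_names(name, kind, config_text)
        if hint:
            msg += f"  (did you mean {hint[0]}?)"
        out.append(msg)
    return out


# Reconstructed from the original post (the typo is in the nat line).
ORIGINAL_CONFIG = """\
object network PAT-SOURCE
 subnet 172.30.0.0 255.255.0.0
object network PAT-SOURCE-MAPPED
 host 172.53.130.17
object network PAT-DESTINATION
 host 172.53.16.17
object service SERVICE
 service tcp source eq www destination eq 8080
nat (inside,outside) source static PAT-SOURCE PAT-SOURCED-MAPPED destination static PAT-DESTINATION PAT-DESTINATION service SERVICE SERVICE
"""

# Reconstructed from the accepted answer.
CORRECTED_CONFIG = """\
object network PAT-SOURCE
 subnet 172.30.0.0 255.255.0.0
object network MAPPED-IP
 host 172.53.130.17
object network PAT-DESTINATION
 host 172.53.16.17
object service TCP-80
 service tcp destination eq 80
object service TCP-8080
 service tcp destination eq 8080
nat (inside,outside) source dynamic PAT-SOURCE MAPPED-IP destination static PAT-DESTINATION PAT-DESTINATION service TCP-8080 TCP-80
"""

if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_CONFIG), ("corrected", CORRECTED_CONFIG)):
        errors = asa_style_errors(cfg)
        print(f"{label}: {'OK' if not errors else chr(10).join(errors)}")
```

Run as a script it prints the reconstructed ASA error for the original post's line, with `PAT-SOURCE-MAPPED` suggested as the intended name, and `OK` for the corrected configuration. The check is purely lexical: it tells you a name is undefined, not whether the NAT semantics (static versus dynamic, port mapping direction) are what the partner expects.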
02-05-2014 06:17 AM
Thanks for your help, I've spent two days looking at it and I still had typos. Works a treat.