Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
265
Views
0
Helpful
3
Replies

Regular Static Pat in 9.11

noc-cville
Level 1
Level 1

‎03-11-2013 07:30 AM - edited ‎03-11-2019 06:12 PM

I am attempting to forward all traffic destined to my outside interface (173.x.x.x) on port 222 to my switch on the inside (192.x.x.2) on port 22.  I have the same configuration set up on the same code on another firewall and it works just fine.  This used to work on this one prior to the 9.11 upgrade.  Anyone have a similiar issue?

Labels:
0 Helpful
3 Replies 3

Jouni Forss
VIP Alumni
VIP Alumni

‎03-11-2013 08:53 AM

Hi,

Only thing even slightly related to this kind of problem is a Bug in the newer softwares.

I've been told that the 8.4(5) software would be the choice at the moment.

Then again you mention that the rule is working on another box with same software. Though I am not sure if the bugs nature is so that it happens randomly.

You can always use the "packet-tracer" command to determine if the traffic is hitting the right NAT rule

packet-tracer input outside tcp

- Jouni

0 Helpful

noc-cville
Level 1
Level 1

‎03-11-2013 11:20 AM

I'm not sure if this is a "bug"  or a new feature of the 9.x software.  I found that you cannot create an inbound static Pat policy using the outside interface ip address, if you are using the same address as a dynamic nat for outbound users.  What I had to do was add an additional ip address for outbound dynamic nat and then the static pat inbound worked.

0 Helpful

Jouni Forss
VIP Alumni
VIP Alumni
In response to noc-cville

‎03-11-2013 11:29 AM

Could you share the exact configuration format you used for the original NAT that didnt work?

I was testing a problem with a certain NAT configurations on these forums and there the situation was.

  • LAN had a Section 3 Dynamic PAT
  • LAN had a Section 2 Port Forward
  • DMZ had a Section 1 Dynamic PAT
  • All of the above used "outside" interface IP address as the public IP address

And in that case it seemed the DMZ Section 1 Dynamic PAT was overriding even the Section 2 Port Forward configuration between the "outside" and the "inside" which I didnt really understand

As soon as I added a specific destination for that Section 1 DMZ Dynamic PAT it didnt interfere with the Port Forward configuration. Provided ofcourse I didnt test from the just mentioned added destination network.

So it seemed as no destination was configured for the NAT it seemed to be matching all incoming traffic to the "outside" inteface IP address (even though the other interface was "dmz" which didnt seem to matter)

Dont know if I made any sense but this just seemed strange to me. Then again I dont configure the NAT in the same way as in this problem situation so I havent run into this problem myself.

- Jouni

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card