Single Public PAT to multiple Internal

bsisco
Level 1

ASA 5510

Need to NAT single public IP to multiple internal IPs.

Outside:1.1.1.1/25 -> DMZ:192.168.1.10/25

while...

Outside:1.1.1.1/443 -> Inside:192.168.2.10/443

and

Outside:1.1.1.1/1352 -> Inside:192.168.2.10/1352

Initially tried (via ASDM) static P/NAT from DMZ to Outside using Port Address Translation with port 25 both in and out.

Then adding static P/NAT from Inside to Outside using Port Address Translation for port 443.

Problem arises when I want to specify the third static P/NAT for port 1352, or when I leave PAT on for DMZ host, but turn it off for the Inside host.

The ultimate goal is for port 25 on the public IP to go to the DMZ host while 443 and 1352 get sent to the Inside host.

How can I accomplish this? It's OK to say the ASDM won't let you do this, but I won't be so happy to hear that the ASA cannot accomplish this knowing that there are a bunch of half-assed appliances out there that DO handle this.

Thanks for helping me out yet again!

1 Accepted Solution

Accepted Solutions

roshan.maskey
Level 1

Hi,

Cisco ASA does support that. Please try from CLI.

! one static PAT entry per public port, each pointing at the host named in the question
static (dmz,outside) tcp 1.1.1.1 25 192.168.1.10 25 netmask 255.255.255.255

static (inside,outside) tcp 1.1.1.1 443 192.168.2.10 443 netmask 255.255.255.255

static (inside,outside) tcp 1.1.1.1 1352 192.168.2.10 1352 netmask 255.255.255.255

Also add these entries to the outside interface access-list.

access-list outside_in extended permit tcp any host 1.1.1.1 eq smtp

access-list outside_in extended permit tcp any host 1.1.1.1 eq https

access-list outside_in extended permit tcp any host 1.1.1.1 eq 1352

! the list only takes effect once it is bound inbound on the interface (skip if already applied)
access-group outside_in in interface outside


2 Replies

I should've known that even though the GUI ASDM complained about it and even though the CLI (via the GUI) complains about it but lets it go that it was possible.

Spoiled by yet another GUI.

Thanks Roshan
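The accepted answer works because every entry claims only one (public IP, protocol, port) tuple; the ASDM objection the poster ran into appears as soon as a whole-address static for the same public IP is mixed in with port-level entries. The script below is an added example, not code from this thread or from Cisco: it parses the pre-8.3 `static` and `access-list` lines in the form the answer uses, reports overlapping translations on one mapped address, and cross-checks each forwarded port against the ACL bound inbound on the outside interface. Both sample configs are constructed here (using the 192.168.1.10 and 192.168.2.10 hosts from the question); the ACL parser only recognises the `permit <proto> any host <ip> [eq <port>]` shape, and the service-name table is limited to the two names the answer uses.

```python
import re

# Service names the ASA accepts in place of a port number (only the ones this example needs).
PORT_NAMES = {"smtp": 25, "https": 443}

IP = r"\d{1,3}(?:\.\d{1,3}){3}"

# Pre-8.3 static PAT (port-level):
#   static (real_if,mapped_if) tcp|udp <mapped_ip> <mapped_port> <real_ip> <real_port> [netmask ...]
STATIC_PAT_RE = re.compile(
    rf"^static \((?P<real_if>[\w-]+),(?P<mapped_if>[\w-]+)\) (?P<proto>tcp|udp) "
    rf"(?P<mapped_ip>{IP}) (?P<mapped_port>\S+) (?P<real_ip>{IP}) (?P<real_port>\S+)"
)
# Pre-8.3 whole-address static (what ASDM writes when "Port Address Translation" is turned off):
#   static (real_if,mapped_if) <mapped_ip> <real_ip> [netmask ...]
STATIC_NAT_RE = re.compile(
    rf"^static \((?P<real_if>[\w-]+),(?P<mapped_if>[\w-]+)\) (?P<mapped_ip>{IP}) (?P<real_ip>{IP})"
)
# Assumption: only the ACL shape used in the thread is parsed: permit <proto> any host <ip> [eq <port>]
ACL_RE = re.compile(
    rf"^access-list (?P<name>\S+) extended permit (?P<proto>tcp|udp|ip) any host (?P<ip>{IP})"
    r"(?: eq (?P<port>\S+))?"
)
ACCESS_GROUP_RE = re.compile(r"^access-group (?P<name>\S+) in interface (?P<iface>\S+)")


def port_number(token):
    """Resolve a numeric port or one of the service names above to an int."""
    return int(token) if token.isdigit() else PORT_NAMES[token]


def parse_config(text):
    """Split a config fragment into static translations, ACL entries and interface bindings."""
    statics, acl, bindings = [], [], {}
    for line in (raw.strip() for raw in text.splitlines()):
        if m := STATIC_PAT_RE.match(line):
            d = m.groupdict()
            d["mapped_port"], d["real_port"] = port_number(d["mapped_port"]), port_number(d["real_port"])
            statics.append(d)
        elif m := STATIC_NAT_RE.match(line):
            statics.append({**m.groupdict(), "proto": None, "mapped_port": None, "real_port": None})
        elif m := ACL_RE.match(line):
            d = m.groupdict()
            d["port"] = port_number(d["port"]) if d["port"] else None
            acl.append(d)
        elif m := ACCESS_GROUP_RE.match(line):
            bindings[m["iface"]] = m["name"]
    return statics, acl, bindings


def find_conflicts(statics):
    """Reasons two static entries cannot coexist on the same mapped (public) address."""
    problems, by_ip = [], {}
    for s in statics:
        by_ip.setdefault((s["mapped_if"], s["mapped_ip"]), []).append(s)
    for (iface, ip), entries in by_ip.items():
        whole = [e for e in entries if e["proto"] is None]
        ports = [e for e in entries if e["proto"] is not None]
        if whole and ports:  # the poster's "PAT off for the Inside host" case
            problems.append(f"{ip} on {iface}: whole-address static to {whole[0]['real_ip']} overlaps port statics")
        if len(whole) > 1:
            problems.append(f"{ip} on {iface}: more than one whole-address static")
        seen = {}
        for e in ports:
            key = (e["proto"], e["mapped_port"])
            if key in seen and seen[key] != e["real_ip"]:
                problems.append(f"{ip} on {iface}: {key[0]}/{key[1]} mapped to both {seen[key]} and {e['real_ip']}")
            seen.setdefault(key, e["real_ip"])
    return problems


def acl_gaps(statics, acl, bindings):
    """Forwarded ports with no inbound permit, and permits that match no translation."""
    missing, exposed = [], []
    for s in statics:
        if s["proto"] is None:
            continue
        acl_name = bindings.get(s["mapped_if"])
        allowed = any(a["name"] == acl_name and a["ip"] == s["mapped_ip"]
                      and a["proto"] in ("ip", s["proto"]) and a["port"] in (None, s["mapped_port"])
                      for a in acl)
        if not allowed:
            missing.append(f"{s['proto']}/{s['mapped_port']} on {s['mapped_ip']} is forwarded but not permitted by {acl_name or 'any bound ACL'}")
    forwarded = {(s["mapped_ip"], s["proto"], s["mapped_port"]) for s in statics if s["proto"]}
    whole_ips = {s["mapped_ip"] for s in statics if s["proto"] is None}
    for a in acl:
        if a["ip"] not in whole_ips and (a["port"] is None or (a["ip"], a["proto"], a["port"]) not in forwarded):
            exposed.append(f"{a['name']} permits {a['proto']}/{a['port'] or 'any'} to {a['ip']} with no matching translation")
    return missing, exposed


def audit(text):
    """Run every check over one config fragment and return the findings by category."""
    statics, acl, bindings = parse_config(text)
    missing, exposed = acl_gaps(statics, acl, bindings)
    return {"conflicts": find_conflicts(statics), "missing_permits": missing, "permits_without_forward": exposed}


# Constructed sample: the accepted answer's three forwards with the hosts from the question.
WORKING_CONFIG = """
static (dmz,outside) tcp 1.1.1.1 25 192.168.1.10 25 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.1 443 192.168.2.10 443 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.1 1352 192.168.2.10 1352 netmask 255.255.255.255
access-list outside_in extended permit tcp any host 1.1.1.1 eq smtp
access-list outside_in extended permit tcp any host 1.1.1.1 eq https
access-list outside_in extended permit tcp any host 1.1.1.1 eq 1352
access-group outside_in in interface outside
"""
# Constructed sample of the state the poster described: PAT kept for the DMZ host but turned off
# for the Inside host (whole-address static), and the 1352 permit not yet added.
BROKEN_CONFIG = """
static (dmz,outside) tcp 1.1.1.1 25 192.168.1.10 25 netmask 255.255.255.255
static (inside,outside) 1.1.1.1 192.168.2.10 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.1 1352 192.168.2.10 1352 netmask 255.255.255.255
access-list outside_in extended permit tcp any host 1.1.1.1 eq smtp
access-list outside_in extended permit tcp any host 1.1.1.1 eq https
access-group outside_in in interface outside
"""

if __name__ == "__main__":
    for label, cfg in (("working", WORKING_CONFIG), ("broken", BROKEN_CONFIG)):
        print(label, audit(cfg))
```

Running it reports nothing for the first fragment and, for the second, one overlap (the whole-address static against the port-level entries) plus the missing permit for 1352. The parser covers only the pre-8.3 `static` syntax the answer uses; on ASA 8.3 and later the same forwards are written as object NAT under `nat` statements, so the regexes would need to be rewritten for that syntax.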
