Static NAT and Port Overload together

marioderosa2008
Level 1

Hi all,

If I have a static NAT set up for a subnet... for instance "static (inside,outside) 10.224.100.0 10.224.100.0 netmask 255.255.255.0" so that these clients NAT to themselves and are accessible from the outside, how can I add a policy dynamic NAT so that....

If 10.224.100.0/24 accesses 10.1.1.1/32 then port overload to 10.1.94.1/32 ???

I don't think I can do this as in the NAT process, static NAT comes before policy NAT.

Am I right?

If so, is there any other way that I can achieve what I want? I do not know why we are NATing this range to itself as it was not setup by me... I am not in a position to completely remove the static NAT as I do not know what access this could break.

Any help appreciated!

Thanks

Mario
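As an added illustration (not from any poster in this thread): a small Python model of the pre-8.3 ASA NAT order of operations (NAT exemption, then static NAT, then policy dynamic NAT, then regular dynamic NAT), with the rules discussed here constructed as data. It shows that the existing identity static for 10.224.100.0/24 is hit before a policy dynamic PAT to 10.1.94.1 would be. The rule kinds, helper names and the policy-PAT rule itself are assumptions of the model.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the pre-8.3 ASA NAT precedence, highest first.
NAT_ORDER = ["exemption", "static_policy", "static", "policy_dynamic", "dynamic"]


class NatRule:
    def __init__(self, kind, src, dst="0.0.0.0/0", mapped=None, label=""):
        self.kind = kind               # one of NAT_ORDER
        self.src = ip_network(src)     # real source network
        self.dst = ip_network(dst)     # destination match; policy rules narrow this
        self.mapped = mapped           # mapped address, or "same" for identity NAT
        self.label = label

    def matches(self, src_ip, dst_ip):
        return ip_address(src_ip) in self.src and ip_address(dst_ip) in self.dst


def lookup(src_ip, dst_ip, rules):
    """Return the first rule hit, walking the rule kinds in precedence order."""
    for kind in NAT_ORDER:
        for rule in rules:
            if rule.kind == kind and rule.matches(src_ip, dst_ip):
                return rule
    return None


# Rules from the thread (constructed): the identity static for 10.224.100.0/24,
# the hypothetical policy dynamic PAT (ACL TEST -> 10.1.94.1), and the
# catch-all "nat (inside) 1 0.0.0.0 0.0.0.0" / "global (outside) 1 interface".
RULES = [
    NatRule("static", "10.224.100.0/24", mapped="same",
            label="static 10.224.100.0 to itself"),
    NatRule("policy_dynamic", "10.224.100.0/24", dst="10.1.1.1/32",
            mapped="10.1.94.1", label="policy PAT to 10.1.94.1"),
    NatRule("dynamic", "0.0.0.0/0", mapped="outside-interface",
            label="nat 1 / global 1 interface"),
]


def mapped_for(src_ip, dst_ip, rules=RULES):
    rule = lookup(src_ip, dst_ip, rules)
    return rule.label if rule else "no translation"


if __name__ == "__main__":
    # Host in the static range to 10.1.1.1: the static wins, policy PAT never fires.
    print(mapped_for("10.224.100.5", "10.1.1.1"))
    # Host outside the static range: falls through to the global PAT.
    print(mapped_for("10.50.0.7", "10.1.1.1"))
```

Dropping the identity static from the rule list (the third assertion in a quick test) is the only way the model lets the policy PAT fire, which is the constraint the question describes.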


Julio Carvajal
VIP Alumni

Hello,

I would try

10.224.100.0/24 accesses 10.1.1.1/32 then port overload to 10.1.94.1/32

access-list TEST permit ip 10.224.100.0 255.255.255.0 host 10.1.1.1

static (inside,outside) 10.1.94.1 access-list TEST

static (inside,outside) 10.224.100.0 10.224.100.0 netmask 255.255.255.0

In that case the first one will take precedence if I am not mistaken (unable to lab this up right now).

Let me know how it goes

Looking for some Networking Assistance? 
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

marioderosa2008
Level 1
Level 1

Oh right, I never knew you could port overload in a static NAT statement.

I shall try it tomorrow.

Mario


Hello,

Cool, let me know

Cheers,

Julio Carvajal Segura

Hi Julio,

I just remembered... we already use the 10.1.1.1 address as a global PAT for everything, so will the ASA still allow us to use it again, do you think?

example...

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

Thanks

Mario

You sure you wanted to say 10.1.1.1? I mean, that is the destination address of the traffic.

access-list TEST permit ip 10.224.100.0 255.255.255.0 host 10.1.1.1

If that's the case then I'm not sure I follow what you are trying to accomplish here.

Cheers,

Julio Carvajal Segura

marioderosa2008
Level 1

Sorry yes you are right. I meant to say 10.1.94.1 as the NAT address.

Just tried it earlier today and the ASA was complaining about the subnet mask being invalid.

I think because a static is a 1 to 1... you cannot use it to do port overload.

Mario
