Static Natting of Public IP

vinayak
Level 1

Dear All,

Currently in my office I have a Cisco ASA 5510. I have done port forwarding on the ASA and am using my public IP to access my Citrix application from anywhere on the internet.

Now I have another web-based application which I want to access in the same way as the Citrix application. But when I try to add a static NAT, it gives the error "Static Nat to this ip is exist."

How can I assign a different IP to my application?


Jennifer Halim
Cisco Employee

You can't use the same public ip address twice for NATing unless you are using static port address redirection and use different port for the translation.

Do you have a spare public ip address?

If you don't, are you using the same port for the Citrix gateway as well as the web-based application? If you aren't, then you can configure static PAT and use the same public IP, but if you are using the same port, then you can't use static PAT.

Dear Jennifer,

We don't have spare public IPs.

Can you please tell me how we can enable static PAT?

Here is the current static NAT config:

static (inside,outside) tcp interface www server www netmask 255.255.255.255
static (inside,outside) tcp interface citrix-ica server citrix-ica netmask 255.255.255.255
static (inside,outside) tcp interface 2598 server 2598 netmask 255.255.255.255

Thanks.

Dear Jennifer,

We don't have spare public IPs.

For Citrix we have a different port (2598), and for the new application we have a different port (37777).

Here is the static config:

static (inside,outside) tcp interface www server www netmask 255.255.255.255
static (inside,outside) tcp interface citrix-ica server citrix-ica netmask 255.255.255.255
static (inside,outside) tcp interface 2598 server 2598 netmask 255.255.255.255

Can you please tell me how to enable static PAT?

Then you can configure the following for the new application access:

static (inside,outside) tcp interface 37777 37777 netmask 255.255.255.255

Then you will also need to configure the outside ACL to allow traffic on port 37777.

Dear Jennifer,

When I enter the command, the result is as below:


Result of the command: "static (inside,outside) tcp interface 37777 192.168.0.199 37777 netmask 255.255.255.255"

ERROR: mapped-address conflict with existing static
  inside:server to outside:121.242.223.102 netmask 255.255.255.255
Usage: [no] static [(real_ifc, mapped_ifc)]
  {|interface}
  { [netmask ]} | {access-list }
  [dns]
  [[tcp] [ [ [nailed]]]]
  [udp ]
[no] static [(real_ifc, mapped_ifc)] {tcp|udp}
  {|interface}
  { [netmask ]} |
  {access-list }
  [dns]
  [[tcp] [ [ [nailed]]]]
  [udp ]
show running-config [all] static []
clear configure static

Can you please share the output of "show run static"? It's probably already configured, hence you won't be able to re-add it.

Dear Jennifer,

As I said earlier, I have already configured static NAT for the Citrix application.

Here are the config commands:

static (inside,outside) tcp interface www server www netmask 255.255.255.255
static (inside,outside) tcp interface citrix-ica server citrix-ica netmask 255.255.255.255
static (inside,outside) tcp interface 2598 server 2598 netmask 255.255.255.255

Now I want to use this public IP for the other application as well. I don't have a spare public IP.

That is not a problem as long as you are not using the same port.

Currently you have used the following port for your citrix:

port 80 (www)

port 1494

port 2598

So if you are trying to add port 37777, that is fine, you can use the same public ip address.

However, you can't use any of the above same port for the new web application static PAT.

Dear Jennifer,

I successfully added the static PAT in the firewall. But I am still not able to open 121.242.223.102:37777 from the outside internet.

If I try to use www, it gives an error as it is already assigned for Citrix.

Then which port should I use for accessing 121.242.223.102:37777 from the outside internet?

Have you added access-list on the outside interface to allow traffic towards port 37777?

Is the web application listening on port 37777?
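
The two checks raised in the replies above (is the mapped port already used by an existing static PAT entry, and does the inbound ACL on the outside interface permit it), as an added example that is not part of the original thread. It assumes the pre-8.3 "static ... interface" syntax shown in the thread; the ACL name outside_in and the sample configuration are constructed.

```python
import re
# Port names as the ASA prints them in this thread (www = 80, citrix-ica = 1494).
PORT_NAMES = {"www": 80, "citrix-ica": 1494}
STATIC = re.compile(r"static \((\w+),(\w+)\) (tcp|udp) interface (\S+) (\S+) (\S+) netmask \S+")
PERMIT = re.compile(r"access-list (\S+) extended permit (tcp|udp) any interface (\w+) eq (\S+)")
GROUP = re.compile(r"access-group (\S+) in interface (\w+)")

# Constructed sample: the thread's three statics plus the new one, and a
# hypothetical inbound ACL (outside_in) that predates the new application.
SAMPLE = """
static (inside,outside) tcp interface www server www netmask 255.255.255.255
static (inside,outside) tcp interface citrix-ica server citrix-ica netmask 255.255.255.255
static (inside,outside) tcp interface 2598 server 2598 netmask 255.255.255.255
static (inside,outside) tcp interface 37777 192.168.0.199 37777 netmask 255.255.255.255
access-list outside_in extended permit tcp any interface outside eq www
access-list outside_in extended permit tcp any interface outside eq citrix-ica
access-list outside_in extended permit tcp any interface outside eq 2598
access-group outside_in in interface outside
"""

def port(token):
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)

def parse(config):
    statics, permits, bound = [], [], set()
    for line in map(str.strip, config.splitlines()):
        if m := STATIC.fullmatch(line):
            statics.append((m[2], m[3], port(m[4]), m[5], port(m[6])))
        elif m := PERMIT.fullmatch(line):
            permits.append((m[1], m[3], m[2], port(m[4])))
        elif m := GROUP.fullmatch(line):
            bound.add((m[1], m[2]))
    # Only permits in an ACL actually applied inbound on that interface count.
    allowed = {(ifc, proto, p) for acl, ifc, proto, p in permits if (acl, ifc) in bound}
    return statics, allowed

def conflicts(config, proto, mapped_port, mapped_if="outside"):
    """Existing static PAT entries already using this protocol/port on the interface."""
    statics, _ = parse(config)
    return [s for s in statics if s[:3] == (mapped_if, proto, port(mapped_port))]

def unpermitted(config):
    """Mapped ports that are translated but not permitted by the inbound ACL."""
    statics, allowed = parse(config)
    return sorted(s[2] for s in statics if s[:3] not in allowed)

if __name__ == "__main__":
    print("tcp/www already mapped by:", conflicts(SAMPLE, "tcp", "www"))
    print("translated but not permitted:", unpermitted(SAMPLE))
```

On the constructed sample, tcp/www is reported as already taken by the existing entry for server, and 37777 is reported as translated but not yet permitted inbound.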

@Vinayak

The Cisco article below will be useful in understanding NAT/PAT properly.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008046f31a.shtml

I also have some simple descriptive examples in my blog that will assist you in getting your issue sorted.

Cisco ASA NAT and PAT Configuration, permanent link: http://lalantony.me/?p=46

If you are still having issues, please don't hesitate to drop me a line.

Cheers

LA

www.lalantony.com
