Overlapping NAT statements on ASA

tylerlucas
Level 1

I'm having trouble with NAT.

This works:

static (Internal-201,ELI-External) tcp interface 3389 192.168.201.114 3389 netmask 255.255.255.255

This doesn't:

static (Internal-201,ELI-External) tcp MY_EXT_IP 3389 192.168.201.114 3389 netmask 255.255.255.255

Why wouldn't the second statement work? I'm positive that I'm typing in the correct external IP.

Edit: I'm guessing that it isn't working because the first statement has overloading and the second one doesn't, so it doesn't know how to "get back to me" since I'm in a private network myself. If this is the reason why, then is there a way to have multiple NAT statements redirecting me, depending on my source IP? (i.e., if I RDP from home, it redirects me to .114, and if I RDP from work, it redirects me to .177)

2 Replies

Your 2nd statement should work too as it's doing static PAT as well.

Are you permitting MY_EXT_IP port # 3389 on the ACL applied on the ELI-External interface?

HTH

Sundar

JORGE RODRIGUEZ
Level 10

As Sundar said, apply an ACL to the ELI-External interface.

Here is a useful link to follow the example; it should work.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804708b4.shtml#intro

static (internal-201,ELI-External) tcp interface 3389 192.168.201.114 3389 netmask 255.255.255.255 0 0

static (internal-201,ELI-External) tcp interface 3389 192.168.201.177 3389 netmask 255.255.255.255 0 0

access-list ACL1 extended permit tcp host ExternalIP-1 host 192.168.201.114 eq 3389

access-list ACL1 extended permit tcp host ExternalIP-2 host 192.168.201.177 eq 3389

access-group ACL1 in interface ELI-External

Jorge Rodriguez
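
An added example, not part of the thread and not Cisco tooling: a small Python check that parses pre-8.3 `static` PAT lines like the ones posted above and flags entries that share one mapped interface, protocol, address and port but point at different internal hosts. A plain `static` line carries no source condition, so such entries cannot be told apart by who is connecting. The sample config is constructed; 203.0.113.10 is a documentation address standing in for MY_EXT_IP.

```python
import re
from collections import defaultdict

# Constructed sample in the pre-8.3 "static" syntax used in this thread.
# 203.0.113.10 is a documentation address standing in for MY_EXT_IP.
SAMPLE_CONFIG = """\
static (Internal-201,ELI-External) tcp interface 3389 192.168.201.114 3389 netmask 255.255.255.255
static (Internal-201,ELI-External) tcp interface 3389 192.168.201.177 3389 netmask 255.255.255.255
static (Internal-201,ELI-External) tcp 203.0.113.10 3390 192.168.201.177 3389 netmask 255.255.255.255
"""

# static (real_if,mapped_if) tcp|udp mapped_ip mapped_port real_ip real_port ...
STATIC_PAT = re.compile(
    r"^static\s+\((?P<real_if>[^,\s]+),(?P<mapped_if>[^)\s]+)\)\s+"
    r"(?P<proto>tcp|udp)\s+(?P<mapped_ip>\S+)\s+(?P<mapped_port>\S+)\s+"
    r"(?P<real_ip>\S+)\s+(?P<real_port>\S+)",
    re.IGNORECASE,
)

def parse_static_pat(config):
    """Return one dict per static PAT line; all other lines are ignored."""
    entries = []
    for lineno, line in enumerate(config.splitlines(), 1):
        m = STATIC_PAT.match(line.strip())
        if m:
            entries.append({**m.groupdict(), "line": lineno})
    return entries

def find_overlaps(entries):
    """Group by mapped (interface, proto, address, port) and return the groups
    that translate to more than one real host/port."""
    groups = defaultdict(list)
    for e in entries:
        # Assumption: names are compared case-insensitively for grouping.
        # The keyword "interface" and the interface's literal IP are treated
        # as different addresses, because the config text alone cannot link them.
        key = tuple(e[k].lower() for k in
                    ("mapped_if", "proto", "mapped_ip", "mapped_port"))
        groups[key].append(e)
    return {k: v for k, v in groups.items()
            if len({(m["real_ip"], m["real_port"]) for m in v}) > 1}

if __name__ == "__main__":
    for key, members in find_overlaps(parse_static_pat(SAMPLE_CONFIG)).items():
        print("overlapping static PAT on", key)
        for m in members:
            print(f"  line {m['line']}: -> {m['real_ip']}:{m['real_port']}")
```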