Configure static NAT for range of ports

Hi,
I have a 2911 with a 3CX IP PBX behind it that needs to have a static NAT to the 3CX server for TCP/UDP 5060 and UDP 9000-9049. Do I have to create a static NAT entry for every single port in order for this to work, or can a range be defined in the NAT entries?
As an example, say my 3CX server has an internal IP of 192.168.1.25 and my external IP is 1.2.3.4. Would I have to create an entry for each port?
ip nat inside source static tcp 192.168.1.25 5060 1.2.3.4 5060
ip nat inside source static udp 192.168.1.25 5060 1.2.3.4 5060
ip nat inside source static udp 192.168.1.25 9000 1.2.3.4 9000
ip nat inside source static udp 192.168.1.25 9001 1.2.3.4 9001
and so on...
Is this the correct way to do it, or is there another better way?
Also, I only have one public IP to work with, and there are multiple other hosts on this network that need to have access to the internet. Right now I have NAT setup with overload so that the other hosts can get to the Internet. Here's my config for that:
ip nat pool PATPOOL 1.2.3.4 1.2.3.4 netmask 255.255.255.252
ip nat inside source list NAT_ACL pool PATPOOL overload     
ip access-list standard NAT_ACL
 remark PAT to outside
 permit 192.168.1.0 0.0.0.255
 exit
My question with this is will the static NAT work if I already have NAT overload configured as above?
Thanks for the help in advance.
Austin
PS here is 3CX documentation on this subject http://www.3cx.com/blog/voip-howto/cisco-voip-configuration/

I ended up creating a static NAT entry for each individual port mapping. This worked just as it was supposed to. 
I have seen examples of people using route maps and ACLs to accomplish forwarding a range of ports. I have yet to see official documentation from Cisco on this, and in some cases those examples did not seem to work correctly.
ASAs with the latest code have the ability to forward a range of ports, but based on my research IOS lacks this feature.
In my case, forwarding 50 ports wasn't so bad. However, if you have hundreds or thousands of ports to forward you may want to try the route map/ACL approach.
Hopefully this information is useful to others.
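
The per-port approach described above can be generated instead of typed by hand. The following is an added example, not part of the original posts: it expands the 3CX ranges from the question into one "ip nat inside source static" line per port and rejects a second claim on the same public protocol/port pair. The function names and the MAPPINGS structure are assumptions made for the illustration.

```python
"""Expand port ranges into one IOS static NAT entry per port (added example)."""
import ipaddress

# Constructed input: the 3CX mappings from the question above.
# Each tuple is (inside_ip, protocol, first_port, last_port).
MAPPINGS = [
    ("192.168.1.25", "tcp", 5060, 5060),
    ("192.168.1.25", "udp", 5060, 5060),
    ("192.168.1.25", "udp", 9000, 9049),
]


def expand(mappings):
    """Return [(inside_ip, proto, port), ...], one entry per forwarded port.

    With a single public address, each (protocol, outside port) pair can be
    forwarded to only one inside host, so a second claim on the same pair is
    rejected here instead of being discovered on the router.
    """
    owner = {}    # (proto, port) -> inside host that already claimed it
    entries = []
    for inside_ip, proto, first, last in mappings:
        inside = str(ipaddress.IPv4Address(inside_ip))  # ValueError on bad input
        proto = proto.lower()
        if proto not in ("tcp", "udp"):
            raise ValueError(f"unsupported protocol: {proto}")
        if not 1 <= first <= last <= 65535:
            raise ValueError(f"bad port range: {first}-{last}")
        for port in range(first, last + 1):
            key = (proto, port)
            if key in owner:
                raise ValueError(
                    f"{proto}/{port} is already forwarded to {owner[key]}"
                )
            owner[key] = inside
            entries.append((inside, proto, port))
    return entries


def static_nat_lines(outside_ip, mappings, remove=False):
    """Build the IOS commands; remove=True emits the matching 'no' lines."""
    outside = str(ipaddress.IPv4Address(outside_ip))
    prefix = "no " if remove else ""
    return [
        f"{prefix}ip nat inside source static {proto} {inside} {port} "
        f"{outside} {port}"
        for inside, proto, port in expand(mappings)
    ]


if __name__ == "__main__":
    # 1.2.3.4 is the placeholder public address used in the question.
    print("\n".join(static_nat_lines("1.2.3.4", MAPPINGS)))
```

Review the output before pasting it into the router: every generated line exposes one more port on the public address, so keep the ranges as narrow as the application requires.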

Similar Messages

  • Configure static PAT for port range

    Hi,
    could someone help with this:
    We have an ASA 5510 version 8.2 and ASDM 6.4. We want to configure a static PAT for a range of TCP and UDP ports. In the NAT configuration window we can enter just one port (ranges are not accepted).
    Thanks,

    Hi,
    In software levels 8.2 and below the only option is to generate a separate configuration for each port. This is most easily achieved through the CLI and using some text editor to help generate the possibly large configurations.
    On ASA software 8.3 and above (where NAT format was completely redone) you have the option to use a single "nat" command to configure Static PAT for a continuous range of ports.
    So your option is to either generate a separate "static" configuration for each port or upgrade the software to a newer one to be able to do Static PAT for a range of ports.
    Naturally the update involves rewriting the current NAT configurations into a new format even though booting to newer software usually converts the configurations automatically but with varying success.
    - Jouni

  • Static NAT for FTP access

    NAT overload has been done successfully as follows:
    1. ip nat inside and ip nat outside configured on the appropriate interfaces, i.e. fa0/0 and fa0/1
    2. default route added on the router.
    3. additional configuration is added:
    ip nat inside source list 1 interface fa0/1 overload
    access-list 1 permit 192.168.1.0 0.0.0.255
    Now I am trying to use static NAT for FTP:
    ip nat inside source static tcp 192.168.1.X 21 x.x.x.x 21 extendable
    But this does not work please help. I am trying to access FTP server from LAN by entering public address in the browser. Can access the FTP server with private address but this defeats the purpose of FTP. Please help.

    Router(config)#interface fa0/0
    Router(config-if)#ip address 192.168.1.254 255.255.255.0
    Router(config-if)#no shut
    Router(config-if)#ip nat inside
    Router(config-if)#interface fa0/1
    Router(config-if)#ip address 203.109.120.2 255.255.255.252
    Router(config-if)#no shut
    Router(config-if)#ip nat outside
    Router(config)#ip route 0.0.0.0 0.0.0.0 interface fa0/1
    Router(config)#ip nat inside source list 1 interface fa0/1 overload
    Router(config)#access-list 1 permit 192.168.1.0 0.0.0.255

  • DM-VPN with Static NAT for Spoke Router. Require Expert Help

    Dear All,
    This is my first time writing something.
    I have configured DM-VPN and it's working fine; now I want to configure static NAT.
    Some people will wonder why I need static NAT if it's working fine.
    Let me tell you why I need it and what my plan is.
    I have a HUB with 3 spokes. Sometimes I go outside my office and am not able to access my spoke computer by Terminal Services, because it's on a dynamic IP address. So my idea is to put one static NAT on my HUB router, so that if anyone (or I) hits the real/public IP address of my HUB WAN interface from any other remote location, the query is redirected to my Terminal Services computer, which is located in the spoke network.
    I tried that but failed.
    Again the suggestion will come: why not use Easy VPN? Well, sounds great, but then I have to keep my notebook with me.
    I'll also do that, but for now I need to know how to do static NAT, like I do on a normal router which is not part of a VPN:
    ip nat inside source static tcp 192.168.1.10 3389 interface Dialer1 3389
    But this time this command is not working, because the IP address I mention belongs to the HUB network, not the spoke.
    Suppose the spoke network is 192.168.2.0/24,
    and I want on the HUB router:
    ip nat inside source static tcp 192.168.2.10 3389 interface Dialer1 3389
    I am using Cisco 887 and 877 ADSL routers.
    But it's not working. I need expert help. Please write your comments, which are very important to me. Waiting for your comments.
    For more details please see the diagram.
    for Contact Me: [email protected]

    Hi rvarelac, thank you for the reply:
    I already did that; I put deny statements in the NAT access-list excluding the VPN traffic, but the problem is still there!
    crypto isakmp policy 10
     encr aes
     authentication pre-share
    crypto isakmp key 12344321 address 1.1.1.1
    crypto ipsec transform-set Remote-Site esp-aes esp-sha-hmac
     mode tunnel
    crypto map s2s 100 ipsec-isakmp
     set peer 1.1.1.1
     set transform-set Remote-Site
     match address vpnacl
    interface GigabitEthernet0/0
     crypto map s2s
    Extended IP access list lantointernet
    30 deny icmp 172.17.0.0 0.0.1.255 192.168.1.0 0.0.0.255
    40 deny igmp 172.17.0.0 0.0.1.255 192.168.1.0 0.0.0.255
    50 deny ip 172.17.0.0 0.0.1.255 192.168.1.0 0.0.0.255
    80 permit ip any any

  • Static NAT for DMZ hosts

    Hello,
    It has been a while since I last worked on firewall.  Please  take a look at info below.
    INSIDE does not have access to Internet
    Services/Servers in DMZ need to be accessible from Internet
    CONFIG
    names
    interface Ethernet0/0
    nameif outside
    security-level 0
    ip address X.X.X.46 255.255.255.240 standby X.X.X.45
    interface Ethernet0/1
    speed 1000
    duplex full
    nameif inside
    security-level 100
    ip address INSIDE.254 255.255.254.0 standby INSIDE.253
    interface Ethernet0/2
    interface Ethernet0/2.1
    description LAN Failover Interface
    vlan 20
    interface Ethernet0/2.2
    description STATE Failover Interface
    vlan 30
    interface Ethernet0/3
    description DMZ INTERFACE
    speed 100
    duplex full
    nameif dmz
    security-level 100
    ip address DMZ.254 255.255.255.0 standby DMZ.253
    interface Management0/0
    nameif management
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    management-only
    ftp mode passive
    dns server-group DefaultDNS
    domain-name CDGI.com
    same-security-traffic permit inter-interface
    access-list NAT0_INSIDE_DMZ remark NO NAT FROM INSIDE TO DMZ
    access-list NAT0_INSIDE_DMZ extended permit ip INSIDE.0 255.255.254.0 DMZ.0 255.255.255.0
    access-list OUTSIDE_TO_DMZ extended permit ip any host X.X.X.41
    access-list OUTSIDE_TO_DMZ extended permit tcp any host X.X.X.41 eq www
    access-list OUTSIDE_TO_DMZ extended permit icmp any host X.X.X.41 echo
    access-list OUTSIDE_TO_DMZ extended permit icmp any host X.X.X.41 echo-reply
    access-list OUTSIDE_TO_DMZ extended permit ip any host X.X.X.42
    access-list OUTSIDE_TO_DMZ extended permit tcp any host X.X.X.42 eq www
    access-list OUTSIDE_TO_DMZ extended permit icmp any host X.X.X.42 echo
    access-list OUTSIDE_TO_DMZ extended permit icmp any host X.X.X.42 echo-reply
    access-list NO-NAT-INTERNAL extended permit ip INSIDE.0 255.255.254.0 DMZ.0 255.255.255.0
    access-list NO-NAT-INTERNAL extended permit ip INSIDE.0 255.255.254.0 192.168.254.0 255.255.255.0
    access-list NO-NAT-DMZ extended permit ip DMZ.0 255.255.255.0 192.168.254.0 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu dmz 1500
    mtu management 1500
    ip local pool SSLCLIENT_IP_POOL 192.168.254.1-192.168.254.25 mask 255.255.255.0
    failover
    failover lan unit primary
    failover lan interface FAILOVER Ethernet0/2.1
    failover link STATEFUL Ethernet0/2.2
    failover interface ip FAILOVER 172.31.254.254 255.255.255.252 standby 172.31.254.253
    failover interface ip STATEFUL 172.31.254.250 255.255.255.252 standby 172.31.254.249
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat (dmz) 0 access-list NO-NAT-DMZ
    static (dmz,outside) X.X.X.41 DMZ.49 netmask 255.255.255.255
    static (dmz,outside) X.X.X.42 DMZ.28 netmask 255.255.255.255
    access-group OUTSIDE_TO_DMZ in interface outside
    route outside 0.0.0.0 0.0.0.0 X.X.X.33 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication ssh console LOCAL
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    service resetoutside
    ssh timeout 5
    ssh version 2
    console timeout 0
    dhcpd address 192.168.1.2-192.168.1.254 management
    dhcpd enable management
    threat-detection basic-threat
    threat-detection statistics port
    threat-detection statistics protocol
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect icmp
      inspect http
    service-policy global_policy global
    ===========================================================================================
    As you see above, config has ACL that allows traffic from Internet to DMZ and has static NAT.  The hosts in DMZ are still not accessible.
    Please help.
    Thanks,
    Paresh.

    Hi,
    For Inside to internet:
    you have no global( outside) as well as nat(inside) configured.
    nat(inside) 1 0 0
    global(outside) 1 interface
    For second part, I see no problem in the config, is it not working?
    Regards.
    Alain

  • NAT overload is not working when i configure Double NAT for VPN

    I have Cisco 2921 router with OS version 15.1(4)M1.
    The router is configured for NAT overload and working fine. I have a site-to-site VPN tunnel with a peer with normal NAT translation. Now we need to configure Double NAT on the VPN tunnel as we need to free the subnet on the peer network. For double NAT I use the 3.2.21.x - 3.2.23.x /24 networks and apply the following commands:
    Double NAT translation
    ip nat inside source static network 192.168.10.0 3.2.21.0 /24 no-alias
    ip nat inside source static network 192.168.20.0 3.2.22.0 /24 no-alias
    ip nat inside source static network 192.168.30.0 3.2.23.0 /24 no-alias
    Nonat
    access-list 101 deny   ip 3.2.21.0 0.0.0.255 3.2.1.0 0.0.0.255
    access-list 101 deny   ip 3.2.22.0 0.0.0.255 3.2.1.0 0.0.0.255
    access-list 101 deny   ip 3.2.23.0 0.0.0.255 3.2.1.0 0.0.0.255
    VPN encrypted traffic over the tunnel
    access-list 115 permit ip 3.2.21.0 0.0.0.255 3.2.1.0 0.0.0.255
    access-list 115 permit ip 3.2.22.0 0.0.0.255 3.2.1.0 0.0.0.255
    access-list 115 permit ip 3.2.23.0 0.0.0.255 3.2.1.0 0.0.0.255
    Problem:
    As soon as I apply the Double NAT translation commands, NAT overload stops working and clients cannot reach the internet.
    The router's partial configuration is as below:
    REACH-R01(config)#do sh run
    Building configuration...
    Current configuration : 19233 bytes
    ! Last configuration change at 09:56:45 MST Tue Jan 29 2013 by admin
    ! NVRAM config last updated at 13:57:54 MST Wed Jan 30 2013
    version 15.1
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname REACH-R01
    boot-start-marker
    boot-end-marker
    card type t1 0 0
    logging buffered 51200 warnings
    no aaa new-model
    clock timezone MST -7 0
    clock summer-time MST recurring
    network-clock-participate wic 0
    network-clock-select 1 T1 0/0/0
    no ipv6 cef
    ip source-route
    ip cef
    ip dhcp excluded-address 192.168.20.1 192.168.20.99
    ip dhcp excluded-address 192.168.20.250 192.168.20.255
    ip dhcp pool CISCO_PHONES
    network 192.168.20.0 255.255.255.0
    default-router 192.168.20.254
    option 150 ip 192.168.20.254
    no ip domain lookup
    ip domain name reach.local
    ip inspect name ethernetin ftp timeout 3600
    ip inspect name ethernetin h323 timeout 3600
    ip inspect name ethernetin http timeout 3600
    ip inspect name ethernetin rcmd timeout 3600
    ip inspect name ethernetin realaudio timeout 3600
    ip inspect name ethernetin smtp timeout 3600
    ip inspect name ethernetin sqlnet timeout 3600
    ip inspect name ethernetin streamworks timeout 3600
    ip inspect name ethernetin tcp timeout 3600
    ip inspect name ethernetin tftp timeout 30
    ip inspect name ethernetin udp timeout 15
    ip inspect name ethernetin vdolive timeout 3600
    multilink bundle-name authenticated
    isdn switch-type primary-ni
    trunk group PRI
    crypto pki token default removal timeout 0
    crypto pki trustpoint TP-self-signed-3180627716
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-3180627716
    revocation-check none
    rsakeypair TP-self-signed-3180627716
    voice-card 0
    dsp services dspfarm
    voice service voip
    allow-connections sip to sip
    fax protocol t38 version 0 ls-redundancy 0 hs-redundancy 0 fallback none
    sip
    voice translation-rule 1
    rule 5 /^7804981231/ /401/
    voice translation-rule 2
    rule 5 // /7804981231/
    voice translation-profile DID_INBOUND
    translate called 1
    voice translation-profile DID_OUTBOUND
    translate calling 2
    license udi pid CISCO2911/K9 sn FGL1540114P
    license accept end user agreement
    license boot module c2900 technology-package securityk9
    hw-module ism 0
    hw-module pvdm 0/0
    username test test
    redundancy
    controller T1 0/0/0
    cablelength long 0db
    pri-group timeslots 1-6,24
    no ip ftp passive
    crypto isakmp policy 10
    encr aes 256
    authentication pre-share
    group 2
    crypto isakmp key P@ssw0rd address 33.33.33.33 no-xauth
    crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac
    crypto map VPN-TUNNEL 1 ipsec-isakmp
    description COMPUGEN
    set peer 33.33.33.33
    set transform-set ESP-AES256-SHA
    match address 115
    interface Embedded-Service-Engine0/0
    no ip address
    shutdown
    interface GigabitEthernet0/0
    description Outside Interface To the Internet
    ip address dhcp
    ip access-group outside_access_in in
    ip nat outside
    ip virtual-reassembly in
    duplex auto
    speed auto
    crypto map VPN-TUNNEL
    interface ISM0/0
    ip unnumbered GigabitEthernet0/1.20
    service-module ip address 192.168.20.2 255.255.255.0
    !Application: CUE Running on ISM
    service-module ip default-gateway 192.168.20.254
    interface GigabitEthernet0/1
    no ip address
    ip nat inside
    ip virtual-reassembly in
    duplex auto
    speed auto
    interface GigabitEthernet0/1.10
    description VLAN 10 DATA VLAN
    encapsulation dot1Q 10
    ip address 192.168.10.254 255.255.255.0
    ip nat inside
    ip inspect ethernetin in
    ip virtual-reassembly in
    interface GigabitEthernet0/1.20
    description VLAN 20 VOICE VLAN
    encapsulation dot1Q 20
    ip address 192.168.20.254 255.255.255.0
    ip nat inside
    ip virtual-reassembly in
    interface GigabitEthernet0/1.30
    description VLAN 30 WIRELESS VLAN
    encapsulation dot1Q 30
    ip address 192.168.30.254 255.255.255.0
    ip nat inside
    ip inspect ethernetin in
    ip virtual-reassembly in
    interface GigabitEthernet0/2
    no ip address
    shutdown
    duplex auto
    speed auto
    interface ISM0/1
    description Internal switch interface connected to Internal Service Module
    no ip address
    interface Serial0/0/0:23
    no ip address
    encapsulation hdlc
    isdn switch-type primary-ni
    isdn incoming-voice voice
    trunk-group PRI
    no cdp enable
    interface Vlan1
    no ip address
    ip forward-protocol nd
    ip http server
    ip http access-class 23
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip http path flash:CME8.6/GUI
    ip nat inside source static tcp 192.168.10.10 443 interface GigabitEthernet0/0 443
    ip nat inside source static tcp 192.168.10.10 25 interface GigabitEthernet0/0 25
    ip nat inside source static tcp 192.168.10.10 1723 interface GigabitEthernet0/0 1723
    ip nat inside source static tcp 192.168.10.10 3389 interface GigabitEthernet0/0 3389
    ip nat inside source static tcp 192.168.10.10 123 interface GigabitEthernet0/0 123
    ip nat inside source static tcp 192.168.10.10 987 interface GigabitEthernet0/0 987
    ip nat inside source list 101 interface GigabitEthernet0/0 overload
    ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 75.152.248.1
    ip route 0.0.0.0 0.0.0.0 75.152.248.1 254
    ip route 0.0.0.0 0.0.0.0 205.206.0.1 254
    ip route 192.168.20.2 255.255.255.255 ISM0/0
    ip access-list extended outside_access_in
    permit udp any any eq bootps
    permit udp any any eq bootpc
    permit tcp any host 22.22.22.22 eq 1723
    permit tcp any host 22.22.22.22 eq 3389
    permit tcp any host 22.22.22.22 eq smtp
    permit tcp any host 22.22.22.22 eq 443
    permit tcp any host 22.22.22.22 eq domain
    permit udp any host 22.22.22.22 eq domain
    permit tcp any host 22.22.22.22 eq 123
    permit icmp any host 22.22.22.22 unreachable
    permit icmp any host 22.22.22.22 echo-reply
    permit icmp any host 22.22.22.22 packet-too-big
    permit icmp any host 22.22.22.22 time-exceeded
    permit icmp any host 22.22.22.22 traceroute
    permit icmp any host 22.22.22.22 administratively-prohibited
    permit icmp any host 22.22.22.22 echo
    permit tcp any host 22.22.22.22 eq 987
    permit tcp any host 22.22.22.22 eq 47
    permit gre any host 22.22.22.22
    permit udp any host 22.22.22.22 eq isakmp
    permit esp any host 22.22.22.22
    access-list 23 permit any
    access-list 101 deny   ip 192.168.20.0 0.0.0.255 3.2.1.0 0.0.0.255
    access-list 101 deny   ip 192.168.30.0 0.0.0.255 3.2.1.0 0.0.0.255
    access-list 101 deny   ip 192.168.10.0 0.0.0.255 3.2.1.0 0.0.0.255
    access-list 101 deny   ip 3.2.21.0 0.0.0.255 3.2.1.0 0.0.0.255
    access-list 101 deny   ip 3.2.22.0 0.0.0.255 3.2.1.0 0.0.0.255
    access-list 101 deny   ip 3.2.23.0 0.0.0.255 3.2.1.0 0.0.0.255
    access-list 101 permit ip 192.168.10.0 0.0.0.255 any
    access-list 101 permit ip 192.168.20.0 0.0.0.255 any
    access-list 101 permit ip 192.168.30.0 0.0.0.255 any
    access-list 110 permit ip 0.0.0.0 255.255.255.0 0.0.0.0 255.255.255.0
    access-list 115 permit ip 3.2.21.0 0.0.0.255 3.2.1.0 0.0.0.255
    access-list 115 permit ip 3.2.22.0 0.0.0.255 3.2.1.0 0.0.0.255
    access-list 115 permit ip 3.2.23.0 0.0.0.255 3.2.1.0 0.0.0.255
    Solution: Support forums team

    I have the same problem also.  Restarting isn't helping and the auto lock/unlock button is on.  Plus a couple of time when I turn it on it is asking if I want to power off.  That is when I push the button on the front to wake it up.  Not the power button on top.  I have an IPAd 2. Worked fine before the update. 

  • Configuring inbound NAT for an IP protocol

    Hi
    How do we configure an inbound NAT for IP protocol 41 from the outside interface to a DMZ host within ASA v9.1? A 1:1 translation is not an option due to the sparse IPs.
    ASA v9.1 refuses to configure a service translation when it's neither TCP nor UDP.
    Greetings
    Roberto

    Hello Roberto,
    Yeah man, sorry to inform you that it's just not possible...
    You cannot do that, all you can do is a one to one mapping or at least the tcp/udp port-forwarding. As your protocol does not have any port, option one is the only option.
    The only thing that I have seen like this is the PPTP inspection starting on 8.3 and you will need to enable the inspection for the protocol so you can dynamically allocate the GRE traffic. This without the need for an IP protocol but for what you are looking for there is config,
    Sorry!
    Regards,

  • Setting up static nat for ip addresses

    We recently switched to a verizon fios line. Our company has two offices (CA, NC). There are servers in NC that we need to be able to print to printers in CA. 
    We have 5 static IP's from Verizon, I set 3 of the remaining IPs as a static nat to the private ips of the printers. I cannot ping these static public ips. I even have the port forwarding from UDP/TCP set to any for both the Source and Destination ports. 
    Can anyone help me as to why I cannot ping these IP addresses?
    I can ping the private IP's from the private network (CA) that the printers are on.

    No, it does not. But they are working this morning. Maybe the DNS needed to propagate? Not sure but it works now.

  • WRT610N - Need to Set Static IP for Server and Port Forwarding

    Does anyone know how I can assign a static IP for my Home Media Server in the WRT610N router? I need to do this because of the settings I need to set for the server in the Single Port Forwarding.
    Thanks in advance!

    Never mind. I got it.

  • Command to see host and static nat for the same object together

    I have researched this but cannot find an answer.  ASA running version 8.5.
    When you create the config using object NAT you enter the commands as follows
    object network <object name>
       host x.x.x.x
       nat (inside,outside) static y.y.y.y
    When the config is displayed it separates the host and nat commands in two different sections of the config as follows
    object network <object name>
       host x.x.x.x
    object network <object name>
       nat (inside,outside) static y.y.y.y
    Is there a command that will display it all together (like it was typed in)?  Show NAT is something like what I am after but without all of the extra info such as translate_hits, untranslate_hits etc. I need this information but cleaning up the output of a show nat is going to be tough.
    Any suggestions?  
    Thanks.

    Sorry, show nat detail is what I meant in the original post in place of show nat.   Show nat detail still has all of the extra info I was trying to avoid.  Guess I will be editing a text file.
    Thanks for the reply.

  • Static NAT for Secondary IP addresses

    I am running a Novell SBS 6.0 SP4 server w/Border Manager 3.6 Sp2 with two
    Netcards. My Two public IP address w/different subnets on the same Net
    card will keep running but the secondary IP address fail after a few
    hours, but can be pinged from inside the Network. The following is how my
    config is setup:
    Netcard #1(public):
    IP #1 - 66.170.173.100 Subnet 255.255.255.240
    Static/Dynamic 66.170.173.17 -> 192.xxx.1.22
    66.170.173.18 -> 192.xxx.1.23
    66.170.173.20 -> 192.xxx.2.25
    IP #2 - 66.170.173.17 Subnet 255.255.255.248
    Static/Dynamic - Disabled
    Secondary Ip Address bound -> 66.170.173.18
    -> 66.170.173.20
    Netcard #2 (private)- 192.xxx.1.16
    The modem is connected directly to Netcard #1 with not router between
    them. Is there something wrong with this setup or is there something else
    I have to do? My filters seem to be working fine as far as I know.
    Thank you,
    [email protected]

    > hi Ken,
    >
    > do you have a way to verify that the secondary IP addresses work properly if
    > they're associated to another device?
    > What's the agreement you have with your ISP about the two subnet of
    > addresses? Are they aware that they're associated to the same physical
    > device? I'm wondering if there is something wrong in the wireless system that
    > prevents ARP from working properly in that configuration.
    >
    > --
    > Caterina Luppi
    > Novell Support Connection Volunteer Sysop
    > <[email protected]> wrote in message
    > news:zj7mc.1918$[email protected]..
    > > > Hi Ken,
    > > >
    > > > > Whose router are we talking about? Is it the modem of the ISP just before
    > > > > my server or my internal switches for my workstations?
    > > >
    > > > sorry, my bad. I was referring to the modem of the ISP. I suspect this is
    > > > not a modem only, right? I mean, you have an ethernet connection between the
    > > > modem and the BM server, correct? In this case the device of your ISP is a
    > > > modem/router, not a modem only.
    > > > Are you using DSL or cable?
    > > > --
    > > > Caterina Luppi
    > > > Novell Support Connection Volunteer Sysop
    > > >
    > > >
    > > Yes, we are running wireless DSL. They called it a modem, but it might be
    > > a router.
    > >
    > > [email protected]
    >
    >
    I just received an email back from the ISP and they said they have had
    troubles with that modem and ARP tables. They are going to swap out the
    modem when they get the new type of modems in. I will post back the
    outcome when they swap them out.
    Thank you for the help,
    [email protected]

  • How to configure static NAT on two internal interfaces?

    Cisco Adaptive Security Appliance Software Version 8.4(2)
    I need to NAT an IP from my VPN DMZ (192.168.100.26) to two different internal DMZs, DMZ-1 (10.3.255.15) and DMZ-2 (10.3.255.15). Resources in each of those DMZs need to get to that resource in the VPN DMZ.
    - NAT works from VPN-DMZ to DMZ-1
    - When I add the NAT config to go from VPN-DMZ to DMZ-2, it deletes the config going to DMZ-1.
    object network snat-10.3.255.15
    host 192.168.100.26
    object network snat-10.3.255.15
    nat (VPN,DMZ-1) static 10.3.255.15
    If I add the following, it removes it from DMZ-1
    object network snat-10.3.255.15
    nat (VPN,DMZ-2) static 10.3.255.15
    How can I keep the same IPs, but use it on two different internal interfaces on the firewall?

    I believe you have to create two objects. You can only have a single NAT statement per network object.
    object network snat-10.3.255.15-dmz1
    host 192.168.100.26
    object network snat-10.3.255.15-dmz1
    nat (VPN,DMZ-1) static 10.3.255.15
    object network snat-10.3.255.15-dmz2
    host 192.168.100.26
    object network snat-10.3.255.15-dmz2
    nat (VPN,DMZ-2) static 10.3.255.15

  • Overlaping Static NAT Rule

    Hello all. I have an issue while creating a NAT rule: I am getting the error "Overlaping Static NAT Rule".
    Here are the details:
    I have already configured static NAT for RDP 3389 traffic to my host 192.168.1.128, which is working fine (so I can RDP from outside).
    However, now I want port 9090 to be translated to 3389 for another host, 192.168.1.13 (so I can put port 9090 when I do the RDP to reach the .13 server).
    I am receiving the error "Overlaping Static NAT Rule".
    I don't understand how it can be overlapped?
    (see screenshot)
    Please help: how can I have another rule with PAT to the translated port in the ASA?

    Hi,
    Seems to me that you have the ports the wrong way around in the new configuration.
    Your Original port is TCP/9090 which would mean that this would be the actual local port on the host. And you have set the Translated port as TCP/3389 which means that this is the public/mapped port.
    Considering you have a Static PAT (Port Forward) already configured for port TCP/3389 this naturally overlaps.
    So in the configuration window where you define the ports switch their places and it should be fine.
    Hope this helps
    - Jouni

  • Static nat with dual destination

    I need to configure static nat for cisco ASA 5500,
    here is the topology:
    one server (source) with ip 10.211.250.22 /28 (interface : name if dmz_virtual_account)
    will static nat to two destinations :
    1. to Internet will translated to 202.152.19.196 (Interface : name if Outside_Inet) and,
    2. to external network with  real address is 10.10.10.1 and will translated to 192.168.168.14 /29 (interface : name if dmz_external)
    Need help
    and many thanks for any advice
    Regards,
    Manao

    Hi Marvin
    my ASA's software running 8.4
    Regards,
    Manao

  • Create static nat rule cli

    I need to create a static nat rule that allows outside requests to the inside interface using http. I also need to create an access rule for this. Can someone please explain and show me the command I need to use in asa 5500 firewall version 9.x?
    Thanks!

    Hi,
    Do you mean that you want to create Static NAT rule where the local IP address is the actual IP address of the ASA "inside" interface?
    If so then that is not possible. You won't be able to connect to the "inside" interface through another interface even when using NAT configuration.
    You would have to use a VPN connection to be able to connect to the "inside" interface IP address.
    Otherwise you will need to connect to the ASA using the "outside" interface IP address.
    If you meant that you want to configure Static NAT for some internal host then the configuration format would be
    object network STATIC
    host
    nat (inside,outside) static
    Hope this helps
    - Jouni
