
Static PAT in Nat/Global conflict


Postby Guest » Mon Mar 08, 2010 2:56 pm


I seem to have a problem because of a conflict between the static PAT and the nat/global pool.

I have a config with the following statics and ACLs. (192.169.10.2 and 192.168.10.3 are two addresses on the same adapter in the same server.)

static (dmz,outside) tcp 212.xx.xx.4 www 192.168.10.2 5080 netmask 255.255.255.255 0 0


static (dmz,outside) 212.xx.xx.5 192.168.10.3 netmask 255.255.255.255 0 0

access-list 100 line 7 permit tcp any host 212.xx.xx.4 eq www

access-list 100 line 8 permit tcp any host 212.xx.xx.5 eq ftp

access-list 100 line 9 permit tcp any host 212.xx.xx.5 eq ftp-data

With this new config, once I have issued "cl xlate", I can externally use the website and the FTP site.

However, as soon as the server (192.6.12.2/3) connects to the internet, the static PAT stops working:

static (dmz,outside) tcp 212.xx.xx.4 www 192.168.10.2 5080 netmask 255.255.255.255 0 0

Interestingly, the one-to-one static (ftp) continues to work.

If I do a "show xlate" it mentions a "Global 212.xx.xx.22 Local 192.168.10.2". Presumably this is why it isn't working, as it has now taken an address from the global pool and is no longer using 212.xx.xx.4. I'm not sure why this conflict happens. Any help much appreciated.

Dan

Guest
 


Re:Static PAT in Nat/Global conflict

Postby Guest » Mon Mar 08, 2010 3:42 pm


Hello Dan,

Please note that you have done a static for 192.168.10.2 only for the traffic on TCP local port 5080. Due to this, any other traffic, like browsing etc., will not be statically NATted and will take a global IP.

The FTP works because it's a pure static NAT and not a static PAT as done for 192.168.10.2.

Change the static PAT into a static NAT if the server 192.168.10.2 is going to use other applications:

static (dmz,outside) 212.xx.xx.4 192.168.10.2 netmask 255.255.255.255 0 0

Change this and let us know if it solves your problem.

All the best. Rate all replies if found useful.

Guest
 

Re:Static PAT in Nat/Global conflict

Postby Guest » Mon Mar 08, 2010 4:42 pm


The problem, though, is that the webserver (Apache) runs on port 5080 so as not to conflict with IIS.

I therefore need a translation from port 80 externally to port 5080 internally. I can only do this with a static PAT, can't I?

Thanks for your help.

Dan

Guest
 

Re:Static PAT in Nat/Global conflict

Postby Guest » Mon Mar 08, 2010 6:20 pm


Hi Dan,

If you are going to access the webserver on port 5080 directly, by typing some sort of URL like www.xyz.com:5080, then you can do a direct static NAT, as told by me in my last post, and open port 5080 on the PIX for incoming connections.

By doing this you can still reach the webserver on port 5080. No need for static PAT.

Hope this helps.

All the best!

Guest
 

Re:Static PAT in Nat/Global conflict

Postby Guest » Mon Mar 08, 2010 6:34 pm


Yes, unfortunately it is a site for customers and they won't take kindly to this!

Dan

Guest
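The symptom Dan describes (a host covered only by a port-level static PAT showing up in "show xlate" with a global-pool address) can be spotted from the config and the xlate output alone. The following checker is an added example, not code from the thread; it assumes the PIX 6.x "static" syntax and the "Global ... Local ..." xlate line format exactly as quoted in the posts, and the sample config and xlate excerpt it embeds are constructed from them.

```python
import re

# Port-level static PAT:  static (in,out) tcp|udp GIP GPORT LIP LPORT ...
STATIC_PAT_RE = re.compile(
    r"^static\s*\((\S+),(\S+)\)\s+(tcp|udp)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")
# One-to-one static NAT:  static (in,out) GIP LIP ...
STATIC_NAT_RE = re.compile(r"^static\s*\((\S+),(\S+)\)\s+(\S+)\s+(\S+)")
# One "show xlate" entry:  Global GIP Local LIP
XLATE_RE = re.compile(r"Global\s+(\S+)\s+Local\s+(\S+)")

# Constructed from the thread: a port-level static PAT for .2, a one-to-one static for .3.
SAMPLE_CONFIG = """\
static (dmz,outside) tcp 212.xx.xx.4 www 192.168.10.2 5080 netmask 255.255.255.255 0 0
static (dmz,outside) 212.xx.xx.5 192.168.10.3 netmask 255.255.255.255 0 0
"""
# Constructed "show xlate" excerpt: .2 has taken a global-pool address, .3 has not.
SAMPLE_XLATE = """\
Global 212.xx.xx.22 Local 192.168.10.2
Global 212.xx.xx.5 Local 192.168.10.3
"""

def parse_statics(config_text):
    """Split static lines into one-to-one NATs and port-level PATs, keyed by local IP."""
    one_to_one, port_only = {}, {}
    for line in config_text.splitlines():
        line = line.strip()
        m = STATIC_PAT_RE.match(line)          # must be tried first: the NAT regex
        if m:                                  # would also match a PAT line
            _, _, proto, gip, gport, lip, lport = m.groups()
            port_only.setdefault(lip, []).append((proto, gip, gport, lport))
            continue
        m = STATIC_NAT_RE.match(line)
        if m:
            _, _, gip, lip = m.groups()
            one_to_one.setdefault(lip, set()).add(gip)
    return one_to_one, port_only

def find_shadowed_pats(config_text, xlate_text):
    """Return (local, current_global, expected_globals) for every host whose only
    static is a port-level PAT but whose live xlate points at a different global."""
    one_to_one, port_only = parse_statics(config_text)
    findings = []
    for gip, lip in XLATE_RE.findall(xlate_text):
        if lip in port_only and lip not in one_to_one:
            expected = {entry[1] for entry in port_only[lip]}
            if gip not in expected:
                findings.append((lip, gip, sorted(expected)))
    return findings

if __name__ == "__main__":
    for lip, gip, expected in find_shadowed_pats(SAMPLE_CONFIG, SAMPLE_XLATE):
        print(f"{lip}: dynamic xlate to {gip} shadows static PAT on {expected}")
```

Run against a real "show run" and "show xlate" capture, any line the script prints is a host whose inbound static PAT will stop matching until the dynamic xlate is cleared.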
 
