We are currently replacing a Linux firewall for a client with an ASA 5520 and we are trying to replicate their existing configuration/translations
over to the ASA.
On their existing Linux firewall they have the following translations -
DNAT tcp -- 203.x.x.161 202.O.O.225 tcp dpt:3389 to:192.168.100.9:3389
DNAT tcp -- 58.y.y.60 202.O.O.225 tcp dpt:3389 to:192.168.26.11:3389
Basically they are statically translating port 3389 but translating through to different inside hosts depending on the source.
I tried to use policy NAT to do this but had no luck. If I use one ACL and two static statements -
access-list test extended permit tcp host 192.168.26.11 eq 3389 host 58.y.y.60
access-list test extended permit tcp host 192.168.100.9 eq 3389 host 203.x.x.161
static (inside,outside) tcp interface 3389 access-list test
I get this error - access-list used in static has different local addresses
If I try it with separate ACLs and statements -
access-list test extended permit tcp host 192.168.26.11 eq 3389 host 58.y.y.60
access-list test2 extended permit tcp host 192.168.100.9 eq 3389 host 203.x.x.161
static (inside,outside) tcp interface 3389 access-list test
static (inside,outside) tcp interface 3389 access-list test2
I get this error - ERROR: mapped-address conflict with existing static
Is there any way to have two static translations on the same TCP port and the same interface address, with the external source address being used to determine which translation is used?
Thanks