rperault asked:

Creating NAT and Access Rules Cisco ASA

I must be doing something wrong here. I have an application called Reliweb which needs to access a server using port 2837. What I am looking for is a NAT and access rule for this.

I have done this many times before, but for some strange reason I cannot get it to connect. I have created the NAT and service object for the port and the access rule. But when I test it through the application and through TELNET I cannot connect.

I need to connect through the OUTSIDE interface for Giggles
translated to INSIDE private IP using port 2837.
I am using ASDM to connect to my firewall, so I have created them manually and through the CLI. If someone could give me the CLI command lines that would be great. I need to get this working.

jlindler posted an answer (not reproduced on this page).
rperault:

Thanks, I just found out I couldn't get anything to work.

Conflicts with existing statics, therefore I cannot create NATs as it will not allow me to.

Anything you can think of to get me around this, or do I need more IPs? I tried all the IPs that I have. Checked all my NATs and they are all being used for other protocols.

Result of the command: "static (inside,outside) tcp 2837 2837 netmask"

ERROR: mapped-address conflict with existing static
  inside: to outside: netmask

Result of the command: "static (inside,outside) netmask"

ERROR: mapped-address conflict with existing static
  inside: to outside: netmask

You can use Port Address Translation to "share" your external IPs among hosts:

For example:
static (inside,outside) tcp 2837 2837 netmask
static (inside,outside) tcp 80 80 netmask

Both machines are utilizing the external IP but with different ports, and the PIX is using PAT to send traffic to the appropriate server. This should work fine for multiple servers as long as they do not need to use the same external port!!
BTW, you will need to delete the static NAT mapping (one-to-one) for the external address you are working with before you add the PAT ones, or you will receive the warning you saw above. Note - a NAT mapping for a given IP will "override" the PAT mapping.

My problem is that all my IPs are NAT'd to different servers, and one is for the DMZ. I can't NAT the same external IP to two different internal IPs, can I?

Yep! PAT will allow you to map an IP and port combination to a server instead of dedicating the entire IP address in a one-to-one manner. The only hang-up is if both servers need to have clients accessing the same external IP/port combination. For example, I could have a web server (TCP port 80), an RDP server (TCP port 3389), and an NTP server (UDP port 123) - all different boxes with different internal addresses offering services on different ports - mapped to one external IP.

Example Servers:
Web -

External IP:

Command Line:
static (inside,outside) tcp 80 80 netmask
static (inside,outside) tcp 3389 3389 netmask
static (inside,outside) udp 123 123 netmask
In order to remove the old one-to-one static, you should determine what ports are currently used by the server behind that static. Let's assume it is a mail server with port 25 open inbound. Off hours, perform this:
no static (inside,outside) netmask
static (inside,outside) tcp 25 25 netmask
static (inside,outside) tcp 2837 2837 netmask

And then, of course, you need an access rule, as jlindler first suggested.
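As an added example (not code from this thread), here is a small Python planner that models the two rules the answers rely on: a one-to-one static owns the whole mapped address, so any further static for it is rejected with the "mapped-address conflict" error, while static PAT entries may share a mapped address as long as no two use the same protocol and port. It emits the pre-8.3 `static` commands in the order the last answer describes (remove the old static, then add per-port PAT plus the matching access-list entry); the IP addresses and the ACL name `outside_in` are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample addresses (RFC 5737 / RFC 1918), not the asker's real ones.
MAPPED_IP = "203.0.113.10"      # shared external address
MAIL_REAL = "192.168.1.25"      # host behind the existing one-to-one static
RELIWEB_REAL = "192.168.1.50"   # server that must receive TCP/2837

@dataclass(frozen=True)
class Static:
    """One pre-8.3 ASA/PIX 'static' entry; proto None means one-to-one NAT."""
    mapped_ip: str
    real_ip: str
    proto: Optional[str] = None
    port: Optional[int] = None  # mapped port == real port, as in the thread

    def command(self, remove: bool = False) -> str:
        prefix = "no " if remove else ""
        if self.proto is None:
            return f"{prefix}static (inside,outside) {self.mapped_ip} {self.real_ip} netmask 255.255.255.255"
        return (f"{prefix}static (inside,outside) {self.proto} {self.mapped_ip} {self.port} "
                f"{self.real_ip} {self.port} netmask 255.255.255.255")

    def access_rule(self) -> str:
        """Inbound ACE for this PAT entry (ACL name 'outside_in' is an assumption)."""
        return f"access-list outside_in extended permit {self.proto} any host {self.mapped_ip} eq {self.port}"

def conflict(existing: List[Static], new: Static) -> Optional[Static]:
    """Return the entry that makes the ASA reject `new` with 'mapped-address conflict'."""
    for e in existing:
        if e.mapped_ip != new.mapped_ip:
            continue
        if e.proto is None or new.proto is None:
            return e  # a one-to-one static owns the whole mapped address
        if (e.proto, e.port) == (new.proto, new.port):
            return e  # external protocol/port already taken
    return None

def migrate(existing, mapped_ip, forwards):
    """Replace the one-to-one static for mapped_ip with per-port PAT; forwards = [(proto, port, real_ip)]."""
    old = [e for e in existing if e.mapped_ip == mapped_ip and e.proto is None]
    kept = [e for e in existing if e not in old]
    cmds = [e.command(remove=True) for e in old]  # drop the old static first
    for proto, port, real_ip in forwards:
        pat = Static(mapped_ip, real_ip, proto, port)
        if (b := conflict(kept, pat)) is not None:
            raise ValueError(f"{pat.command()} conflicts with {b.command()}")
        kept.append(pat)
        cmds += [pat.command(), pat.access_rule()]
    return cmds
```

The access-list still has to be bound with `access-group outside_in in interface outside` once, which the planner does not emit.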