
ASA 8.2 to 8.4 PAT

wanstor asked:
In the old 8.2 config we have multiple PATs from the inside to the outside, i.e.:

static (inside,outside) tcp 1.1.1.1 7096 2.2.2.2 7096 netmask 255.255.255.255  dns
 
static (inside,outside) tcp 1.1.1.1 7079 2.2.2.2 7079 netmask 255.255.255.255  dns

When trying this as detailed on https://supportforums.cisco.com/docs/DOC-9129 it should change to:

object network SWITCH-2.2.2.2
host 2.2.2.2
nat (inside,outside) static 1.1.1.1 service tcp 7096 7096
nat (inside,outside) static 1.1.1.1 service tcp 7079 7079

When we try to put this in, it will only allow one entry to be placed and overwrites the previous one. We therefore used the NAT before object with the following commands:

 nat (inside,outside) 2 source static 2.2.2.2 overload-1.1.1.1 service tcp-7096 tcp-7096
 nat (inside,outside) 2 source static 2.2.2.2 overload-1.1.1.1 service tcp-7079 tcp-7079

We then put an ACL on the outside interface:

access-list outside_access_in line 2 extended permit tcp host 3.3.3.3 object overload-1.1.1.1 eq 7079

We see hits on the ACL but we do not get any connection.

Senior infrastructure engineer
Top Expert 2012
Commented:
The thing is that you need to create two objects (hurray for the new nat......)
So like:

object network SWITCH-2.2.2.2-7096
host 2.2.2.2
nat (inside,outside) static 1.1.1.1 service tcp 7096 7096

object network SWITCH-2.2.2.2-7079
host 2.2.2.2
nat (inside,outside) static 1.1.1.1 service tcp 7079 7079
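
The one-object-per-port layout from the answer above, generated from the 8.2 lines in the question; this is an added example, not part of the original posts. The function name `convert`, the `SWITCH` prefix default, the `-udp` name suffix and the choice to flag rather than carry over the `dns` keyword are assumptions made for illustration.

```python
import re

# ASA 8.2 static PAT, as posted in the question:
#   static (real_if,mapped_if) proto mapped_ip mapped_port real_ip real_port [netmask m] [dns]
STATIC_PAT = re.compile(
    r"static\s+\((?P<real_if>[^,\s]+),(?P<mapped_if>[^)\s]+)\)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<mapped_ip>\S+)\s+(?P<mapped_port>\S+)\s+(?P<real_ip>\S+)\s+(?P<real_port>\S+)"
    r"(?P<opts>.*)"
)

def convert(old_config, prefix="SWITCH"):
    """Translate 8.2 static PAT lines; return (new_config_lines, warnings)."""
    out, warnings, seen = [], [], set()
    for line in old_config.splitlines():
        m = STATIC_PAT.fullmatch(line.strip())
        if not m:
            continue  # not a static PAT line; left for manual migration
        r = m.groupdict()
        # One object per translated port: a second nat statement in the same
        # object replaces the first, which is the overwrite seen in the question.
        name = f"{prefix}-{r['real_ip']}-{r['real_port']}"
        if r["proto"] == "udp":
            name += "-udp"  # keep tcp and udp on the same port in separate objects
        if name in seen:
            warnings.append(f"duplicate translation skipped: {line.strip()}")
            continue
        seen.add(name)
        if "dns" in r["opts"].split():
            warnings.append(f"{name}: 'dns' keyword not carried over, review manually")
        out += [
            f"object network {name}",
            f"host {r['real_ip']}",
            f"nat ({r['real_if']},{r['mapped_if']}) static {r['mapped_ip']} "
            f"service {r['proto']} {r['real_port']} {r['mapped_port']}",
            "",
        ]
    return out, warnings

# The two lines from the question (addresses are the page's own placeholders).
OLD_8_2 = """\
static (inside,outside) tcp 1.1.1.1 7096 2.2.2.2 7096 netmask 255.255.255.255  dns
static (inside,outside) tcp 1.1.1.1 7079 2.2.2.2 7079 netmask 255.255.255.255  dns
"""

if __name__ == "__main__":
    new_config, notes = convert(OLD_8_2)
    print("\n".join(new_config))
    print("\n".join("! " + n for n in notes))
```
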

Pete Long, Technical Consultant
Distinguished Expert 2019

Commented:
>>(hurray for the new nat......)

<grin>

Author

Commented:
Hurray is one word.  I can think of many alternatives :-)

Ernie Beek, Senior infrastructure engineer
Top Expert 2012

Commented: