ASA NAT Problem
mzinz
I'm having trouble with NAT.
This works:
static (Internal-201,ELI-External) tcp interface 3389 192.168.201.114 3389 netmask 255.255.255.255
This doesn't:
static (Internal-201,ELI-External) tcp MY_EXT_IP 3389 192.168.201.114 3389 netmask 255.255.255.255
Why wouldn't the second statement work? I'm positive that I'm typing in the correct external IP. When I attempt to RDP with the second statement instead of the first, it just gives me a connection error.
I think that only the first one works because 'interface' means that it uses PAT and overloads, whereas the RDP host I'm connecting to doesn't know how to "get back" to me, since I'm inside my own local network. If this is true, then my next question is:
How can I have multiple NAT statements which use the same port, that direct to a certain host, depending on source IP?
Comments
buda
I used to work at Cisco TAC, and specifically dealt with the ASA. It's actually a feature of the IOS (I believe above 7.0) that if you specify the IP address of an interface with NAT you have to use the keyword "interface". It's a regular static xlate. This used to generate a lot of cases for us.
See univerCD for more info:
http://www.cisco.com/univercd/home/home.htm
I'm not exactly sure about your second question, but you may try defining the traffic using an access-list, then use that list in your NAT. This wouldn't work statically, only for traffic coming back in to your inside hosts, but I think only one host would work at a time.
Hope that helps.