Nat – ASA Static NAT Understanding


I have an ASA configured as follows:

Inside: 192.168.0.254/24
Outside: 10.0.0.1/29 (This is routed to the ASA)

global (outside) 1 interface
global (outside) 2 10.0.0.2
nat (inside) 1 0.0.0.0 0.0.0.0
nat (inside) 2 192.168.0.50 255.255.255.255

static (inside,outside) 10.0.0.2 192.168.0.5 netmask 255.255.255.255

As you can see, there is a default NAT rule to NAT clients to the external IP on their way out. There is also a specific rule to map internal host 192.168.0.50/32 to 10.0.0.2, a different external IP. Finally, there is a static mapping for 10.0.0.2 at the end.

I am trying to enter the following static NAT rule to port-forward on the external IP 10.0.0.1 to internal host 192.168.0.5:

# static (inside,outside) tcp interface 555 192.168.0.5 555 netmask 255.255.255.255
ERROR: duplicate of existing static
  inside:192.168.0.5 to outside:10.0.0.2 netmask 255.255.255.255

I don't understand what's going on here. Can someone explain please?

Best Answer

The static command works both ways: traffic coming in for 10.0.0.2 is translated to 192.168.0.5, and traffic from 192.168.0.5 is translated so that it comes from 10.0.0.2. You cannot map 192.168.0.5 to another address on the outside interface, such as 10.0.0.2.

You can use the nat command with an ACL in order to forward specific ports on specific addresses.

For example, if you want outgoing SMTP traffic from 192.168.0.5 to be seen as coming from 10.0.0.2 (source NAT for outgoing traffic):

access-list outfrom_10.0.0.2 extended permit tcp host 192.168.0.5 any eq smtp
nat (inside) 2 access-list outfrom_10.0.0.2

And then, if you want incoming HTTP traffic to 10.0.0.1 to be forwarded to 192.168.0.5, you can add this:

static (inside,outside) tcp 10.0.0.1 http 192.168.0.5 http netmask 255.255.255.255

(Of course, you have to remove the existing static (inside,outside) 10.0.0.2 192.168.0.5 netmask 255.255.255.255.)
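As an added example (not code from the question or the answer), here is a small Python checker that applies the answer's rule to the two configurations on this page: a whole-address static owns its inside host in both directions, so a later static for that host to a different mapped address is rejected as a duplicate. It assumes ASA 8.2-style syntax with /32 netmasks; the function names and the two sample configurations are constructed for this illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Static:
    real_if: str
    mapped_if: str
    mapped: str                  # outside address, or the literal "interface"
    real: str                    # inside host
    proto: Optional[str] = None  # "tcp"/"udp" for a port static, None for whole-address

def parse_static(line: str) -> Optional[Static]:
    """Parse an ASA 8.2-style /32 static line (prompt prefix allowed); None otherwise."""
    toks = line.strip().lstrip("# ").split()
    if len(toks) < 5 or toks[0] != "static" or "netmask" not in toks:
        return None
    real_if, mapped_if = toks[1].strip("()").split(",")
    body = toks[2:toks.index("netmask")]
    if body[0] in ("tcp", "udp") and len(body) == 5:
        proto, mapped, _, real, _ = body          # ports are not needed for the check
        return Static(real_if, mapped_if, mapped, real, proto)
    if len(body) == 2:
        return Static(real_if, mapped_if, body[0], body[1])
    return None

def check_statics(config: str) -> list[str]:
    """Return one ASA-style error per static whose inside host already has a
    whole-address static to a different mapped address (the rule from the answer)."""
    whole: dict[str, Static] = {}   # inside host -> its whole-address static
    errors = []
    for s in filter(None, map(parse_static, config.splitlines())):
        prior = whole.get(s.real)
        if prior is not None and prior.mapped != s.mapped:
            errors.append(f"duplicate of existing static {prior.real_if}:{prior.real} "
                          f"to {prior.mapped_if}:{prior.mapped} netmask 255.255.255.255")
        elif s.proto is None:
            whole[s.real] = s
    return errors

# Constructed samples: the question's configuration, then the answer's rewrite.
QUESTION_CONFIG = """\
static (inside,outside) 10.0.0.2 192.168.0.5 netmask 255.255.255.255
# static (inside,outside) tcp interface 555 192.168.0.5 555 netmask 255.255.255.255
"""
ANSWER_CONFIG = """\
access-list outfrom_10.0.0.2 extended permit tcp host 192.168.0.5 any eq smtp
nat (inside) 2 access-list outfrom_10.0.0.2
static (inside,outside) tcp 10.0.0.1 http 192.168.0.5 http netmask 255.255.255.255
"""
```

Running check_statics on QUESTION_CONFIG reproduces the error text from the question, while ANSWER_CONFIG (ACL-based source NAT plus a port static, no whole-address static) passes cleanly.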