I'm having trouble creating a hairpin NAT on an ASA running 9.12(2).
First of all, I have this configured for internet access:
object network INSIDE-SUBNET
 nat (INSIDE,OUTSIDE) dynamic interface
Secondly, I have NAT statements like this for a few internet-accessible services on different public IPs:
object network OBJ-FTP-SERVER
 nat (INSIDE,OUTSIDE) static 123.123.123.123 service tcp ftp ftp
access-list OUTSIDE-IN extended permit tcp any object FTP eq ftp
But when I try to add a hairpin like this, I get an error saying "Unable to reserve ports":
nat (inside,inside) source dynamic INSIDE-SUBNET interface destination static OBJ-123.123.123.123 OBJ-FTP-SERVER service OBJ-SERVICE-21 OBJ-SERVICE-21
The service object looks like this:
object service OBJ-SERVICE-21
 service tcp destination eq ftp
Does anyone know what I'm missing here? This very configuration has worked fine for the last 2-3 years.