topic Re: Can Source NAT maps static source to destination port in Cisco ASA in Network Security

Can Source NAT maps static source to destination port in Cisco ASA

ManadarDesai2895 — Wed, 20 Mar 2024 13:49:33 GMT

Hi Community,

We have Source NAT configured on one of our Cisco ASA with given details. Can I achieve static mapping of source & destination port for this? Is it feasible in Cisco ASA?

Private Original IP - 192.168.1.1

Destination IPs - 1.1.1.1 & 2.2.2.2

Traffic from 192.168.1.1 towards 1.1.1.1 & 2.2.2.2 (all services) would get source NATted to 192.168.2.2.

Is it possible to configure static mapping of source ports coming from 1.1.1.1/2.2.2.2 towards destination port of 192.168.1.1.

Re: Can Source NAT maps static source to destination port in Cisco ASA

Rob Ingram — Wed, 20 Mar 2024 14:07:32 GMT

@ManadarDesai2895

Example:-

object network REAL-SRC
host 192.168.1.1
object network TRANSLATED-SRC
host 192.168.2.2
object network REAL-DST-1
host 1.1.1.1
object network REAL-DST-2
host 2.2.2.2

nat (INSIDE,OUTSIDE) source static REAL-SRC TRANSLATED-SRC destination static REAL-DST-1 REAL-DST-1
nat (INSIDE,OUTSIDE) source static REAL-SRC TRANSLATED-SRC destination static REAL-DST-2 REAL-DST-2

Just replace the interface names (if required).

Re: Can Source NAT maps static source to destination port in Cisco ASA

MHM Cisco World — Wed, 20 Mar 2024 14:52:00 GMT

Sure why not

You can include port in your NAT command.

MHM

Re: Can Source NAT maps static source to destination port in Cisco ASA

MHM Cisco World — Wed, 20 Mar 2024 14:53:22 GMT

I Now can run lab
what is
real source IP
mapped source IP
real dest IP
mapped dest IP
real dest port
mapped dest port

MHM

Re: Can Source NAT maps static source to destination port in Cisco ASA

Aref Alsouqi — Wed, 20 Mar 2024 15:48:57 GMT

Why would you want to change the source ports of the traffic coming from 1.1.1.1 and 2.2.2.2? usually we might change the destination ports of the traffic going to the public resource. For example, if you want to change the destination port to something else you can do something similar to this:

object network PUBLIC-1-SERVER
host 1.1.1.1
object network PUBLIC-2-SERVER
host 2.2.2.2
object network PRIVATE-1-SERVER
host 192.168.1.1
object network PRIVATE-2-SERVER
host 192.168.2.2

object service TCP-80
service tcp source eq 80
object service TCP-8081
service tcp source eq 8081
object service TCP-8081
service tcp source eq 8082

nat (inside,outside) source static PRIVATE-1-SERVER PRIVATE-2-SERVER static PUBLIC-1-SERVER PUBLIC-1-SERVER service TCP-80 TCP-8081
nat (inside,outside) source static PRIVATE-1-SERVER PRIVATE-2-SERVER static PUBLIC-2-SERVER PUBLIC-2-SERVER service TCP-80 TCP-8082

I don't believe the ASA would complain about using TCP-80 service on both NAT rules, but please give it a try and see if it works.

What those rules do they would redirect the traffic destined to port 80 to port 8081 when the traffic is coming from 1.1.1.1 and they would change the port to 8082 when the traffic is coming from 2.2.2.2.

Re: Can Source NAT maps static source to destination port in Cisco ASA

ManadarDesai2895 — Thu, 21 Mar 2024 06:27:11 GMT

Hi Aref,

This is my current NAT, I just wanted to know if this NAT would translate the incoming source port(tcp/5060) coming from my service provider to any dynamic source port?

nat (SBC-DMZ,OUTSIDE-TCL) source static TP-SBC-DMZ-IP TCL-SBC-NAT-IP destination static TCL-SIP-PUB-IP TCL-SIP-PUB-IP

object network TP-SBC-DMZ-IP
host 192.168.1.1

object network TCL-SBC-NAT-IP
host 192.168.2.2

object network TCL-SIP-PUB-IP
host 1.1.1.1

Re: Can Source NAT maps static source to destination port in Cisco ASA

ManadarDesai2895 — Thu, 21 Mar 2024 06:27:40 GMT

Hi Rob,

This is my current NAT, I just wanted to know if this NAT would translate the incoming source port(tcp/5060) coming from my service provider to any dynamic source port?

nat (SBC-DMZ,OUTSIDE-TCL) source static TP-SBC-DMZ-IP TCL-SBC-NAT-IP destination static TCL-SIP-PUB-IP TCL-SIP-PUB-IP

object network TP-SBC-DMZ-IP
host 192.168.1.1

object network TCL-SBC-NAT-IP
host 192.168.2.2

object network TCL-SIP-PUB-IP
host 1.1.1.1

Re: Can Source NAT maps static source to destination port in Cisco ASA

ManadarDesai2895 — Thu, 21 Mar 2024 06:28:00 GMT

Hi MHM,

This is my current NAT, I just wanted to know if this NAT would translate the incoming source port(tcp/5060) coming from my service provider to any dynamic source port?

nat (SBC-DMZ,OUTSIDE-TCL) source static TP-SBC-DMZ-IP TCL-SBC-NAT-IP destination static TCL-SIP-PUB-IP TCL-SIP-PUB-IP

object network TP-SBC-DMZ-IP
host 192.168.1.1

object network TCL-SBC-NAT-IP
host 192.168.2.2

object network TCL-SIP-PUB-IP
host 1.1.1.1

Re: Can Source NAT maps static source to destination port in Cisco ASA

Aref Alsouqi — Thu, 21 Mar 2024 13:47:13 GMT

The above NAT config does not do anything with the ports, it just translates the TP-SBC-DMZ-IP to TCL-SBC-NAT-IP when the traffic is going to/coming from TLC-SIP-PUB-IP over the interfaces SBC-DMZ and OUTSIDE-TCL.

Re: Can Source NAT maps static source to destination port in Cisco ASA

MHM Cisco World — Thu, 21 Mar 2024 14:26:07 GMT

the IP I think you get how you can NAT it static or dynamic
for port in service object you can specify if Port is source or destination then you can add service objects to NAT.

MHM

Re: Can Source NAT maps static source to destination port in Cisco ASA

ckinard — Mon, 16 Sep 2024 17:09:15 GMT

I have a similar requirement. In my case, ATT Fiber gateway blocks NTP port 123 (source only ---> Internet). I want to map the source port to 1024 for the NTP service on inside interface going to Internet (inbound on inside interface), and re-map reply destination (1024 back to 123) for outbound on inside interface to my local network NTP source.
Thanks in Advance any and all
Calvin

Re: Can Source NAT maps static source to destination port in Cisco ASA

MHM Cisco World — Mon, 16 Sep 2024 17:17:04 GMT

Make new post if yoh can

MHM