https://community.cisco.com/t5/network-security/asa-nat-with-port-translation/m-p/3693584#M12778 <P>Thank you for your reply. I would like to explain further of my problem. I did apply a acl but there had an unexpected situation.&nbsp; I want any IP address from outside2 with prot80 translated to 10.0.0.1:81 only. But for my NAT setting, IP address with any port number (443, 22, 23....) will translate to port 81 too. Here is my NAT configuration.</P> <P>&nbsp;</P> <P>object network cisco <BR />host 10.0.0.1</P> <P>&nbsp;</P> <P>object service TCP_81<BR /> service tcp destination eq 81<BR /> <BR />object service TCP_80<BR /> service tcp destination eq 80</P> <P>&nbsp;</P> <P>object service TCP_2010<BR /> service tcp destination eq 2010</P> <P><BR />object service TCP_2020<BR /> service tcp destination eq 2020</P> <P><BR />object-group service NAT_ACL<BR /> service-object object TCP_2010 <BR /> service-object object TCP_2020 <BR /> service-object tcp destination eq https <BR /> service-object tcp destination eq 81</P> <P>&nbsp;</P> <P>access-list Outside2_access_in extended permit object-group NAT_ACL any4 object cisco log <BR /> <BR />access-group Outside2_access_in in interface Outside2</P> <P>&nbsp;</P> <P>nat (Outside2,DMZ) source static any any destination static cisco cisco service TCP_80 TCP_81</P> Thu, 23 Aug 2018 09:20:29 GMT raymand.hau 2018-08-23T09:20:29Z https://community.cisco.com/t5/network-security/asa-nat-with-port-translation/m-p/3691853#M12770 <P style="margin: 0in; margin-bottom: .0001pt;"><SPAN style="font-size: 9.0pt; font-family: 'Helvetica','sans-serif'; color: #58585b;">Hi all, I have tried to created a NAT that any ip address from outside2&nbsp;with port number 80 translate to DMZ 10.0.0.1:81. This is a part of my configuration. I would like to know the behaviour of NAT with port translation. If a ip address x.x.x.x:443 come from outside 2 then it will not translate to 10.0.0.1:81 and drop the traffic, right? Thanks</SPAN></P> <P style="margin: 0in; margin-bottom: .0001pt; box-sizing: border-box; font-variant-ligatures: normal; font-variant-caps: normal; orphans: 2; text-align: start; widows: 2; -webkit-text-stroke-width: 0px; text-decoration-style: initial; text-decoration-color: initial; word-spacing: 0px;"><SPAN style="font-size: 9.0pt; font-family: 'Helvetica','sans-serif'; color: #58585b;">&nbsp;</SPAN></P> <P style="margin: 0in; margin-bottom: .0001pt; box-sizing: border-box; font-variant-ligatures: normal; font-variant-caps: normal; orphans: 2; text-align: start; widows: 2; -webkit-text-stroke-width: 0px; text-decoration-style: initial; text-decoration-color: initial; word-spacing: 0px;"><STRONG style="box-sizing: border-box;"><SPAN style="font-size: 9.0pt; font-family: 'Helvetica','sans-serif'; color: #58585b;">object network cisco&nbsp;</SPAN></STRONG><SPAN style="font-size: 9.0pt; font-family: 'Helvetica','sans-serif'; color: #58585b;"><BR style="box-sizing: border-box;" /> <STRONG style="box-sizing: border-box;"><SPAN style="font-family: 'Helvetica','sans-serif';">host 10.0.0.1</SPAN></STRONG></SPAN></P> <P style="margin: 0in; margin-bottom: .0001pt; box-sizing: border-box; font-variant-ligatures: normal; font-variant-caps: normal; orphans: 2; text-align: start; widows: 2; -webkit-text-stroke-width: 0px; text-decoration-style: initial; text-decoration-color: initial; word-spacing: 0px;"><SPAN style="font-size: 9.0pt; font-family: 'Helvetica','sans-serif'; color: #58585b;">&nbsp;</SPAN></P> <P style="margin: 0in; margin-bottom: .0001pt; box-sizing: border-box; font-variant-ligatures: normal; font-variant-caps: normal; orphans: 2; text-align: start; widows: 2; -webkit-text-stroke-width: 0px; text-decoration-style: initial; text-decoration-color: initial; word-spacing: 0px;"><STRONG style="box-sizing: border-box;"><SPAN style="font-size: 9.0pt; font-family: 'Helvetica','sans-serif'; color: #58585b;">nat (Outside2,DMZ) source static any any destination static cisco cisco service TCP_80 TCP_81</SPAN></STRONG></P> Fri, 21 Feb 2020 16:07:52 GMT https://community.cisco.com/t5/network-security/asa-nat-with-port-translation/m-p/3691853#M12770 raymand.hau 2020-02-21T16:07:52Z https://community.cisco.com/t5/network-security/asa-nat-with-port-translation/m-p/3691874#M12773 <P>a port forward/NAT needs to be accompanied with an access list, so if you port forward tcp/80&nbsp; the your acl will need to allow port 80 to the real IP address,&nbsp; if that does not include port 443, then yes it will get dropped.</P> Tue, 21 Aug 2018 04:37:49 GMT https://community.cisco.com/t5/network-security/asa-nat-with-port-translation/m-p/3691874#M12773 Dennis Mink 2018-08-21T04:37:49Z https://community.cisco.com/t5/network-security/asa-nat-with-port-translation/m-p/3693584#M12778 <P>Thank you for your reply. I would like to explain further of my problem. I did apply a acl but there had an unexpected situation.&nbsp; I want any IP address from outside2 with prot80 translated to 10.0.0.1:81 only. But for my NAT setting, IP address with any port number (443, 22, 23....) will translate to port 81 too. Here is my NAT configuration.</P> <P>&nbsp;</P> <P>object network cisco <BR />host 10.0.0.1</P> <P>&nbsp;</P> <P>object service TCP_81<BR /> service tcp destination eq 81<BR /> <BR />object service TCP_80<BR /> service tcp destination eq 80</P> <P>&nbsp;</P> <P>object service TCP_2010<BR /> service tcp destination eq 2010</P> <P><BR />object service TCP_2020<BR /> service tcp destination eq 2020</P> <P><BR />object-group service NAT_ACL<BR /> service-object object TCP_2010 <BR /> service-object object TCP_2020 <BR /> service-object tcp destination eq https <BR /> service-object tcp destination eq 81</P> <P>&nbsp;</P> <P>access-list Outside2_access_in extended permit object-group NAT_ACL any4 object cisco log <BR /> <BR />access-group Outside2_access_in in interface Outside2</P> <P>&nbsp;</P> <P>nat (Outside2,DMZ) source static any any destination static cisco cisco service TCP_80 TCP_81</P> Thu, 23 Aug 2018 09:20:29 GMT https://community.cisco.com/t5/network-security/asa-nat-with-port-translation/m-p/3693584#M12778 raymand.hau 2018-08-23T09:20:29Z