How to NAT/Change destination IP and Port

mo shea — Tue, 12 Mar 2019 07:53:13 GMT

Hello,

I have a scenario where a Server A (IP x.x.x.x) on the outside interface of ASA (5525x IOS 9.6) is configured to send TCP and UDP traffic to Server B (IP y.y.y.y) on the inside. Using static routes I am able to successfully test connectivity between Servers A and B (no static NAT for server B currently)

I want (but not sure how) to achieve the following,

- Intercept the incoming TCP / UDP stream from Server A

- change (or NAT) the source IP x.x.x.x of Server A to an IP (a.a.a.a) in the same subnet as the ASA's inside subnet

- Manipulate the original packet destination address. I want the TCP stream to retain the destination as Server B (y.y.y.y) but send UDP traffic to a Server C (c.c.c.c) on the inside

So at the end I would expect Server B to receive TCP traffic from source IP a.a.a.a and Server C to receive UDP traffice from source a.a.a.a

I was reading about Twice NAT but could not grasp the concept properly.

All help is appreciated

Regards,

Moe Shea

Hi

Francesco Molino — Tue, 14 Jun 2016 22:45:33 GMT

Based on your input/requirements, below nat commands and object groups. I keep same name as your example:(IP are ones used on my lab)

object network SERVER-C
host 172.16.0.3
object service TCP
service tcp
object service UDP
service udp
object network SERVER-A
host 11.0.0.1
object network IP-NAT-INTERNAL
host 172.16.0.5
object network SERVER-B
host 172.16.0.2
!
nat (outside,inside) source static SERVER-A IP-NAT-INTERNAL destination static SERVER-B SERVER-B service TCP TCP
nat (outside,inside) source static SERVER-A IP-NAT-INTERNAL destination static SERVER-B SERVER-C service UDP UDP
!

Below some output of TCP connection from SERVER-A going to SERVER-B:

*Jun 14 18:08:20.481: IP: s=172.16.0.5 (GigabitEthernet0/1), d=172.16.0.2, len 44, input feature
*Jun 14 18:08:20.483: TCP src=33705, dst=23, seq=3896161050, ack=0, win=4128 SYN, MCI Check(109), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Jun 14 18:08:20.486: FIBipv4-packet-proc: route packet from GigabitEthernet0/1 src 172.16.0.5 dst 172.16.0.2
*Jun 14 18:08:20.486: FIBfwd-proc: Default:172.16.0.2/32 receive entry
*Jun 14 18:08:20.489: FIBipv4-packet-proc: packet routing failed
*Jun 14 18:08:20.489: IP: tableid=0, s=172.16.0.5 (GigabitEthernet0/1), d=172.16.0.2 (GigabitEthernet0/1), routed via RIB
*Jun 14 18:08:20.491: IP: s=172.16.0.5 (GigabitEthernet0/1), d=172.16.0.2 (GigabitEthernet0/1), len 44, rcvd 3
*Jun 14 18:08:20.491: TCP src=33705, dst=23, seq=3896161050, ack=0, win=4128 SYN
*Jun 14 18:08:20.493: IP: s=172.16.0.5 (GigabitEthernet0/1), d=172.16.0.2, len 44, stop process pak for forus packet
*Jun 14 18:08:20.493: TCP src=33705, dst=23, seq=3896161050, ack=0, win=4128 SYN
*Jun 14 18:08:20.502: FIBipv4-packet-proc: route packet from (local) src 172.16.0.2 dst 172.16.0.5
*Jun 14 18:08:20.502: FIBfwd-proc: packet routed by adj to GigabitEthernet0/1 172.16.0.5
*Jun 14 18:08:20.502: FIBipv4-packet-proc: packet routing succeeded
*Jun 14 18:08:20.503: IP: s=172.16.0.2 (local), d=172.16.0.5 (GigabitEthernet0/1), len 44, sending
*Jun 14 18:08:20.503: TCP src=23, dst=33705, seq=943713372, ack=3896161051, win=4128 ACK SYN
*Jun 14 18:08:20.505: IP: s=172.16.0.2 (local), d=172.16.0.5 (GigabitEthernet0/1), len 44, sending full packet
*Jun 14 18:08:20.506: TCP src=23, dst=33705, seq=943713372, ack=3896161051, win=4128 ACK SYN
*Jun 14 18:08:20.519: IP: s=172.16.0.5 (GigabitEthernet0/1), d=172.16.0.2, len 40, input feature
*Jun 14 18:08:20.521: TCP src=33705, dst=23, seq=3896161051, ack=943713373, win=4128 ACK, MCI Check(109), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

Below some output of UDP connection from SERVER-A going to SERVER-B but forwarded on SERVER-C:

*Jun 14 18:13:17.663: FIBfwd-proc: sending link IP ip_pak_table 0 ip_nh_table 65535 if GigabitEthernet0/1 nh none uhp 1 deag 0 chgif 0 ttlexp 0 rec 0
*Jun 14 18:13:17.663: IP: s=172.16.0.3 (local), d=172.16.0.5 (GigabitEthernet0/1), len 56, sending
*Jun 14 18:13:17.665: ICMP type=3, code=3
*Jun 14 18:13:17.667: IP: s=172.16.0.3 (local), d=172.16.0.5 (GigabitEthernet0/1), len 56, encapsulation failed
*Jun 14 18:13:17.668: ICMP type=3, code=3
*Jun 14 18:13:17.669: IP: s=172.16.0.5 (GigabitEthernet0/1), d=172.16.0.3, len 28, input feature
*Jun 14 18:13:17.670: UDP src=49172, dst=33434, packet consumed, MCI Check(109), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Jun 14 18:13:20.244: IP: s=172.16.0.5 (GigabitEthernet0/1), d=172.16.0.3, len 28, rcvd 0
*Jun 14 18:13:20.244: UDP src=49173, dst=33435
*Jun 14 18:13:20.245: FIBipv4-packet-proc: route packet from GigabitEthernet0/1 src 172.16.0.5 dst 172.16.0.3
*Jun 14 18:13:20.245: FIBfwd-proc: Default:172.16.0.3/32 receive entry
*Jun 14 18:13:20.247: FIBipv4-packet-proc: packet routing failed
*Jun 14 18:13:20.248: IP: tableid=0, s=172.16.0.5 (GigabitEthernet0/1), d=172.16.0.3 (GigabitEthernet0/1), routed via RIB
*Jun 14 18:13:20.248: FIBipv4-packet-proc: route packet from (local) src 172.16.0.3 dst 172.16.0.5
*Jun 14 18:13:20.249: FIBfwd-proc: packet routed by adj to GigabitEthernet0/1 172.16.0.5
*Jun 14 18:13:20.250: FIBipv4-packet-proc: packet routing succeeded
*Jun 14 18:13:20.250: IP: s=172.16.0.3 (local), d=172.16.0.5 (GigabitEthernet0/1), len 56, sending
*Jun 14 18:13:20.251: ICMP type=3, code=3
*Jun 14 18:13:20.252: IP: s=172.16.0.3 (local), d=172.16.0.5 (GigabitEthernet0/1), len 56, sending full packet
*Jun 14 18:13:20.253: ICMP type=3, code=3
*Jun 14 18:13:20.255: IP: s=172.16.0.5 (GigabitEthernet0/1), d=172.16.0.3, len 28, input feature
*Jun 14 18:13:20.256: UDP src=49173, dst=33435, packet consumed, MCI Check(109), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

Hope this help.

PS: don't forget to rate and mark as correct answer if this solves your issue.

Thanks

Thanks a lot for your

mo shea — Wed, 15 Jun 2016 05:24:03 GMT

Thanks a lot for your feedback, appreciate your input. I will try it in our network and post an update.

Thanks again

topic Thanks a lot for your in Network Security

How to NAT/Change destination IP and Port

Hi

Thanks a lot for your