topic Hi Bellaichef, Your original in Network Security

How to create several service translation for the same host (Static PAT) in Software 8.4+

bellaichef — Tue, 12 Mar 2019 05:22:16 GMT

Hi,

I just got a 5520 in 9.0.4, before I was using 8.2.1 on these machines.

So I noted some changes between these 2 releases.

Regarding the static PAT I'm a little bit blocked.

In 8.2.1 was easily able to publish serveral services for the same host using static PAT this way:

static (inside,outside) tcp 209.165.201.3 ftp 10.1.2.27 ftp netmask 255.255.255.255

static (inside,outside) tcp 209.165.201.3 http 10.1.2.27 http netmask 255.255.255.255

It's in 8.4.+ it changed to this:

object network MyServer

 host 10.1.2.27

 nat (inside,outside) static 209.165.201.3 service ftp ftp

My problem is when I add the following line:

nat (inside,outside) static 209.165.201.3 service http http

It does not add to the previous one, it replace it.

How I could publish several services for the same server? Don't tell me that I have to create a network object for each service, it can't be so annoying.

Many thx by advance for your answer.

Hello bellaichef,

David Garneau — Tue, 20 Jan 2015 21:09:11 GMT

Hello bellaichef,

I think you will find that your problem is that you are trying to define multiple NAT statements within the object definition. The only NAT statements that should occur within object definition mode are auto-NAT, and each object is limited to one auto-NAT statement. This is why your second NAT is overwriting the first.

You should instead use manual NAT for this.

object network MyServer
 host 10.1.2.27

object network MyServer-Public
 host 209.165.201.3

Then use manual NAT from global config mode:

nat (inside,outside) source static MyServer MyServer-Public service tcp ftp ftp

nat (inside,outside) source static MyServer MyServer-Public service tcp http http

Hi David, Thank you for your

bellaichef — Wed, 21 Jan 2015 08:05:36 GMT

Hi David,

Thank you for your answer. Unfortunatelly it won't do the trick for me because the service works with objects this way and can't be directly the TCP port translation.

So I don't understand how using object method, the firewall could know that 3390 should be forwarded to 3389 and 8443 to 443 for instance.

Are you sure that your method exist on your Firewall? May be it's a software limitation on mine? I'm using a 5520 on 9.0.4 in multiple context mode.

Thank you by advance for your answers.

Franck

Hi Bellaichef, Your original

David Garneau — Wed, 21 Jan 2015 13:23:37 GMT

Hi Franck,

Your original note did not mention that you were wanting to forward to different ports on the inside, so I did not address this in my answer. However, it can be done.

In order to do port forwarding, you must define the port translation in the NAT command as well. So, instead of ending with "service tcp ftp ftp" for instance, you might have a command that ends with "service tcp PORT3389 PORT3390" assuming you had defined such service objects in your configuration.

For example, you could use manual NAT:

object service PORT3389

service tcp destination eq 3389

object service PORT3390

service tcp destination eq 3390

object network RDP-SERVER-PUB

host 209.165.201.3

object network RDP-SERVER

host 10.1.2.27

(exit to global config mode and enter following manual NAT)

nat (inside,outside) source static RDP-SERVER RDP-SERVER-PUB service PORT3389 PORT3390

And yes, I'm quite certain this method exists on ASA firewalls.