topic port-forwarding using manual nat (not auto-nat) not working in Network Security

port-forwarding using manual nat (not auto-nat) not working

abcdrohan — Tue, 12 Mar 2019 01:50:19 GMT

I am running 8.6(1)2 on my ASA

It's a lab environment and I am trying to figure out how to do port-forwarding using manual nat

For e.g. I tried following but none of them work (Only one of the following was activated on the FW at a time)

nat (outside,inside) source static any any destination static h-3.3.3.3 local_ip service tcp-www tcp-8080

nat (outside,inside) source static h-3.3.3.3 6.3.3.6 service tcp-www tcp-8080

nat (inside,outside) source static local_ip h-3.3.3.3 destination static any any service 8080 80

Have anyone one of you been able to do port forwarding using manual nat on post 8.2?

Thanks!

port-forwarding using manual nat (not auto-nat) not working

Jouni Forss — Tue, 28 May 2013 20:38:10 GMT

Hi,

A very basic Static PAT / Port Forward on the new software could be something like this (though I personally use Network Object NAT for this)

object network HOST-REAL

host 10.10.10.10

object network HOST-MAPPED

host 1.1.1.1

object service RDP

service tcp source eq 3389

nat (inside,outside) source static HOST-REAL HOST-MAPPED service RDP RDP

access-list OUTSIDE-IN permit any object HOST-REAL eq 3389

access-group OUTSIDE-IN in interface outside

That should pretty much be it.

Naturally there is always a change that some existing other NAT configuration overrides this NAT configuration and traffic will therefore never get matched against this Static PAT configuration

Naturally you can confirm which NAT rule is hit with the "packet-tracer" command.

For example considering my above Static PAT configuration I could try this

packet-tracer input outside tcp 1.2.3.4 12345 1.1.1.1 3389

Hope this helps

Remember to mark the reply as the correct answer if it answered your question. Or ask more

Also I made a NAT 8.3+ document earlier here on the forums if you want to take a look. Though at the moment it only gives examples of some very basic NAT setups

https://supportforums.cisco.com/docs/DOC-31116

- Jouni

port-forwarding using manual nat (not auto-nat) not working

abcdrohan — Tue, 28 May 2013 20:59:52 GMT

I actually figured it out

What I was doing was that I had created tcp-8080 with

service tcp source eq 8080

while the predifned tcp-www is of type

service tcp destination eq www

I had to change

tcp-8080 to

service tcp destination eq 8080 and got it working using

nat (outside,inside) source static any any destination static 6.3.3.6 local_ip service tcp-8080 tcp-www

Thanks!

port-forwarding using manual nat (not auto-nat) not working

Jouni Forss — Tue, 28 May 2013 21:03:26 GMT

Hi,

I would still not configure in such a way.

I tend to avoid using the "any" keyword in the NAT configurations unless its used to define source addresses for the default Dynamic PAT rule.

You seem to have flipped the NAT rules the other way around also.

You are using the "outside" as the source and "inside" as the destination.

- Jouni