https://community.cisco.com/t5/network-security/static-port-address-translation-8-4/m-p/1869170#M490149 <HTML><HEAD></HEAD><BODY><P>yes correct ,</P><P></P><P>But when these server initiate a connection by what IP they will go out.??/</P><P></P><P>Tx</P></BODY></HTML> Sat, 24 Dec 2011 19:21:11 GMT estelamathew 2011-12-24T19:21:11Z https://community.cisco.com/t5/network-security/static-port-address-translation-8-4/m-p/1869166#M490145 <P>Hello Experts,</P><P></P><P>Is the static Port Address Translation is bidirectional in 8.4 ???</P><P></P><P>I have configured static port address translation for the 2 server with same Public IP for the port 80 and 23. The strange thing is when they initiate a connection to the outside world they are allowed access to the internet as they are not included in the Dynamic Port address translation pool.</P><P>object network inside network.</P><P>subnet 192.168.10.0 255.255.255.0</P><P></P><P></P><P></P><P>Can anybody help me.</P><P></P><P>Thanks</P> Mon, 11 Mar 2019 22:06:23 GMT https://community.cisco.com/t5/network-security/static-port-address-translation-8-4/m-p/1869166#M490145 estelamathew 2019-03-11T22:06:23Z https://community.cisco.com/t5/network-security/static-port-address-translation-8-4/m-p/1869167#M490146 <HTML><HEAD></HEAD><BODY><P> Please post your configuration.</P></BODY></HTML> Sat, 24 Dec 2011 16:16:49 GMT https://community.cisco.com/t5/network-security/static-port-address-translation-8-4/m-p/1869167#M490146 ajay chauhan 2011-12-24T16:16:49Z https://community.cisco.com/t5/network-security/static-port-address-translation-8-4/m-p/1869168#M490147 <HTML><HEAD></HEAD><BODY><P>ciscoasa(config-network-object)# sh running-config </P><P>: Saved</P><P>:</P><P>ASA Version 8.4(2) </P><P>!</P><P>hostname ciscoasa</P><P>enable password 8Ry2YjIyt7RRXU24 encrypted</P><P>passwd 2KFQnbNIdI.2KYOU encrypted</P><P>names</P><P>!</P><P>interface Ethernet0/0</P><P> nameif outside</P><P> security-level 0</P><P> ip address 192.168.20.1 255.255.255.0 </P><P>!</P><P>interface Ethernet0/1</P><P> nameif inside</P><P> security-level 100</P><P> ip address 192.168.10.1 255.255.255.0 </P><P>!</P><P>interface Ethernet0/2</P><P> shutdown</P><P> no nameif</P><P> no security-level</P><P> no ip address</P><P>!</P><P>interface Ethernet0/3</P><P> shutdown</P><P> no nameif</P><P> no security-level</P><P> no ip address</P><P>!</P><P>interface Management0/0</P><P> nameif management</P><P> security-level 100</P><P> ip address 192.168.1.1 255.255.255.0 </P><P> management-only</P><P>!</P><P>ftp mode passive</P><P>object network all</P><P> subnet 192.168.10.0 255.255.255.0</P><P>object network static</P><P> host 2.2.2.2</P><P>object network PAT</P><P> host 10.10.10.1</P><P></P><P>access-list outside extended permit tcp any host 2.2.2.2 eq telnet </P><P>access-list outside extended permit tcp any host 10.10.10.1 eq www </P><P></P><P>pager lines 24</P><P>logging enable</P><P>logging buffered notifications</P><P>logging asdm informational</P><P>mtu outside 1500</P><P>mtu inside 1500</P><P>mtu management 1500</P><P>no failover&nbsp;&nbsp; </P><P>icmp unreachable rate-limit 1 burst-size 1</P><P>no asdm history enable</P><P>arp timeout 14400</P><P>!&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P><P>object network all</P><P> nat (inside,outside) dynamic 192.168.20.5</P><P>object network static</P><P> nat (inside,outside) static 3.3.3.3 service tcp telnet telnet </P><P>object network PAT</P><P> nat (inside,outside) static 3.3.3.3 service tcp 8080 www </P><P>access-group outside in interface outside</P><P>route outside 0.0.0.0 0.0.0.0 192.168.20.2 1</P><P>route inside 2.2.2.0 255.255.255.0 192.168.10.2</P><P>route inside 10.10.10.0 255.255.255.0 192.168.10.2</P></BODY></HTML> Sat, 24 Dec 2011 19:00:14 GMT https://community.cisco.com/t5/network-security/static-port-address-translation-8-4/m-p/1869168#M490147 estelamathew 2011-12-24T19:00:14Z https://community.cisco.com/t5/network-security/static-port-address-translation-8-4/m-p/1869169#M490148 <HTML><HEAD></HEAD><BODY><P>Hello Estela,</P><P></P><P>You are doing port-forwarding, this kind of nat is just for inbound connections.</P><P></P><P>Static will always be bi-directional, port-forwarding will be for communications innitiated on the lower security level interface. </P><P></P><P>Regards,</P><P></P><P>Julio</P></BODY></HTML> Sat, 24 Dec 2011 19:13:10 GMT https://community.cisco.com/t5/network-security/static-port-address-translation-8-4/m-p/1869169#M490148 Julio Carvajal 2011-12-24T19:13:10Z https://community.cisco.com/t5/network-security/static-port-address-translation-8-4/m-p/1869170#M490149 <HTML><HEAD></HEAD><BODY><P>yes correct ,</P><P></P><P>But when these server initiate a connection by what IP they will go out.??/</P><P></P><P>Tx</P></BODY></HTML> Sat, 24 Dec 2011 19:21:11 GMT https://community.cisco.com/t5/network-security/static-port-address-translation-8-4/m-p/1869170#M490149 estelamathew 2011-12-24T19:21:11Z https://community.cisco.com/t5/network-security/static-port-address-translation-8-4/m-p/1869171#M490150 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>Will use the PAT ip address : 192.168.20.5</P><P></P><P>Regards,</P><P></P><P>Do rate helpful posts</P><P></P><P>Julio</P></BODY></HTML> Sat, 24 Dec 2011 19:37:33 GMT https://community.cisco.com/t5/network-security/static-port-address-translation-8-4/m-p/1869171#M490150 Julio Carvajal 2011-12-24T19:37:33Z https://community.cisco.com/t5/network-security/static-port-address-translation-8-4/m-p/1869172#M490151 <HTML><HEAD></HEAD><BODY><P>yes,</P><P></P><P>This is my concern, this is what not happening just see the logs below. I just initiate a connection from these servers and it is successful though their addresses are not included in PAT pool, still they are going out, how come??????????????</P><P></P><P>ciscoasa(config)# sh conn</P><P>1 in use, 10 most used</P><P>TCP outside 1.1.1.1:23 inside 10.10.10.1:14811, idle 0:00:12, bytes 149, flags UIO</P><P></P><P></P><P>ciscoasa(config)# sh xlate </P><P>2 in use, 4 most used</P><P>Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice</P><P>TCP PAT from inside:2.2.2.2 23-23 to outside:3.3.3.3 23-23</P><P>&nbsp;&nbsp;&nbsp; flags sr idle 0:41:35 timeout 0:00:00</P><P>TCP PAT from inside:10.10.10.1 8080-8080 to outside:3.3.3.3 80-80</P><P>&nbsp;&nbsp;&nbsp; flags sr idle 0:02:29 timeout 0:00:00</P><P></P><P></P><P></P><P>ciscoasa(config)# sh local-host </P><P>Interface management: 0 active, 0 maximum active, 0 denied</P><P>Interface inside: 1 active, 2 maximum active, 0 denied</P><P>local host: &lt;10.10.10.1&gt;,</P><P>&nbsp;&nbsp;&nbsp; TCP flow count/limit = 1/unlimited</P><P>&nbsp;&nbsp;&nbsp; TCP embryonic count to host = 0</P><P>&nbsp;&nbsp;&nbsp; TCP intercept watermark = unlimited</P><P>&nbsp;&nbsp;&nbsp; UDP flow count/limit = 0/unlimited</P><P></P><P>&nbsp; Conn:</P><P>&nbsp;&nbsp;&nbsp; TCP outside 1.1.1.1:23 inside 10.10.10.1:14811, idle 0:01:01, bytes 149, flags UIO</P><P>Interface outside: 1 active, 5 maximum active, 0 denied</P><P>local host: &lt;1.1.1.1&gt;,</P><P>&nbsp;&nbsp;&nbsp; TCP flow count/limit = 1/unlimited</P><P>&nbsp;&nbsp;&nbsp; TCP embryonic count to host = 0</P><P>&nbsp;&nbsp;&nbsp; TCP intercept watermark = unlimited</P><P>&nbsp;&nbsp;&nbsp; UDP flow count/limit = 0/unlimited</P><P></P><P>&nbsp; Conn:</P><P>&nbsp;&nbsp;&nbsp; TCP outside 1.1.1.1:23 inside 10.10.10.1:14811, idle 0:01:01, bytes 149, flags UIO</P><P></P><P>Tx</P></BODY></HTML> Sat, 24 Dec 2011 19:47:52 GMT https://community.cisco.com/t5/network-security/static-port-address-translation-8-4/m-p/1869172#M490151 estelamathew 2011-12-24T19:47:52Z https://community.cisco.com/t5/network-security/static-port-address-translation-8-4/m-p/1869173#M490152 <HTML><HEAD></HEAD><BODY><P>Hello Estela,</P><P></P><P>I see what you are saying,</P><P></P><P>Can you provide the following packet-tracer</P><P></P><P>packet-tracer input inside tcp 192.168.10.5 1025 4.2.2.2 80</P><P></P><P>Regards,</P><P></P><P>Do please rate helpful posts</P><P></P><P>Julio</P></BODY></HTML> Sat, 24 Dec 2011 20:18:58 GMT https://community.cisco.com/t5/network-security/static-port-address-translation-8-4/m-p/1869173#M490152 Julio Carvajal 2011-12-24T20:18:58Z https://community.cisco.com/t5/network-security/static-port-address-translation-8-4/m-p/1869174#M490153 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>U need the captured packets, from inside to outside, if i m not wrong.</P><P></P><P>I did'nt understood the below line, i dont have the following IP's in my network, i hope it is an example.</P><P>packet-tracer input inside tcp 192.168.10.5 1025 4.2.2.2 80</P><P></P><P>Tx</P></BODY></HTML> Sat, 24 Dec 2011 20:24:07 GMT https://community.cisco.com/t5/network-security/static-port-address-translation-8-4/m-p/1869174#M490153 estelamathew 2011-12-24T20:24:07Z https://community.cisco.com/t5/network-security/static-port-address-translation-8-4/m-p/1869175#M490154 <HTML><HEAD></HEAD><BODY><P>Hello Stela,</P><P></P><P>This will show us all the nat rules, acl, routes that the traffic for that host is hitting, of course is an example. you can use any host on that network.</P><P></P><P>Regards,</P><P></P><P></P><P>Julio</P></BODY></HTML> Sat, 24 Dec 2011 20:37:41 GMT https://community.cisco.com/t5/network-security/static-port-address-translation-8-4/m-p/1869175#M490154 Julio Carvajal 2011-12-24T20:37:41Z https://community.cisco.com/t5/network-security/static-port-address-translation-8-4/m-p/1869176#M490155 <HTML><HEAD></HEAD><BODY><P>Hello Dears</P><P></P><P>Packet tracer for the Static port redirection server IP's.</P><P></P><P>ciscoasa(config)# sh conn </P><P>1 in use, 1 most used</P><P>TCP outside 1.1.1.1:23 inside 2.2.2.2:28826, idle 0:00:09, bytes 149, flags UIO</P><P></P><P>ciscoasa(config)# sh xlate</P><P>2 in use, 3 most used</P><P>Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice</P><P>TCP PAT from inside:2.2.2.2 23-23 to outside:3.3.3.3 23-23</P><P>&nbsp;&nbsp;&nbsp; flags sr idle 2:11:34 timeout 0:00:00</P><P>TCP PAT from inside:10.10.10.1 8080-8080 to outside:3.3.3.3 80-80</P><P>&nbsp;&nbsp;&nbsp; flags sr idle 2:11:34 timeout 0:00:00</P><P></P><P>ciscoasa(config)# sh local-host </P><P>Interface management: 0 active, 0 maximum active, 0 denied</P><P>Interface inside: 1 active, 2 maximum active, 0 denied</P><P>local host: &lt;2.2.2.2&gt;,</P><P>&nbsp;&nbsp;&nbsp; TCP flow count/limit = 1/unlimited</P><P>&nbsp;&nbsp;&nbsp; TCP embryonic count to host = 0</P><P>&nbsp;&nbsp;&nbsp; TCP intercept watermark = unlimited</P><P>&nbsp;&nbsp;&nbsp; UDP flow count/limit = 0/unlimited</P><P></P><P>&nbsp; Conn:</P><P>&nbsp;&nbsp;&nbsp; TCP outside 1.1.1.1:23 inside 2.2.2.2:28826, idle 0:00:21, bytes 149, flags UIO</P><P>Interface outside: 1 active, 1 maximum active, 0 denied</P><P>local host: &lt;1.1.1.1&gt;,</P><P>&nbsp;&nbsp;&nbsp; TCP flow count/limit = 1/unlimited</P><P>&nbsp;&nbsp;&nbsp; TCP embryonic count to host = 0</P><P>&nbsp;&nbsp;&nbsp; TCP intercept watermark = unlimited</P><P>&nbsp;&nbsp;&nbsp; UDP flow count/limit = 0/unlimited</P><P></P><P>&nbsp; Conn:</P><P>&nbsp;&nbsp;&nbsp; TCP outside 1.1.1.1:23 inside 2.2.2.2:28826, idle 0:00:21, bytes 149, flags UIO</P><P></P><P></P><P>ciscoasa(config)# packet-tracer input inside tcp 2.2.2.2 28826 1.1.1.1 23&nbsp;&nbsp;&nbsp;&nbsp; </P><P></P><P>Phase: 1</P><P>Type: FLOW-LOOKUP</P><P>Subtype: </P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P>Found flow with id 15, using existing flow</P><P></P><P>Result:</P><P>input-interface: inside</P><P>input-status: up</P><P>input-line-status: up</P><P>Action: allow</P><P></P><P></P><P>#####################################################################################</P><P></P><P>ciscoasa(config)# sh conn </P><P>1 in use, 1 most used</P><P>TCP outside 1.1.1.1:23 inside 10.10.10.1:31862, idle 0:00:18, bytes 149, flags UIO</P><P></P><P></P><P>ciscoasa(config)# sh xlate </P><P>2 in use, 3 most used</P><P>Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice</P><P>TCP PAT from inside:2.2.2.2 23-23 to outside:3.3.3.3 23-23</P><P>&nbsp;&nbsp;&nbsp; flags sr idle 2:15:10 timeout 0:00:00</P><P>TCP PAT from inside:10.10.10.1 8080-8080 to outside:3.3.3.3 80-80</P><P>&nbsp;&nbsp;&nbsp; flags sr idle 2:15:10 timeout 0:00:00</P><P></P><P>ciscoasa(config)# sh local-host </P><P>Interface management: 0 active, 0 maximum active, 0 denied</P><P>Interface inside: 1 active, 2 maximum active, 0 denied</P><P>local host: &lt;10.10.10.1&gt;,</P><P>&nbsp;&nbsp;&nbsp; TCP flow count/limit = 1/unlimited</P><P>&nbsp;&nbsp;&nbsp; TCP embryonic count to host = 0</P><P>&nbsp;&nbsp;&nbsp; TCP intercept watermark = unlimited</P><P>&nbsp;&nbsp;&nbsp; UDP flow count/limit = 0/unlimited</P><P></P><P>&nbsp; Conn:</P><P>&nbsp;&nbsp;&nbsp; TCP outside 1.1.1.1:23 inside 10.10.10.1:31862, idle 0:00:36, bytes 149, flags UIO</P><P>Interface outside: 1 active, 1 maximum active, 0 denied</P><P>local host: &lt;1.1.1.1&gt;,</P><P>&nbsp;&nbsp;&nbsp; TCP flow count/limit = 1/unlimited</P><P>&nbsp;&nbsp;&nbsp; TCP embryonic count to host = 0</P><P>&nbsp;&nbsp;&nbsp; TCP intercept watermark = unlimited</P><P>&nbsp;&nbsp;&nbsp; UDP flow count/limit = 0/unlimited</P><P></P><P>&nbsp; Conn:</P><P>&nbsp;&nbsp;&nbsp; TCP outside 1.1.1.1:23 inside 10.10.10.1:31862, idle 0:00:36, bytes 149, flags UIO</P><P></P><P>ciscoasa(config)# packet-tracer input inside tcp 10.10.10.1 31862 1.1.1.1 23</P><P></P><P>Phase: 1</P><P>Type: FLOW-LOOKUP</P><P>Subtype: </P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P>Found flow with id 17, using existing flow</P><P></P><P>Result:</P><P>input-interface: inside</P><P>input-status: up</P><P>input-line-status: up</P><P>Action: allow</P><P></P><P>Thanks</P></BODY></HTML> Sun, 25 Dec 2011 06:55:20 GMT https://community.cisco.com/t5/network-security/static-port-address-translation-8-4/m-p/1869176#M490155 estelamathew 2011-12-25T06:55:20Z https://community.cisco.com/t5/network-security/static-port-address-translation-8-4/m-p/1869177#M490159 <HTML><HEAD></HEAD><BODY><P> Post full trace all phase.</P></BODY></HTML> Sun, 25 Dec 2011 07:39:55 GMT https://community.cisco.com/t5/network-security/static-port-address-translation-8-4/m-p/1869177#M490159 ajay chauhan 2011-12-25T07:39:55Z https://community.cisco.com/t5/network-security/static-port-address-translation-8-4/m-p/1869178#M490161 <HTML><HEAD></HEAD><BODY><P>Hello Estela,</P><P></P><P>You are using an exisiting flow for the packet tracer that is not what I am looking for.....</P><P>I want you to do the following packet tracer please!</P><P></P><P>packet-tracer input inside tcp 10.10.10.1 1025 1.1.1.1 23</P></BODY></HTML> Sun, 25 Dec 2011 07:41:58 GMT https://community.cisco.com/t5/network-security/static-port-address-translation-8-4/m-p/1869178#M490161 Julio Carvajal 2011-12-25T07:41:58Z https://community.cisco.com/t5/network-security/static-port-address-translation-8-4/m-p/1869179#M490165 <HTML><HEAD></HEAD><BODY><P>The source port what i m using is 23 and the destination is also 23 , Is it OK or i m wrong.Please correct if this is not enough.</P><P></P><P>In such case when i don't know the source port what i shld use. </P><P></P><P>ciscoasa(config)# packet-tracer input inside tcp 2.2.2.2 23 1.1.1.1 23</P><P></P><P>Phase: 1</P><P>Type: ROUTE-LOOKUP</P><P>Subtype: input</P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P>in&nbsp;&nbsp; 0.0.0.0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0.0.0.0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; outside</P><P></P><P>Phase: 2</P><P>Type: IP-OPTIONS</P><P>Subtype: </P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P></P><P>Phase: 3</P><P>Type: NAT</P><P>Subtype: </P><P>Result: ALLOW</P><P>Config:</P><P>object network static</P><P> nat (inside,outside) static 3.3.3.3 service tcp telnet telnet </P><P>Additional Information:</P><P>Static translate 2.2.2.2/23 to 3.3.3.3/23</P><P></P><P>Phase: 4</P><P>Type: IP-OPTIONS</P><P>Subtype: </P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P></P><P>Phase: 5</P><P>Type: FLOW-CREATION</P><P>Subtype: </P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P>New flow created with id 2368, packet dispatched to next module</P><P></P><P>Result:</P><P>input-interface: inside</P><P>input-status: up</P><P>input-line-status: up</P><P>output-interface: outside</P><P>output-status: up</P><P>output-line-status: up</P><P>Action: allow</P></BODY></HTML> Sun, 25 Dec 2011 08:37:49 GMT https://community.cisco.com/t5/network-security/static-port-address-translation-8-4/m-p/1869179#M490165 estelamathew 2011-12-25T08:37:49Z https://community.cisco.com/t5/network-security/static-port-address-translation-8-4/m-p/1869180#M490167 <HTML><HEAD></HEAD><BODY><P>Hello Estela,</P><P></P><P>You need to use a random port, but for this monitoring purposes its okay, I saw what I was looking for.</P><P></P><P>That traffic is hitting the static rule, seems like on ASA version 8.3 and prior the static port-forwarding will be taken biderectional.</P><P></P><P>Are you looking for just inbound connections or it is okay if its bi-derectional?</P><P></P><P>Regards,</P><P></P><P>Julio</P></BODY></HTML> Sun, 25 Dec 2011 18:22:46 GMT https://community.cisco.com/t5/network-security/static-port-address-translation-8-4/m-p/1869180#M490167 Julio Carvajal 2011-12-25T18:22:46Z https://community.cisco.com/t5/network-security/static-port-address-translation-8-4/m-p/1869181#M490169 <HTML><HEAD></HEAD><BODY><P>Tx Julio,</P><P></P><P>Suppose if i m looking only inbound then what i have to do??</P><P></P><P>Thanks</P></BODY></HTML> Sun, 25 Dec 2011 19:25:42 GMT https://community.cisco.com/t5/network-security/static-port-address-translation-8-4/m-p/1869181#M490169 estelamathew 2011-12-25T19:25:42Z