topic Re: Source PAT translation in Network Security

Source PAT translation

johnsondnz — Mon, 11 Mar 2019 18:40:22 GMT

Hi there

I'm using a Cisco ASA 5510 and have a conneciton that needs to establish from the inside to the outside of the network. The issue is the destination for the traffic requires a static source port for the traffic due to their company security policy. Our appluication sourcing the traffic uses a random port when generating the traffic starting from 1024 to 65535.

I have prevously configured a linux box to to such a task where it changes the source port to the required value. I am wondering if anyone has a confiugration example on how I could do this in an ASA usign either 8.2 or 8.3 ASA software.

the flow is below

INSIDE OUTSIDE

192.168.136.16 (random source port) -------> ASA 5510 ---------> DEST IP (1.1.1.1) TCP port 2365

I need the source port to be 4000 as it leaves the outside interface of the ASA. The outisde interface of the FW (10.1.4.190) is used when NATing the address I could however change this to a specific global address.

Any help would be appreciated.

Cheers
Donald Johson

Network Engineer

Airways NZ Ltd

Re: Source PAT translation

praprama — Wed, 15 Sep 2010 00:25:08 GMT

Hey Donald,

You can try using a Static policy PAT as below:

access-list POLICY permit tcp host 192.168.136.16 host 1.1.1.1 eq 2365

static (inside,outside) tcp interface 4000 access-list POLICY

I have a feeling that this command may not be accepted because in the access-list we do not have a "source port" parameter defined but give it a try anyways. Let me know how it goes!!

If it doesn't accept it, try using the below ACL instead:

access-list POLICY permit tcp host 192.168.136.16 gt 1023 host 1.1.1.1 eq 2365

Thanks and Regards,

Prapanch

Re: Source PAT translation

johnsondnz — Wed, 15 Sep 2010 00:38:43 GMT

Thanks Prapanch

Yeah I had a go at that type of configuration in 8.2 a couple of days ago and neither is accepted. The issue is the POLICY ACL needs to define a local port and for the second option the ASA can't deal with port ranges which is a real bummer.

I downloaded ASA software version 8.3 this morning as it can handle object groups with the new way NAT is handled however I have been unable to devise a solution due to my inexpereince with this version.

I've tried the following;

object service AFTN-Dst
service tcp destination eq 4000

object service AFTN-Source-Ports
service tcp source range 1023 65535

object network DEV-AMS
host 192.168.136.16

nat (inside,outside) source dynamic AFTN_CLIENTS interface service AFTN-Dst AFTN-Source-Ports

Using packet tracer the source port continue to remain the same;

packet-tracer input AMSa tcp 192.168.136.16 1259 1.1.1.1 2365

<166>:Sep 14 16:48:09 UTC: %ASA-session-6-302013: Built outbound TCP connection 29 for DMZ:1.1.1.1/2365 (1.1.1.1/2365) to AMSa:192.168.136.16/1259 (192.168.136.16/1259)
<166>:Sep 14 16:48:09 UTC: %ASA-session-6-302014: Teardown TCP connection 29 for DMZ:1.1.1.1/2365 to AMSa:192.168.136.16/1259 duration 0:00:00 bytes 0 Free the flow created as result of packet injection

This configuration is completely new to me and I've not used 8.3 before today so its most likely wrong . Any ideas?