ASA 5510 (9.2)

Lucio Garrido
Level 1

Hello everyone,

Please can you help me with a one-to-one static NAT rule that is not working well. In the rule I have three services, or three ports: TCP 3299, 3200 and 3300. These ports are NATed by the IP address P.P.P.P. When I test the connection from the outside, the port opens correctly and the IP address P.P.P.P receives the traffic, but the outside interface with IP address Y.Y.Y.Y is used for the outgoing traffic. This is not correct: the outgoing traffic should use the IP address P.P.P.P, and traffic for these ports should be received on the P.P.P.P address.

This is my current configuration:

object network Server
 host h.h.h.h
 nat (inside,outside) static P.P.P.P service tcp 3299 3299

access-list outside_in extended permit tcp any4 host h.h.h.h eq 3299

Any comment is welcome, thank you very much.

1 Reply

Hi

The dynamic NAT entry that you have is also an object NAT statement, I presume? If you run the command "show nat", the dynamic NAT statement has a lower sequence number in that list.

It is better if you use a manual NAT statement instead of an object NAT statement when doing static NAT, because manual NAT statements are processed before object NAT statements and you would not run into this problem.

Your NAT statement would look like this using manual NAT:

object network p-host
 host p.p.p.p

! The service object must match the server's source port for source-side port translation
object service tcp-eq-3299
 service tcp source eq 3299

nat (inside,outside) source static Server p-host service tcp-eq-3299 tcp-eq-3299
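
The rule ordering discussed in this thread can be modelled in a few lines. The following is an added example, not part of the original posts and not Cisco code: it assumes the dynamic PAT to the outside interface is a manual (section 1) rule, and the rule names and the `NatRule` and `translate` helpers are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

# Placeholders from the post: real server, mapped address, outside interface.
SERVER, MAPPED, OUTSIDE_IF = "h.h.h.h", "P.P.P.P", "Y.Y.Y.Y"

@dataclass(frozen=True)
class NatRule:
    name: str
    section: int                     # 1 = manual NAT, 2 = object NAT
    static: bool
    real_ip: Optional[str]           # None matches any inside host
    mapped_ip: str
    src_port: Optional[int] = None   # None matches any source port

def lookup_order(config):
    # Manual rules (section 1) keep configuration order and come first.
    # Inside section 2, static rules are tried before dynamic ones.
    # sorted() is stable, so configuration order breaks ties.
    return sorted(config, key=lambda r: (r.section, r.section == 2 and not r.static))

def translate(config, src_ip, src_port):
    """Return (rule name, translated source IP) for a new inside->outside flow."""
    for rule in lookup_order(config):
        if rule.real_ip in (None, src_ip) and rule.src_port in (None, src_port):
            return rule.name, rule.mapped_ip   # first match wins
    return None, src_ip

# Assumed: the dynamic PAT to the outside interface is a manual (section 1) rule.
PAT = NatRule("manual-dynamic-pat", 1, False, None, OUTSIDE_IF)
OBJECT_STATIC = NatRule("object-static-3299", 2, True, SERVER, MAPPED, 3299)
MANUAL_STATIC = NatRule("manual-static-3299", 1, True, SERVER, MAPPED, 3299)

SCENARIOS = {
    "object static NAT (as posted)": [PAT, OBJECT_STATIC],
    "manual static appended after PAT": [PAT, MANUAL_STATIC],
    "manual static placed above PAT": [MANUAL_STATIC, PAT],
}

def run():
    return {label: translate(cfg, SERVER, 3299) for label, cfg in SCENARIOS.items()}

if __name__ == "__main__":
    for label, (rule, ip) in run().items():
        print(f"{label}: matched {rule}, source becomes {ip}")
    # A port-scoped rule does not cover flows from other source ports:
    print(translate(SCENARIOS["manual static placed above PAT"], SERVER, 50000))
```

On the ASA itself, "show nat" lists the rules in the order they are evaluated, so the position of the static rule relative to the dynamic one can be checked there.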