ASA nat based on destination port

Hello,

 

I would like to be able to pat a device based on the destination port.  For example:

 

10.10.10.49 (any source any destination) ---- 10.10.10.50 (asa) ----- PAT to ----- 222.222.222.222

 

But also be able to do this:

 

10.10.10.49 (any source, destination port 25) ---- 10.10.10.50 (asa) -----PAT to ----- 223.223.223.223

 

Is this possible to do with ASA version 9.1?

Accepted Solution

Hello,

 

It is possible with Twice NAT, Dan.

 

So first of all:

10.10.10.49 (any source any destination) ---- 10.10.10.50 (asa) ----- PAT to ----- 222.222.222.222

For that one you could simply do a one-to-one translation or a PAT, although it does not make sense to do a PAT for just a single IP address.

10.10.10.49 (any source, destination port 25) ---- 10.10.10.50 (asa) -----PAT to ----- 223.223.223.223

For this one you can do:

object service TCP_SMTP_Destination
 service tcp destination eq 25

object network host_10.10.10.49
 host 10.10.10.49

object network host_223.223.223.223
 host 223.223.223.223

 

Then

nat (inside,outside) source dynamic host_10.10.10.49 host_223.223.223.223 destination static any any service TCP_SMTP_Destination TCP_SMTP_Destination

 

Makes sense?

 

Regards

 

 

 

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
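The two rules from the accepted answer, put together as one ordered configuration. This is an added example and not part of the original thread. The addresses are the ones from the question; the interface names, the explicit `1`/`2` line numbers, the outside test destination 198.51.100.10 and the source port in the packet-tracer checks are assumptions. The detail the answer does not spell out is ordering: twice NAT (section 1) rules are evaluated top-down and the first match wins, so the port-25 rule has to sit above the catch-all for 10.10.10.49, otherwise the catch-all absorbs SMTP as well.

```cisco
! --- Objects ---------------------------------------------------------------
object network host_10.10.10.49
 host 10.10.10.49
object network host_222.222.222.222
 host 222.222.222.222
object network host_223.223.223.223
 host 223.223.223.223
object service TCP_SMTP_Destination
 service tcp destination eq 25

! --- Section 1 (twice NAT): top-down, first match wins ---------------------
! Line 1: only traffic from .49 whose destination port is TCP/25 is PATed
!         behind 223.223.223.223. A single-host mapped object with
!         "source dynamic" gives dynamic PAT.
nat (inside,outside) 1 source dynamic host_10.10.10.49 host_223.223.223.223 destination static any any service TCP_SMTP_Destination TCP_SMTP_Destination
! Line 2: everything else from .49 is PATed behind 222.222.222.222.
!         Placing this rule above line 1 would shadow the SMTP rule entirely.
nat (inside,outside) 2 source dynamic host_10.10.10.49 host_222.222.222.222

! --- Verification ----------------------------------------------------------
! Hit counters per rule: translate_hits should rise on line 1 only for port 25.
show nat detail
! Assumed test destination 198.51.100.10 and source port 40000:
! expected NAT phase shows 223.223.223.223 for the first trace,
! 222.222.222.222 for the second.
packet-tracer input inside tcp 10.10.10.49 40000 198.51.100.10 25
packet-tracer input inside tcp 10.10.10.49 40000 198.51.100.10 443
```

Two practical caveats: the upstream router must route 222.222.222.222 and 223.223.223.223 towards the ASA's outside interface (the ASA proxy-ARPs for mapped addresses by default, which is enough when they sit on the outside subnet), and if the catch-all is instead configured as network object NAT it lands in section 2 and is always checked after section 1, so the SMTP rule still wins regardless of order.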
3 Replies


Re: Hello, It is possible with

Hi:

How will it be done if my internal network, a /24 (being NATed too), needs to reach an outside destination on the regular port 22, but traffic coming back from outside to my internal network (the NATed address) will now communicate with one of the internal hosts on port 5530, for example? All internal hosts have the same public address; the only difference is that each internal host has a different port number.

 

How will that work? Will it be the same scenario as the NAT you mention here, just static instead of dynamic?

 

nat (inside,outside) source dynamic host_10.10.10.49 host_223.223.223.223 destination static any any service TCP_SMTP_Destination TCP_SMTP_Destination
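The follow-up question above (one public address, the /24 hidden behind it on the way out, and a different outside port steering inbound connections to each inside host's port 22) is not answered in the thread. As an added example, not from any participant: this is ordinary network object static PAT and needs no twice NAT. The second host 10.10.10.51, the outside interface address 203.0.113.1, the test source 198.51.100.10 and the ACL name outside_in are assumptions.

```cisco
! --- Outbound: the whole /24 hides behind the outside interface address ----
object network inside_net
 subnet 10.10.10.0 255.255.255.0
 nat (inside,outside) dynamic interface

! --- Inbound: static PAT, same public IP, one distinct outside port per host
! Syntax is "service tcp <real_port> <mapped_port>": real 22, mapped 5530.
object network host_10.10.10.49
 host 10.10.10.49
 nat (inside,outside) static interface service tcp 22 5530
object network host_10.10.10.51
 host 10.10.10.51
 nat (inside,outside) static interface service tcp 22 5531

! Static rules in section 2 are evaluated before dynamic ones, so port 22
! replies and inbound 5530/5531 hit the static entries while everything else
! from those hosts still falls through to the dynamic interface PAT.

! --- Access control: since 8.3, ACLs match the real (untranslated) address
!     and port, i.e. 10.10.10.49:22, not 203.0.113.1:5530.
access-list outside_in extended permit tcp any object host_10.10.10.49 eq 22
access-list outside_in extended permit tcp any object host_10.10.10.51 eq 22
access-group outside_in in interface outside

! --- Verification ----------------------------------------------------------
! Expected: NAT phase un-translates 203.0.113.1:5530 to 10.10.10.49:22
packet-tracer input outside tcp 198.51.100.10 50000 203.0.113.1 5530
! Expected: un-translates to 10.10.10.51:22
packet-tracer input outside tcp 198.51.100.10 50000 203.0.113.1 5531
show xlate
```

Exposing SSH this way puts each host's port 22 directly on the Internet, so pair the ACL with a source restriction (replace `any` with the management networks that actually need access) rather than relying on the non-standard outside port for protection.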

Yes this all makes sense.  I will give it a try.

 

Thanks,

Dan.