08-20-2018 07:43 PM - edited 02-21-2020 08:07 AM
Hi all, I have tried to create a NAT so that any IP address from Outside2 with port number 80 translates to DMZ 10.0.0.1:81. This is a part of my configuration. I would like to know the behaviour of NAT with port translation. If an IP address x.x.x.x:443 comes from Outside2, then it will not translate to 10.0.0.1:81 and the traffic will be dropped, right? Thanks
object network cisco
 host 10.0.0.1
nat (Outside2,DMZ) source static any any destination static cisco cisco service TCP_80 TCP_81
08-20-2018 09:37 PM
A port forward/NAT needs to be accompanied by an access list, so if you port forward tcp/80 then your ACL will need to allow port 80 to the real IP address. If that does not include port 443, then yes, it will get dropped.
08-23-2018 02:20 AM
Thank you for your reply. I would like to explain my problem further. I did apply an ACL, but there was an unexpected situation. I want any IP address from Outside2 with port 80 translated to 10.0.0.1:81 only. But with my NAT setting, an IP address with any port number (443, 22, 23, ...) is translated to port 81 too. Here is my NAT configuration.
object network cisco
 host 10.0.0.1
object service TCP_81
 service tcp destination eq 81
object service TCP_80
 service tcp destination eq 80
object service TCP_2010
 service tcp destination eq 2010
object service TCP_2020
 service tcp destination eq 2020
object-group service NAT_ACL
 service-object object TCP_2010
 service-object object TCP_2020
 service-object tcp destination eq https
 service-object tcp destination eq 81
access-list Outside2_access_in extended permit object-group NAT_ACL any4 object cisco log
access-group Outside2_access_in in interface Outside2
nat (Outside2,DMZ) source static any any destination static cisco cisco service TCP_80 TCP_81
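To make the question in this thread concrete (what happens to an inbound packet whose destination port is not 80), here is a small Python model of how the posted twice-NAT rule and interface ACL are evaluated. It is an added example written for this page, not code from the posts or from Cisco, and it encodes the documented rule semantics as assumptions: in twice NAT, the first service object's destination port is the mapped port and the second's is the real port, and the interface ACL is matched on the real (untranslated) address and port. The behaviour the asker reports (every port translated to 81) is not reproduced by this model.

```python
# Added example, not from the thread: a model of how an ASA evaluates an inbound
# packet on Outside2 against the twice-NAT rule and the ACL posted above.
# Assumed semantics (my model, not ASA code): "service TCP_80 TCP_81" means
# mapped destination port 80 and real destination port 81, and the interface
# ACL Outside2_access_in is checked against the real address and real port.
from dataclasses import dataclass
from typing import Optional

CISCO = "10.0.0.1"  # object network cisco


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


# nat (Outside2,DMZ) source static any any destination static cisco cisco service TCP_80 TCP_81
NAT_RULE = {"mapped_dst": CISCO, "real_dst": CISCO, "mapped_dport": 80, "real_dport": 81}

# object-group NAT_ACL (TCP_2010, TCP_2020, https, 81), permitted from any4 to object cisco
ACL_PERMIT_DPORTS = {2010, 2020, 443, 81}


def untranslate(pkt: Packet) -> Packet:
    """Inbound on Outside2: rewrite the mapped destination to the real one if the rule matches."""
    r = NAT_RULE
    if pkt.proto == "tcp" and pkt.dst == r["mapped_dst"] and pkt.dport == r["mapped_dport"]:
        return Packet(pkt.src, r["real_dst"], r["real_dport"], pkt.proto)
    return pkt  # no NAT rule matched: the packet continues untranslated


def acl_permits(real: Packet) -> bool:
    """Outside2_access_in is evaluated on real addresses and real ports."""
    return real.proto == "tcp" and real.dst == CISCO and real.dport in ACL_PERMIT_DPORTS


def forward(pkt: Packet) -> Optional[Packet]:
    """Return the packet as delivered to the DMZ host, or None if the ACL drops it."""
    real = untranslate(pkt)
    return real if acl_permits(real) else None


if __name__ == "__main__":
    # 203.0.113.5 is a constructed outside source address (documentation range).
    for dport in (80, 443, 22):
        print(dport, "->", forward(Packet("203.0.113.5", CISCO, dport)))
```

Under these semantics only port 80 is rewritten to 81; a packet to 443 reaches the host untranslated on 443 because the ACL permits https to the real address, and a packet to 22 is dropped by the ACL.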