Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
675
Views
0
Helpful
2
Replies

ASA NAT with port translation

raymand.hau
Level 1
Level 1

‎08-20-2018 07:43 PM - edited ‎02-21-2020 08:07 AM

Hi all, I have tried to created a NAT that any ip address from outside2 with port number 80 translate to DMZ 10.0.0.1:81. This is a part of my configuration. I would like to know the behaviour of NAT with port translation. If a ip address x.x.x.x:443 come from outside 2 then it will not translate to 10.0.0.1:81 and drop the traffic, right? Thanks

 

object network cisco 
host 10.0.0.1

 

nat (Outside2,DMZ) source static any any destination static cisco cisco service TCP_80 TCP_81

0 Helpful
2 Replies 2

Dennis Mink
VIP Alumni
VIP Alumni

‎08-20-2018 09:37 PM

a port forward/NAT needs to be accompanied with an access list, so if you port forward tcp/80  the your acl will need to allow port 80 to the real IP address,  if that does not include port 443, then yes it will get dropped.

Please remember to rate useful posts, by clicking on the stars below.

0 Helpful

raymand.hau
Level 1
Level 1
In response to Dennis Mink

‎08-23-2018 02:20 AM

Thank you for your reply. I would like to explain further of my problem. I did apply a acl but there had an unexpected situation.  I want any IP address from outside2 with prot80 translated to 10.0.0.1:81 only. But for my NAT setting, IP address with any port number (443, 22, 23....) will translate to port 81 too. Here is my NAT configuration.

 

object network cisco
host 10.0.0.1

 

object service TCP_81
service tcp destination eq 81

object service TCP_80
service tcp destination eq 80

 

object service TCP_2010
service tcp destination eq 2010


object service TCP_2020
service tcp destination eq 2020


object-group service NAT_ACL
service-object object TCP_2010
service-object object TCP_2020
service-object tcp destination eq https
service-object tcp destination eq 81

 

access-list Outside2_access_in extended permit object-group NAT_ACL any4 object cisco log

access-group Outside2_access_in in interface Outside2

 

nat (Outside2,DMZ) source static any any destination static cisco cisco service TCP_80 TCP_81

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card