Auto NAT and Manual NAT in Cisco ASA

diwakar410
Level 1

I have a public IP of 201.202.203.204.

And then, I have a pool IP of 205.206.207.208 which is routable to 201.202.203.204.

I have a service running on my server which opens locally on port 3456, i.e., I get access to the server from the inside network using 172.16.32.45:3456.

I want this service to be opened from outside too, and for this we need to do port forwarding. I want this service to be opened on port 7890, i.e.,

I want it to be accessed from outside using 205.206.207.208:7890.

How can I achieve this using:

1. Auto NAT

2. Manual NAT

I had asked this type of question before but it was regarding manual NAT. I want to know the clear difference between them and please specify the ports to be used as source/destination.

Please help me with the command lines.


Here is something to get you started (I hope I understood you correctly).

object network PUBLIC-IP
host 201.202.203.204

object network IP-POOL
host 205.206.207.208

object service DESTINATION-TCP-3456
service tcp destination eq 3456

object service DESTINATION-TCP-7890
service tcp destination eq 7890

nat (OUTSIDE,INSIDE) source static any any destination static PUBLIC-IP IP-POOL service DESTINATION-TCP-7890 DESTINATION-TCP-3456

Regards,

Cristian

Hello there,

I don't know if this command works or not. Haven't tried it.

nat (OUTSIDE,INSIDE) source static any any destination static PUBLIC-IP IP-POOL service DESTINATION-TCP-7890 DESTINATION-TCP-3456

I used to do manual NAT this way:

object network obj-172.16.32.45
host 172.16.32.45

object network PUBLIC-IP
host 201.202.203.204

object network IP-POOL
host 205.206.207.208

object service SOURCE-TCP-3456
service tcp source eq 3456

object service DESTINATION-TCP-7890
service tcp destination eq 7890

and the command would be:

nat (inside,outside) source static obj-172.16.32.45 IP-POOL service SOURCE-TCP-3456 DESTINATION-TCP-7890

I believe port 3456 should be source, isn't it?

This is manual NAT.

How can the same thing be achieved using auto NAT?

If possible, please clarify this command line:

nat (OUTSIDE,INSIDE) source static any any destination static PUBLIC-IP IP-POOL service DESTINATION-TCP-7890 DESTINATION-TCP-3456

Hello,

I never use auto-nat myself but this should be the correct NAT rule:

object network obj-172.16.32.45
 nat (INSIDE,OUTSIDE) static IP-POOL service tcp 3456 7890

Regarding manual NAT, you have the wrong idea about source and destination.

You have to think of it in NAT rule direction, and keep in mind it's always both ways unless specified not to be.

Example:

nat (OUTSIDE,INSIDE) source static any any destination static PUBLIC-IP IP-POOL service DESTINATION-TCP-7890 DESTINATION-TCP-3456

Could have been written as:

nat (INSIDE,OUTSIDE) source static IP-POOL PUBLIC-IP service SOURCE-TCP-3456 SOURCE-TCP-7890 destination any any

I hope I'm not confusing you.

//Cristian

Hi Cristian,

Finally, I guess, I am getting the real meaning.

Let me elaborate what I understood.

My WLC opens at port 80. I want the request on 80 to be opened at 8080 when someone accesses it from outside.

So in manual NAT:

In this case, from what I got from your help, when going to the internet, i.e., inside to outside, my source port is 80 and the destination port is still 80.

But if someone tries to get into my WLC from the remote side, i.e., outside to inside, then for them 8080 becomes the source and 80 becomes the destination.

Am I right?

Hello again,

You are correct.

But to help you a bit more, think of the NAT (depending on direction nat rule is) from the source perspective.

INSIDE > OUTSIDE, inside host perspective (deal with SOURCE IP/ports)

OUTSIDE > INSIDE, outside host perspective (deal with DESTINATION IP/ports)

A quote from a course leader regarding manual/twice-NAT thinking:

"REAL-NAT-NAT-REAL". This has helped me many times since I started with NAT.

And in my opinion, manual NAT is much easier to read and get a quick view of.

//Cristian

Hi Cristian,
Thank you for your help so far.
Still not clear regarding some issues.
Today I was asked to do port forwarding of IP 192.168.10.100:3389 to be opened as 201.202.203.204:2234 for RDP.
As I am used to auto NAT, I did this:
object network obj-192.168.10.100
host 192.168.10.100
nat (private,public) static interface service tcp 3389 2234
Then I had this access list:
access-list access-list-name extended permit tcp any host 192.168.10.100 eq 3389
and it was fine. The port was opened and everything worked.
Later, I decided to do this using manual NAT, using your help.
As per your command line,
nat (INSIDE,OUTSIDE) source static IP-POOL PUBLIC-IP service SOURCE-TCP-3456 SOURCE-TCP-7890 destination any any

I modified it this way:
nat (private,public) source static obj-192.168.10.100 obj-201.202.203.204 service SOURCE-TCP-3389 SOURCE-TCP-2234 destination any any
and I had these issues:
1. The command after destination any any didn't work.
2. I removed the command after destination any any, then there was this error that obj-201.202.203.204 overlaps with the public IP.

So I used the second command:
nat (OUTSIDE,INSIDE) source static any any destination static PUBLIC-IP IP-POOL service DESTINATION-TCP-7890 DESTINATION-TCP-3456
and modified it as:
nat (OUTSIDE,INSIDE) source static any any destination static obj-192.168.10.100 obj-201.202.203.204 service DESTINATION-TCP-2234 DESTINATION-TCP-3389

Then the command was accepted but the port failed to open.
I tried using the packet-tracer command and it indicated the port failed to open because the flow was denied by the configured rule.
But there was already this command:
access-list access-list-name extended permit tcp any host 192.168.10.100 eq 3389

What could be the reason for that?

Is it because I am using version 9.2?

Please help.

Hello,

You forgot destination STATIC any any, that is why the command was rejected.

nat (private,public) source static obj-192.168.10.100 obj-201.202.203.204 service SOURCE-TCP-3389 SOURCE-TCP-2234 destination any any

This is reversed as you NAT in direction private to public.

nat (private,public) source static any any destination static obj-192.168.10.100 obj-201.202.203.204 service DESTINATION-TCP-2234 DESTINATION-TCP-3389

Try this:

nat (private,public) source static obj-192.168.10.100 obj-201.202.203.204 destination static any any service SOURCE-TCP-3389 SOURCE-TCP-2234

Don't forget to create the service objects accordingly.

//Cristian

Hello Cristian,

Thank you for your help. But there are some issues still not solved.

According to your command:

nat (private,public) source static obj-192.168.10.100 obj-201.202.203.204 destination static any any service SOURCE-TCP-3389 SOURCE-TCP-2234

I get this error:

ERROR: any doesn't match an existing object or object-group

similarly, using the first command:

nat (private,public) source static obj-192.168.10.100 obj-201.202.203.204 service SOURCE-TCP-3389 SOURCE-TCP-2234 destination any any 

I get this error:

ERROR: Address 201.202.203.204 overlaps with Public-IP interface address.
ERROR: NAT Policy is not downloaded.

Actually things are working fine using Auto NAT, but as you suggested Manual NAT is better than Auto NAT, I am trying to learn that one. If you are not irritated, then please help me.

Hello,

No worries :). Manual NAT is not by nature better in any way, I just find it "cleaner" to read.

So let's see, ERROR: any doesn't match an existing object or object-group.

One or more objects don't exist; check that you have all objects created.

ERROR: Address 201.202.203.204 overlaps with Public-IP interface address.
ERROR: NAT Policy is not downloaded.

Is this the same IP that is assigned to your outside/public interface?
If so, use the interface command instead.

nat (private,public) source static obj-192.168.10.100 interface service SOURCE-TCP-3389 SOURCE-TCP-2234 destination any any 

This should NAT:

Host 192.168.10.100 tcp 3389 to public interface IP tcp 2234.

Or maybe clearer (remember they are always bi-directional unless specified not to):

When any outside host accesses the public interface IP at tcp 2234, NAT to private host 192.168.10.100 tcp 3389.

//Cristian

Hi Cristian,

This command worked without destination any any.

Can you let me know why the destination any any wasn't included?

As you said, "remember they are always bi-directional unless specified not to."

How can I make it unidirectional?

What happens when it is unidirectional?

nat (private,public) source static obj-192.168.10.100 interface service SOURCE-TCP-3389 SOURCE-TCP-2234

Hello,

Sorry, I totally mixed that line up and also forgot the static command.

nat (private,public) source static obj-192.168.10.100 interface destination static any any service SOURCE-TCP-3389 SOURCE-TCP-2234

You can apply the unidirectional at the end.

nat (private,public) source static obj-192.168.10.100 interface destination static any any service SOURCE-TCP-3389 SOURCE-TCP-2234 unidirectional

Now the rule only applies in one direction; I have yet to see a use for this though (multicast/UDP traffic?).

//Cristian
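
To make the REAL/MAPPED ordering and the "always both ways" reading concrete, here is an added Python helper (my own example, not code from this thread or from Cisco) that parses the source-side manual NAT lines and the two-line object NAT form used above and spells out how each direction reads. Assumptions: the object and interface address tables are constructed from the values quoted in the thread, and destination-side rules (source static any any destination static ...) are out of scope.

```python
import re

# Constructed lookup tables mirroring the objects defined in this thread (assumption:
# the `public` interface carries 201.202.203.204, the address the overlap error names).
NETWORK_OBJECTS = {"obj-192.168.10.100": "192.168.10.100", "obj-172.16.32.45": "172.16.32.45",
                   "IP-POOL": "205.206.207.208", "PUBLIC-IP": "201.202.203.204"}
SERVICE_OBJECTS = {"SOURCE-TCP-3389": 3389, "SOURCE-TCP-2234": 2234,
                   "SOURCE-TCP-3456": 3456, "SOURCE-TCP-7890": 7890}
INTERFACE_IPS = {"public": "201.202.203.204"}

# Manual (twice) NAT: nat (real_ifc,mapped_ifc) source static REAL MAPPED
#   [destination static MAPPED REAL] [service REAL MAPPED] [unidirectional]
# The destination pair is written mapped-then-real, hence "REAL-NAT-NAT-REAL".
MANUAL = re.compile(
    r"nat \((?P<rif>[\w-]+),(?P<mif>[\w-]+)\) source static (?P<rsrc>\S+) (?P<msrc>\S+)"
    r"(?: destination static (?P<mdst>\S+) (?P<rdst>\S+))?"
    r"(?: service (?P<rsvc>\S+) (?P<msvc>\S+))?(?P<uni> unidirectional)?$")
# Auto (object) NAT: object network NAME [host X] / nat (real,mapped) static MAPPED [service tcp REAL MAPPED]
AUTO = re.compile(
    r"object network (?P<obj>\S+)(?: host \S+)? nat \((?P<rif>[\w-]+),(?P<mif>[\w-]+)\) static (?P<msrc>\S+)"
    r"(?: service tcp (?P<rport>\d+) (?P<mport>\d+))?$")

def _addr(name, ifc):
    # `interface` stands for the mapped interface's own IP; anything else is a network object
    return INTERFACE_IPS[ifc] if name == "interface" else NETWORK_OBJECTS[name]

def _ep(ip, port):
    return f"{ip} tcp/{port}" if port else ip

def translate(rule):
    """Real and mapped endpoints a NAT rule expresses, with a reading per direction."""
    rule = " ".join(rule.split())  # join the two-line object NAT form, squash double spaces
    m = MANUAL.match(rule)
    if m:
        g = m.groupdict()
        real = (_addr(g["rsrc"], g["rif"]), SERVICE_OBJECTS.get(g["rsvc"]))
        mapped = (_addr(g["msrc"], g["mif"]), SERVICE_OBJECTS.get(g["msvc"]))
        bidir = g["uni"] is None
    else:
        a = AUTO.match(rule)
        if not a:
            raise ValueError("unrecognised NAT rule: " + rule)
        g = a.groupdict()
        real = (NETWORK_OBJECTS[g["obj"]], int(g["rport"]) if g["rport"] else None)
        mapped = (_addr(g["msrc"], g["mif"]), int(g["mport"]) if g["mport"] else None)
        bidir = True  # static object NAT is always bidirectional
    readings = [f"{g['rif']}->{g['mif']}: {_ep(*real)} appears as {_ep(*mapped)}"]
    if bidir:
        readings.append(f"{g['mif']}->{g['rif']}: traffic to {_ep(*mapped)} goes to {_ep(*real)}")
    return {"real": real, "mapped": mapped, "bidirectional": bidir, "readings": readings}
```

Feeding it the accepted line with and without `unidirectional` shows the second reading disappear, which is the only behavioural difference the keyword makes for this rule.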

Cristian,

Noted. Thanks a lot.

This command doesn't need any any:

nat (private,public) source static obj-192.168.10.100 interface destination static any any service SOURCE-TCP-3389 SOURCE-TCP-2234

If we use any any then there will be this error:

ERROR: any doesn't match an existing object or object-group

We can simply use:

nat (private,public) source static obj-192.168.10.100 interface service SOURCE-TCP-3389 SOURCE-TCP-2234

This helped me and solved my issue too. So thanks a lot. I am marking your recent answer as the correct answer.

Hello,

Happy to help.

//Cristian
