Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1552
Views
0
Helpful
3
Replies

Port translation on ASA 8.6

Go to solution
learnsec
Level 1
Level 1

‎08-13-2014 11:57 AM - edited ‎03-11-2019 09:37 PM

hello,

i switched to Asa 8.6 and i am still facing some differences on the creation of nat rules. however a specific case i would like to investigate which is:

i have an IP on the inside which is  I92.168.195.5  that is accessed from a user on the outside.

i translated the inside server IP to be 10.10.195.5.


object network Inside192                        host 192.168.195.5

object network OutsideNAT10                host 10.10.195.5

nat (inside,outside) source static Inside192 OutsideNAT10

 

My question is that i would like to make a kind of port tanslation IN ADDITION to the ip translation i made above. the user request come to port 1010 and i want to translate the port to be 3399. so i created two services for tcpdestination eq1010 and tcp desitination eq 3399

and i made

nat (outside,outside) source static OutsideNAT10 OutsideNAT10 tcp1010 tcp3399

but the user still not able to access the server. simply it didn't work..

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni

‎08-13-2014 12:13 PM

Hi,

 

Is there a specific reason why you want to configure a Static PAT (Port Forward) in addition to the Static NAT?

 

The Static NAT should be everything you need to reach the internal host with any port (provided you allow the traffic also ofcourse). Though if you specifically want to configure Static PAT (Port Forward) to change the port for the users connection I would configure the Static NAT and Static PAT this way

 

object network STATIC-PAT
 host 192.168.195.5
 nat (inside,outside) static 10.10.195.5 service tcp 3399 1010

 

object network STATIC-NAT
 host 192.168.195.5
 nat (inside,outside) static 10.10.195.5

 

Notice that the above NAT configurations are Auto NAT type configurations while you have used Manual NAT / Twice NAT. I would personally suggest configuring Static NAT and Static PAT this way so you dont have to create multiple "object" just for a simple NAT configuration. In the above configurations the "nat" configuration is located under the "object".

 

I am not sure how the ASA reacts to this situation when we configure Static NAT and Static PAT with the same real and mapped IP addresses. It should typically automatically order the configurations with Auto NAT so that the Static NAT does not override the Static PAT in order. If it does then it might even require you to name the NAT "object" so that the Static PAT objects name is alpabetically before the one of Static NAT.

 

Personally I would stick with using only the Static NAT unless the Port Mapping for the single port is absolutely needed.

 

If you want to check some information on the new NAT format then you can check the 8.3+ NAT document I wrote in 2013

https://supportforums.cisco.com/document/132066/asa-nat-83-nat-operation-and-configuration-format-cli

 

Hope this helps :)

 

- Jouni

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni

‎08-13-2014 12:13 PM

Hi,

 

Is there a specific reason why you want to configure a Static PAT (Port Forward) in addition to the Static NAT?

 

The Static NAT should be everything you need to reach the internal host with any port (provided you allow the traffic also ofcourse). Though if you specifically want to configure Static PAT (Port Forward) to change the port for the users connection I would configure the Static NAT and Static PAT this way

 

object network STATIC-PAT
 host 192.168.195.5
 nat (inside,outside) static 10.10.195.5 service tcp 3399 1010

 

object network STATIC-NAT
 host 192.168.195.5
 nat (inside,outside) static 10.10.195.5

 

Notice that the above NAT configurations are Auto NAT type configurations while you have used Manual NAT / Twice NAT. I would personally suggest configuring Static NAT and Static PAT this way so you dont have to create multiple "object" just for a simple NAT configuration. In the above configurations the "nat" configuration is located under the "object".

 

I am not sure how the ASA reacts to this situation when we configure Static NAT and Static PAT with the same real and mapped IP addresses. It should typically automatically order the configurations with Auto NAT so that the Static NAT does not override the Static PAT in order. If it does then it might even require you to name the NAT "object" so that the Static PAT objects name is alpabetically before the one of Static NAT.

 

Personally I would stick with using only the Static NAT unless the Port Mapping for the single port is absolutely needed.

 

If you want to check some information on the new NAT format then you can check the 8.3+ NAT document I wrote in 2013

https://supportforums.cisco.com/document/132066/asa-nat-83-nat-operation-and-configuration-format-cli

 

Hope this helps :)

 

- Jouni

0 Helpful

Go to solution
learnsec
Level 1
Level 1
In response to Jouni Forss

‎08-13-2014 12:29 PM

thx jouni,

actually my needs are the fllowing:

1- i want static nat for the server in inside

2- when users are accessing the server in the inside on a specific port 1010 i want this port to be modified to 3399 with keeping the same nat of the ip mentioned in point 1.

but keep note that same users when they access the same mentioned server in the inside, only the IP of the server inside will be natted but nothing on the port. the port is specific case for specific port as mentioned above

 

so what u suggested is enough?

 

0 Helpful

Go to solution
Mark Walters
Level 1
Level 1
In response to Jouni Forss

‎05-01-2018 08:58 AM

Note that creating a static PAT and static one-to-one NAT for the same host does not appear to work using this "network object" method, at least on v8.6(1). The one-to-one NAT is always chosen, and the PAT is ignored, regardless of the order in which they appear in the config. I expected this approach to work as well, but no luck.
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card