653 Views | 0 Helpful | 1 Replies

Source Port for PAT NATs? - ASA 5520

Mohamed Hamid
Level 1

Hi Guys

This is probably a simple question with a simple answer

I have servers in my private network that need to communicate with servers in my DMZ on port 1080.

I have created a static NAT rule and then edited the rule as part of a lockdown so that the source IP and the Translated port is both 1080.

However, when setting this up and checking the ASA logs, I am seeing that it is complaining of "No translation group found for" and that the source port is a random number.

This makes sense, as the incoming source port is bound to be a random number, but it is the destination that is important. However, in the ASA (using ASDM) I am unable to specify port ranges or 'any' port.

What is the best action to take in this case?

Your help is much appreciated.

Kind Regards

Mohamed

1 Reply

Peter Koltl
Level 7

You need a service object which has both source and destination ports. Source could be range 0-65535.

But NAT rules are not the right place to add port conditions. Just add a NAT rule covering all ports. Access lists should filter the traffic by port.

Anyway, the best practice is adding an identity NAT / no NAT rule for all private (RFC1918) address ranges globally.
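As an added illustration (not part of the original reply), the following ASA CLI fragment puts the two approaches side by side: the NAT rule with a source-port condition that the question describes, and the recommended form with an identity NAT covering all ports and the port restriction moved into an access list. It assumes ASA 8.3+ NAT syntax, and the object names and addresses (INSIDE-SERVERS, DMZ-SERVERS, RFC1918, INSIDE_IN, the 10.10.10.0/24 and 192.168.100.0/24 subnets) are hypothetical.

```cisco
! --- Objects (hypothetical names and addresses) ---
object network INSIDE-SERVERS
 subnet 10.10.10.0 255.255.255.0
object network DMZ-SERVERS
 subnet 192.168.100.0 255.255.255.0
object-group network RFC1918
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0
!
! --- What the question describes: a port condition inside the NAT rule ---
! The service object pins the SOURCE port to 1080, but a client opens its
! connection from an ephemeral source port, so the rule never matches and
! the ASA logs "No translation group found". Do not use this form.
object service TCP-1080-BOTH
 service tcp source eq 1080 destination eq 1080
nat (inside,dmz) source static INSIDE-SERVERS INSIDE-SERVERS destination static DMZ-SERVERS DMZ-SERVERS service TCP-1080-BOTH TCP-1080-BOTH
!
! --- Recommended form: NAT covers all ports, the ACL filters by port ---
! Remove the port-conditioned rule and add a global identity (no-NAT)
! rule for all RFC1918 ranges, as the reply suggests.
no nat (inside,dmz) source static INSIDE-SERVERS INSIDE-SERVERS destination static DMZ-SERVERS DMZ-SERVERS service TCP-1080-BOTH TCP-1080-BOTH
nat (any,any) source static RFC1918 RFC1918 destination static RFC1918 RFC1918 no-proxy-arp
!
! Port filtering belongs in the access list on the inside interface:
! only TCP/1080 from the inside servers to the DMZ servers is permitted,
! everything else from inside to the DMZ hits the implicit deny.
access-list INSIDE_IN extended permit tcp object INSIDE-SERVERS object DMZ-SERVERS eq 1080
access-group INSIDE_IN in interface inside
!
! Verification: a flow with a random source port should now match the
! identity rule and be permitted by the ACL.
packet-tracer input inside tcp 10.10.10.5 49152 192.168.100.20 1080
show nat detail
```

The packet-tracer output should show the flow hitting the identity NAT rule and the INSIDE_IN access list with a final result of ALLOW; if it still reports no translation group, check that the source and destination addresses actually fall inside the RFC1918 object-group.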
