Buy or Renew
Buy or Renew
Notice: The file download function is disabled. We apologize for the inconvenience.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
743
Views
0
Helpful
3
Replies

ASA 9.2 Dynamic PAT - Change Inside global port

Evgeny Andreev
Level 1
Level 1

‎04-03-2015 02:19 AM - edited ‎03-11-2019 10:43 PM

By default "When choosing the mapped port number for a translation, the ASA uses the real source port number if it is available. If the real port is not available, by default the mapped ports are chosen from the same range of ports as the real port number: 1 to 511, 512 to 1023, and 1024 to 65535. To avoid running out of ports at the low ranges, configure this setting. To use the entire range of 1 to 65535, also turn On Include reserve ports."

 

There is a default scenario of a dynamic PAT translation on ASA:

1.1.1.1:1000 - Inside local

2.2.2.2:2000 - Outside local

3.3.3.3:1000 - Inside global (ASA will choose port 1000 if it is avaliable.)

2.2.2.2:2000 - Outside global

 

In my case, I need to change default behavior and don't use "the real source port number".

1.1.1.1:1000 - Inside local

2.2.2.2:2000 - Outside local

3.3.3.3:XXXX - Inside global (I need any other port not 1000!.)

2.2.2.2:2000 - Outside global

Is it possible?

 

Labels:
0 Helpful
3 Replies 3

Vibhor Amrodia
Cisco Employee
Cisco Employee

‎04-03-2015 04:14 AM

Hi,

Yes , please use the flat [ include-reserve ] command in the NAT statement

Refer:-

http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/I-R/cmdref2/n.html#pgfId-1778544

Thanks and Regards,

Vibhor Amrodia

0 Helpful

Evgeny Andreev
Level 1
Level 1
In response to Vibhor Amrodia

‎04-03-2015 04:53 AM

Hi, Vibhor.
Thanks for your answer.

However, if I correctly understand meaning of "flat [ include-reserve ] command" it will works only if the real port is NOT available. Furthermore, the purpose of "flat [ include-reserve ] command" is expansion of low ranges of mapped ports (1 to 511, 512 to 1023, and 1024 to 65535) to wider range (1 to 65535).
In my case the real port is available, so in this situation "flat" won't solve the problem.

Is my reasoning correct?

0 Helpful

Vibhor Amrodia
Cisco Employee
Cisco Employee
In response to Evgeny Andreev

‎04-03-2015 05:34 AM

Hi,

I agree and this would be the only way to change the choice of source ports. There is no other option available on the ASA device.

Thanks and Regards,

Vibhor Amrodia

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card