08-18-2016 12:45 PM - edited 03-12-2019 01:09 AM
Hi All,
I'm having an issue creating a TCP and UDP PAT statement on the ASA 9.x code.
I'm trying to translate outside TCP/UDP port 20821 to a DMZ IP host (bidirectional); however, I only have a single IP address assigned to the outside interface. Is that possible?
internet.any------tcp/udp------>asa.outside.int.ip------tcp/udp------->dmz.vm.ip
This is what I currently have set up for TCP. How would I write the NAT statement to allow TCP and UDP port 20821?
object network VM
nat (DMZ,outside) static interface service tcp 20821 20821
(This works for TCP only; when I try to add the UDP under the object it just replaces the TCP, it does not keep both.)
!
nat (inside,outside) after-auto source dynamic any interface
nat (DMZ,outside) after-auto source dynamic any interface
08-22-2016 12:39 AM
Hello,
Try this:
object service SERVER_SOURCE_-TCP-PORT
service tcp source eq 20821
object service SERVER_SOURCE_-UDP-PORT
service udp source eq 20821
object network SERVER_INSIDE
host x.x.x.x y.y.y.y
nat (DMZ,outside) 1 source static SERVER_INSIDE interface service SERVER_SOURCE_-TCP-PORT SERVER_SOURCE_-TCP-PORT
nat (DMZ,outside) 2 source static SERVER_INSIDE interface service SERVER_SOURCE_-UDP-PORT SERVER_SOURCE_-UDP-PORT
//Cristian
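The reason the earlier attempts collapsed to a single protocol is that a network object carries at most one nat statement and a service object holds a single protocol definition, so TCP and UDP each need their own service object and their own manual NAT line. The following is an added example (not Cristian's or any other poster's configuration) that puts the accepted answer together with the inbound access rule and verification commands a practitioner would want before calling the translation done. The DMZ host 192.0.2.10 and the remote client 203.0.113.5 are constructed placeholder addresses; the interface names DMZ and outside follow the thread.

```text
! Added example, not from the thread. Bidirectional TCP+UDP 20821 PAT on the
! outside interface IP, one manual NAT line per protocol.
! Assumed DMZ host address (placeholder): 192.0.2.10
object network SERVER_INSIDE
 host 192.0.2.10
!
! One service object per protocol: a service object holds a single protocol,
! so TCP and UDP cannot be combined in one object. "source" is correct here
! because in manual (twice) NAT the DMZ host's listening port is the source
! port as seen from the DMZ side.
object service SERVER_TCP_20821
 service tcp source eq 20821
object service SERVER_UDP_20821
 service udp source eq 20821
!
! Two static manual NAT rules, numbered so they sit in section 1 ahead of the
! after-auto dynamic PAT rules the original poster already has.
nat (DMZ,outside) 1 source static SERVER_INSIDE interface service SERVER_TCP_20821 SERVER_TCP_20821
nat (DMZ,outside) 2 source static SERVER_INSIDE interface service SERVER_UDP_20821 SERVER_UDP_20821
!
! Inbound connections still need an access rule on the outside interface.
! On ASA 8.3 and later the ACL matches the real (untranslated) address, so
! permit only port 20821 to the DMZ host rather than any port.
access-list OUTSIDE_IN extended permit tcp any object SERVER_INSIDE eq 20821
access-list OUTSIDE_IN extended permit udp any object SERVER_INSIDE eq 20821
access-group OUTSIDE_IN in interface outside
!
! Verification: confirm both rules are installed and hit, then trace a packet
! for each protocol. Replace <outside-interface-ip> with the real interface
! address; 203.0.113.5 is a constructed remote client.
show nat detail
show xlate
packet-tracer input outside tcp 203.0.113.5 40000 <outside-interface-ip> 20821
packet-tracer input outside udp 203.0.113.5 40000 <outside-interface-ip> 20821
```

If an access list is already applied inbound on outside, add the two permit lines to that list instead of binding a new one with access-group, since access-group replaces the existing binding. The packet-tracer output should show the NAT phase matching rule 1 or 2 and an ALLOW result; a DROP in the ACCESS-LIST phase means the inbound rule is missing, and a DROP in the NAT phase means the translation is not matching.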
08-18-2016 05:47 PM
object service SERVER_SOURCE_PORTS
service tcp source range 20821
service udp source range 20821
object service SERVER_PORTS_XLATE
service tcp source range 20821
service udp source range 20821
object network SERVER_INSIDE
host 1.1.1.1
object network SERVER_OUTSIDE
host 2.2.2.2
nat (DMZ,outside) source static SERVER_INSIDE SERVER_OUTSIDE service SERVER_SOURCE_PORTS SERVER_PORTS_XLATE
08-18-2016 05:47 PM
This is the error I get when using the NAT statement:
(config)# nat (DMZ,outside) source static SERVER_INSIDE SERVER_OUTSIDE service SERVER_SOURCE_PORTS SERVER_PORTS_XLATE
ERROR: Address 174.65.167.204 overlaps with outside interface address.
ERROR: NAT Policy is not downloaded
08-18-2016 06:12 PM
no object network SERVER_OUTSIDE
no nat (DMZ,outside) source static SERVER_INSIDE SERVER_OUTSIDE service SERVER_SOURCE_PORTS SERVER_PORTS_XLATE
nat (DMZ,outside) source static SERVER_INSIDE interface service SERVER_SOURCE_PORTS SERVER_PORTS_XLATE
clear xlate
08-18-2016 08:59 PM
We are getting closer; now I'm getting ERROR: NAT unable to reserve ports.
In addition, my service objects can only hold either TCP or UDP. When I enter TCP it replaces the UDP entry, very odd... How do I specify UDP and TCP?
This is currently in there with the nat statement:
nat (DMZ,outside) source static SERVER_INSIDE interface service SERVER_SOURCE_PORTS SERVER_PORTS_XLATE
object service SERVER_SOURCE_PORTS
service tcp source eq 20821
object service SERVER_PORTS_XLATE
service udp source eq 20821
08-19-2016 05:24 AM
object-group service NAME tcp-udp
port-object eq 20821
08-19-2016 02:44 PM
Thanks for all the help Luke. I'm still running into issues with the TCP/UDP combination; I can get TCP or UDP working but can't get both.
When I use the below syntax, I get the following error: "ERROR: SERVER_PORTS is not a valid service object name". It does not like the SERVER_PORTS object group for some reason. Am I missing something in the NAT statement syntax?
object-group service SERVER_PORTS tcp-udp
port-object eq 20821
object-group service SERVER_PORTS_XLATE tcp-udp
port-object eq 20821
nat (DMZ,outside) source static VM interface service SERVER_PORTS SERVER_PORTS_XLATE
ERROR: SERVER_PORTS is not a valid service object name