ASA nat based on destination port

dan.letkeman
Level 4

Hello,

 

I would like to be able to PAT a device based on the destination port. For example:

 

10.10.10.49 (any source any destination) ---- 10.10.10.50 (asa) ----- PAT to ----- 222.222.222.222

 

But also be able to do this:

 

10.10.10.49 (any source, destination port 25) ---- 10.10.10.50 (asa) -----PAT to ----- 223.223.223.223

 

Is this possible to do with ASA version 9.1?

Accepted Solution

Julio Carvajal
VIP Alumni

Hello,

 

It is possible with twice NAT, Dan.

So first of all:

10.10.10.49 (any source any destination) ---- 10.10.10.50 (asa) ----- PAT to ----- 222.222.222.222

For that one you could simply do a one-to-one translation or a PAT, which does not make sense for just a single IP address.

10.10.10.49 (any source, destination port 25) ---- 10.10.10.50 (asa) -----PAT to ----- 223.223.223.223

For this one you can do:

object service TCP_SMTP_Destination
 service tcp destination eq 25
object network host_10.10.10.49
 host 10.10.10.49
object network host_223.223.223.223
 host 223.223.223.223

Then:

nat (inside,outside) source dynamic host_10.10.10.49 host_223.223.223.223 destination static any any service TCP_SMTP_Destination TCP_SMTP_Destination

 

Makes sense?

 

Regards

 

 

 

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
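The two translations from the accepted answer assembled into one configuration, as an added example for this page (not Julio's or Cisco's text). It keeps the post's interface names and addresses, places the general translation as one-to-one object NAT (section 2) so that the port-25 twice NAT rule (section 1) is always evaluated first, and uses 198.51.100.10 only as a made-up destination for packet-tracer.

```text
! --- Objects (define before they are referenced) ---
object network host_10.10.10.49
 host 10.10.10.49
! Section 2 (object/auto NAT): general one-to-one for everything else
! from the host. Section 2 is consulted only when no section 1 rule
! matched, so this rule can never shadow the port-25 rule below.
 nat (inside,outside) static 222.222.222.222
object network host_223.223.223.223
 host 223.223.223.223
object service TCP_SMTP_Destination
 service tcp destination eq 25
!
! --- Section 1 (manual/twice NAT): evaluated top-down, first match wins ---
! Only packets from 10.10.10.49 whose destination port is TCP/25 match here;
! the source is PATed to 223.223.223.223, the destination is left unchanged.
nat (inside,outside) source dynamic host_10.10.10.49 host_223.223.223.223 destination static any any service TCP_SMTP_Destination TCP_SMTP_Destination
!
! --- Verification (exec mode) ---
show nat detail
! Expected: port 25 hits the section 1 rule -> source becomes 223.223.223.223
packet-tracer input inside tcp 10.10.10.49 40000 198.51.100.10 25
! Expected: any other port falls through to object NAT -> source becomes 222.222.222.222
packet-tracer input inside tcp 10.10.10.49 40000 198.51.100.10 80
```

If the catch-all is written as a second twice NAT rule instead of object NAT, it lands in section 1 as well and must sit below the port-25 rule; twice NAT accepts an optional line number (`nat (inside,outside) 1 source dynamic ...`) to force that order, and `show nat` displays the resulting sequence together with per-rule hit counts.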

Hi:

How will it be done if my internal network, a /24 (being NATted too), needs to reach an outside destination on the regular port 22, but traffic coming back from outside to my internal network (the NATted address) will now communicate with one of the internal hosts on port 5530, for example? All internal hosts have the same public address; the only difference is that each internal host has a different port number?

How will that work? Will it be the same scenario as the NAT you mention here, just static instead of dynamic?

 

nat (inside,outside) source dynamic host_10.10.10.49 host_223.223.223.223 destination static any any service TCP_SMTP_Destination TCP_SMTP_Destination
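The follow-up question above receives no answer on this page. What follows is an added example (not from any poster) of how that per-host port mapping is normally written on an ASA, alongside the dynamic PAT for the whole /24. The network 10.10.10.0/24, the host 10.10.10.60, the public address 203.0.113.5 and the test client 198.51.100.10 are made up, and the assumption is that outside clients connect to 203.0.113.5 on port 5530 and should land on the internal host's port 22.

```text
! Dynamic PAT: the whole inside /24 shares one public address outbound
object network inside_net
 subnet 10.10.10.0 255.255.255.0
 nat (inside,outside) dynamic 203.0.113.5
!
! Static PAT (object NAT): public 203.0.113.5:5530 <-> 10.10.10.60:22.
! 'service tcp <real_port> <mapped_port>': real port first, mapped port second.
! Each additional internal host gets its own object with a different mapped
! port on the same public address; the real port can be 22 on every host.
object network host_10.10.10.60
 host 10.10.10.60
 nat (inside,outside) static 203.0.113.5 service tcp 22 5530
!
! Post-8.3 ACLs reference the REAL address and REAL port, not the mapped ones
access-list outside_in extended permit tcp any object host_10.10.10.60 eq 22
access-group outside_in in interface outside
!
! Verification: the inbound packet should be untranslated to 10.10.10.60:22
packet-tracer input outside tcp 198.51.100.10 50000 203.0.113.5 5530
```

Static object NAT is bidirectional, so the same rule also translates the host's replies from port 22 back to 5530; traffic from 10.10.10.60 on any other port does not match the service-restricted static rule and falls through to the dynamic PAT of inside_net. Because static rules are evaluated before dynamic ones within object NAT, the order in which the two objects are entered does not matter.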

dan.letkeman
Level 4

Yes, this all makes sense. I will give it a try.

 

Thanks,

Dan.
