Re: ASA - NAT based on destination port

gizbri · ‎10-15-2018

Hello all-

Need to setup a NAT based on destination port

ASA 9.6.4

Source 202.1.1.18 routing to 202.1.1.17 on inteface vlan419int

if destination port is 12154 need 202.1.1.17 to NAT TO inside interface host 192.168.1.10

if destination ports are 12146-12153 need 202.1.1.17 to NAT to asa-link interface host 172.16.210.10

Attached is a diagram

Seems straightforward but I cant seen to get this working.

Thanks!

Cassio Oliveira · ‎10-15-2018

Try it:

# Create the port objects as type source. I like to add the suffix 'src' so I know it's a source type port object

object service 12154-src

service tcp source eq 12154

object service 12146-to-12153-src

service tcp source range 12146 12153

# Create the network objects

object network 192.168.1.10

host 192.168.1.10

object network 172.16.210.10

host 172.16.210.10

# Manually create the NAT rules. It's better than Auto NAT when using range objects

nat (inside,vlan419int) source static 192.168.1.10 interface service 12154-src 12154-src

nat (asa-link,vlan419int) source static 172.16.210.10 interface service 12146-to-12153-src 12146-to-12153-src

Then you must create the proper ACLs to permit traffic to these ports on these hosts from 202.1.1.18 .

Do not use the above service objects in the ACLs. There you should put destination type service objects:

object service 12154

service tcp destination eq 12154

object service 12146-to-12153

service tcp destination range 12146 12153

gizbri · ‎10-16-2018

Cassio - thanks for the response. I guess maybe I wasn't clear - the 202.1.1.17 is the host 202.1.1.18 routes to, not the interface IP.