ASA - NAT based on destination port

gizbri
Level 1

Hello all-

Need to set up a NAT based on destination port

ASA 9.6.4

Source 202.1.1.18 routing to 202.1.1.17 on interface vlan419int

if destination port is 12154 need 202.1.1.17 to NAT TO inside interface host 192.168.1.10

if destination ports are 12146-12153 need 202.1.1.17 to NAT to asa-link interface host 172.16.210.10

Attached is a diagram

Seems straightforward but I can't seem to get this working.

Thanks!


2 Replies

Cassio Oliveira
Level 1

Try it:

# Create the port objects as type source. I like to add the suffix 'src' so I know it's a source type port object
object service 12154-src
 service tcp source eq 12154
object service 12146-to-12153-src
 service tcp source range 12146 12153

# Create the network objects
object network 192.168.1.10
 host 192.168.1.10
object network 172.16.210.10
 host 172.16.210.10

# Manually create the NAT rules. It's better than Auto NAT when using range objects
nat (inside,vlan419int) source static 192.168.1.10 interface service 12154-src 12154-src
nat (asa-link,vlan419int) source static 172.16.210.10 interface service 12146-to-12153-src 12146-to-12153-src

Then you must create the proper ACLs to permit traffic to these ports on these hosts from 202.1.1.18.

Do not use the above service objects in the ACLs. There you should put destination type service objects:

object service 12154
 service tcp destination eq 12154
object service 12146-to-12153
 service tcp destination range 12146 12153

Cassio - thanks for the response. I guess maybe I wasn't clear - the 202.1.1.17 is the host 202.1.1.18 routes to, not the interface IP.
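For the case the original poster clarifies above, where 202.1.1.17 is a separate public address routed to the ASA rather than the vlan419int interface IP, the same twice NAT pattern works with a network object as the mapped address instead of the `interface` keyword. This is an added example, not Cassio's configuration or Cisco's own; the object names and the ACL name vlan419int_in are chosen here, and it assumes 202.1.1.17 is routed to the ASA's vlan419int interface.

```cisco
! Constructed example: dedicated mapped IP 202.1.1.17 instead of the interface address
object network obj-202.1.1.17
 host 202.1.1.17
object network obj-192.168.1.10
 host 192.168.1.10
object network obj-172.16.210.10
 host 172.16.210.10

! Port objects for NAT are written from the real (inside) host's point of view, hence "source"
object service tcp-12154-src
 service tcp source eq 12154
object service tcp-12146-12153-src
 service tcp source range 12146 12153

! Twice NAT: real host -> mapped 202.1.1.17, ports unchanged; destination port selects the real host
nat (inside,vlan419int) source static obj-192.168.1.10 obj-202.1.1.17 service tcp-12154-src tcp-12154-src
nat (asa-link,vlan419int) source static obj-172.16.210.10 obj-202.1.1.17 service tcp-12146-12153-src tcp-12146-12153-src

! On ASA 8.3 and later the inbound ACL matches the REAL (untranslated) destination, and destination ports
access-list vlan419int_in extended permit tcp host 202.1.1.18 object obj-192.168.1.10 eq 12154
access-list vlan419int_in extended permit tcp host 202.1.1.18 object obj-172.16.210.10 range 12146 12153
access-group vlan419int_in in interface vlan419int
```

`packet-tracer input vlan419int tcp 202.1.1.18 40000 202.1.1.17 12154` shows which NAT rule and ACL line a probe hits, which is the quickest way to confirm the port-based split before testing from 202.1.1.18.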
