Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2438
Views
0
Helpful
2
Replies

asa nat destination port rewrite

daniel f.
Level 1
Level 1

‎02-04-2021 03:29 AM

hello together, i have a server where i cant change snmp deamon port and which is not 161. and i have a monitor system where i cant change snmp to ask at another port then 161. in between there is an asa so i thought maybe its a good idea to just rewrite destination port in a nat statement. thats what i have tried so far:

 

 


object-group network monitoring
network-object host 10.0.0.1

object-group network server
network-object host 10.150.1.1

object service snmp
service udp destination eq snmp
object service snmp-server
service udp destination eq 2161

nat (monitor-lan,server-lan) source static monitoring monitoring destination static server server service snmp-server snmp no-proxy-arp route-lookup

 

but packettracer says:

Drop-reason: (nat-no-xlate-to-pat-pool) Connection to PAT address without pre-existing xlate

 

also i have tried snmp walk from the monitor system to the server, its not working. and also nothing is workin when this entry is added. i even cant ping the server from another system in the monitor-lan, even it has another ip then 10.0.0.1

 

also i change static to dynamic, disabled routelookup etc. i dont know where the problem is. maybe someone can help me on this

0 Helpful
2 Replies 2

Mohammed al Baqari
Level 11
Level 11

‎02-04-2021 04:52 AM

Hi,

Remove these two no-proxy-arp route-lookup and try. Then post the output
show nat interface monitor-lan details


**** please remember to rate useful posts
0 Helpful

daniel f.
Level 1
Level 1
In response to Mohammed al Baqari

‎02-04-2021 05:24 AM - edited ‎02-04-2021 05:26 AM

hi,

heres the output:

 

asa/pri/act(config)# show nat interface monitor-lan detail
Manual NAT Policies (Section 1)
38 (monitor-lan) to (server) source static monitoring monitoring destination static server server service snmp-server snmp
translate_hits = 0, untranslate_hits = 0
Source - Origin: 10.0.0.1/32, Translated: 10.0.0.1/32
Destination - Origin: 10.150.1.1/32, Translated: 10.150.1.1/32
Service - Origin: udp destination eq 2161 , Translated: udp destination eq snmp

 

no traffic at all is passing to the server when rule is applied

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card