Solved: ASA static NAT works til I Enable Port Translation

mcmurphytoo · ‎11-09-2009

ASA 8.0(4), ASDM 6.1(3) I'm trying to do ssh from 1 inside host to an outside host. Static NAT translates private IP to public IP, translates response back - all good. But my app won't allow custom port, outside host must have port 20022. So I Enable Port Translation, original port ssh, translated port 20022. ASDM Packet Tracer Tools says it works, shows my IP and port translation. BUT when I run the real thing I get no translation of IP or Port - sniffer outside of ASA shows my inside IP as source IP trying to route across the internet. So my static NAT works with no Port Translation, but quites entirely with Port Translation. What do I have wrong?

Panos Kampanakis · ‎11-09-2009

Do you mean that the outside host is listening on port 20022 instead of 22?

If that is the case then you need to do outside nat. Keep the static (inside,outside) for the inside host translation. If the outsider is listening on 20022 and the insider is trying to use 22 then the 22 destined to the outside needs to be translated to 20022. That would be done by using

static (outside,inside) tcp 22 20022.

I hope it helps.

PK

View solution in original post

Panos Kampanakis · ‎11-09-2009

Do you mean that the outside host is listening on port 20022 instead of 22?

If that is the case then you need to do outside nat. Keep the static (inside,outside) for the inside host translation. If the outsider is listening on 20022 and the insider is trying to use 22 then the 22 destined to the outside needs to be translated to 20022. That would be done by using

static (outside,inside) tcp 22 20022.

I hope it helps.

PK

mcmurphytoo · ‎11-10-2009

exactly what I needed, thanks very much. Now I need to cogitate a while, so I can understand why it's which when getting the job done.