ASA5550 NAT/PAT on destination

robj (Level 1)

I have a requirement to NAT the destination address and destination protocol port on the ASA5550. The ASA appears to only NAT inside addresses to the outside. Is there a way to NAT/PAT the destination address?


6 Replies

Hi Rob,

Please tell us exactly what you want to achieve and when the translation should occur. The alias command is used for destination NAT purposes, but I want to make sure that you really need it before giving an example.

Regards

We have a requirement to manipulate incoming tcp packets from an external source. Information is provided by multiple clients on a wide range of source addresses with the only commonality being the destination address. This involves NAT/PAT based on destination addresses not source addresses. Incoming packets with destination 10.1.1.1:50003 need to be modified to destination 10.30.36.101:5091 while incoming packets with destination 10.1.1.2:50003 need to be modified to destination 10.30.36.101:5090.

I think we can accomplish this using Cisco IOS router software with the "ip nat inside source static tcp 10.30.36.101 5091 10.1.1.1 50003" command, which, while applying the source NAT/PAT translation on the inside, applies the reverse destination NAT/PAT on the outside. However, I'm not too familiar with the ASA product range and don't know if there is a corresponding way to apply this on the security appliance rather than on a router. Initial investigations suggest that NAT/PAT translations on the ASA are based on source address only and don't appear to carry the reverse resolver that a router NAT/PAT automatically applies.

Hi,

Static NAT should work for you, i.e.

static (inside,outside) tcp 10.1.1.1 50003 10.30.36.101 5091 netmask 255.255.255.255

The above will translate any INBOUND packet originating from the outside with destination 10.1.1.1 port 50003 to destination 10.30.36.101 port 5091. You also need to allow access on that port in the access list applied to the outside interface, i.e.

access-list Outside-Inside permit tcp any host 10.1.1.1 eq 50003

access-group Outside-Inside in interface outside

I hope it helps. Please rate helpful posts.
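The complete configuration for both of Rob's mappings, as an added example that is not part of Fernando's post. It assumes the pre-8.3 `static` syntax Fernando used (the real/inside address and port come after the mapped/outside address and port), the interface names `inside` and `outside`, and an ASA that has no other rule already claiming 10.1.1.1:50003 or 10.1.1.2:50003. The 8.3-and-later equivalent is included because the same requirement is written very differently there: object NAT lists the real port before the mapped port, and the interface ACL must match the real (inside) address rather than the mapped one. The object names `SRV_5091` and `SRV_5090` are hypothetical.

```cisco
! --- ASA 8.2 and earlier (syntax used in this thread) ---
! Inbound packets to 10.1.1.1:50003 are delivered to 10.30.36.101:5091;
! inbound packets to 10.1.1.2:50003 are delivered to 10.30.36.101:5090.
! Each static entry is bidirectional, so replies from 10.30.36.101 are
! automatically translated back to the mapped address and port.
static (inside,outside) tcp 10.1.1.1 50003 10.30.36.101 5091 netmask 255.255.255.255
static (inside,outside) tcp 10.1.1.2 50003 10.30.36.101 5090 netmask 255.255.255.255
!
! Pre-8.3: the outside ACL is checked against the MAPPED destination,
! so it permits the public addresses and port 50003, not the real server.
access-list Outside-Inside extended permit tcp any host 10.1.1.1 eq 50003
access-list Outside-Inside extended permit tcp any host 10.1.1.2 eq 50003
access-group Outside-Inside in interface outside

! --- ASA 8.3 and later (object NAT) ---
! Order in "service": real port first, then mapped port.
object network SRV_5091
 host 10.30.36.101
 nat (inside,outside) static 10.1.1.1 service tcp 5091 50003
object network SRV_5090
 host 10.30.36.101
 nat (inside,outside) static 10.1.1.2 service tcp 5090 50003
!
! 8.3+: the outside ACL is checked AFTER untranslation, so it must
! permit the REAL address and REAL port.
access-list Outside-Inside extended permit tcp any host 10.30.36.101 eq 5091
access-list Outside-Inside extended permit tcp any host 10.30.36.101 eq 5090
access-group Outside-Inside in interface outside
```

Keeping the ACL scoped to the single port on each mapped (or, on 8.3+, real) host is the point of doing this on the firewall rather than with a blanket permit: the static entries alone do not admit traffic, and a wider ACL would expose every port on 10.30.36.101 that any other translation happens to cover. On either release, `show xlate` confirms that the entries were built, and `packet-tracer input outside tcp 203.0.113.5 40000 10.1.1.1 50003` (a constructed external source address) walks an inbound packet through the NAT and ACL phases so you can see which one drops it if the mapping is not taking effect.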

Fernando,

That's done the trick!

The CLI command accomplished what the ASDM GUI could not.

Thank you.

I feel you can also do it this way:

access-list AB permit tcp any host 10.1.1.1 eq 50003

nat (internal)1 interface

nat (management)1 access-list AB outside

Hi, it is something like port forwarding based on the destination and source address. The very first thing you have to do is define two static statements on the firewall, static (outside,inside); this is actually called reverse NAT based on destination address. Then finally open the ports with respect to the IP address requirement. I hope this works.
