07-21-2016 10:04 PM - edited 03-12-2019 01:03 AM
I have a public IP of 201.202.203.204.
And then,
I have a service running on my server which opens locally on port 3456.
I want this service to be opened from outside
How can
I had asked this type of question
Please help me with the command lines.
08-04-2016 11:42 PM
Hello,
Sorry, I totally mixed that line up and also forgot the static command.
nat (private,public) source static obj-192.168.10.100 interface destination static any any service SOURCE-TCP-3389 SOURCE-TCP-2234
You can apply the unidirectional at the end.
nat (private,public) source static obj-192.168.10.100 interface destination static any any service SOURCE-TCP-3389 SOURCE-TCP-2234 unidirectional
Now the rule only applies in one direction; I have yet to see a use for this though (multicast/UDP traffic?).
//Cristian
07-28-2016 03:54 AM
Here is something to get you started (I hope I understood you correctly).
object network PUBLIC-IP
host 201.202.203.204
object network IP-POOL
host 205.206.207.208
object service DESTINATION-TCP-3456
service tcp destination eq 3456
object service DESTINATION-TCP-7890
service tcp destination eq 7890
nat (OUTSIDE,INSIDE) source static any any destination static PUBLIC-IP IP-POOL service DESTINATION-TCP-7890 DESTINATION-TCP-3456
Regards,
Cristian
07-29-2016 09:27 PM
Hello there,
I don't know if this command works or not. Haven't tried it.
I used to do manual NAT this way:
object service SOURCE-TCP-3456
service tcp source eq 3456
nat (inside,outside) source static obj-172.16.32.45 IP-POOL service SOURCE-TCP-3456 DESTINATION-TCP-7890
I believe port 3456 should be
This is manual NAT.
How can the same thing be achieved using auto NAT?
If possible, please
08-01-2016 11:06 PM
Hello,
I never use auto-nat myself but this should be the correct NAT rule:
object network obj-172.16.32.45
nat (INSIDE,OUTSIDE) static IP-POOL service tcp 3456 7890
Regarding manual-nat you have the wrong idea about source and destination.
You have to think of it in NAT rule direction, and keep in mind it's always both ways unless specified not to be.
Example:
nat (OUTSIDE,INSIDE) source static any any destination static PUBLIC-IP IP-POOL service DESTINATION-TCP-7890 DESTINATION-TCP-3456
Could have been written as:
nat (INSIDE,OUTSIDE) source static IP-POOL PUBLIC-IP service SOURCE-TCP-3456 SOURCE-TCP-7890 destination any any
I hope I'm not confusing you.
//Cristian
08-02-2016 01:51 AM
Hi
Finally,
Let me
My WLC opens at port 80. I want the request on 80 to be opened
So in manual NAT:
In this case, from what
But if someone tries to get in my WLC from remote side,
Am
08-02-2016 03:01 AM
Hello again,
You are correct.
But to help you a bit more, think of the NAT (depending on direction nat rule is) from the source perspective.
INSIDE > OUTSIDE, inside host perspective (deal with SOURCE IP/ports)
OUTSIDE > INSIDE, outside host perspective (deal with DESTINATION IP/ports)
A quote from course leader regarding manual/twice-NAT-thinking:
"REAL-NAT-NAT-REAL". This has helped me many times when I started with NAT.
And in my opinion, manual NAT is much easier to read and get a quick view of.
//Cristian
08-03-2016 08:09 AM
Hi Christian,
Thank you for your help so far.
Still not clear regarding some issues.
Today
As I am used to auto NAT, I did this:
object network obj-192.168.10.100
nat (private,public) static interface service tcp 3389 3334
Then I had this access list:
Later,
As per your command line,
1.
2.
So
nat (OUTSIDE,INSIDE) source static any any destination static PUBLIC-IP IP-POOL service DESTINATION-TCP-7890 DESTINATION-TCP-3456
I tried using the packet tracer command and it indicated the port failed to open because
But there was already this command:
access-list access-list-name extended permit tcp any host 192.168.10.100 eq 3389
What could be the reason for that?
Is it because
Please help.
08-03-2016 09:30 AM
Hello,
You forgot destination STATIC any any, that is why command was rejected.
nat (private,public) source static obj-192.168.10.100 obj-201.202.203.204 service SOURCE-TCP-3389 SOURCE-TCP-2234 destination any any
This is reversed as you NAT in direction private to public.
nat (private,public) source static any any destination static obj-192.168.10.100 obj-201.202.203.204 service DESTINATION-TCP-2234 DESTINATION-TCP-3389
Try this
nat (private,public) source static obj-192.168.10.100 obj-201.202.203.204 destination static any any service SOURCE-TCP-3389 SOURCE-TCP-2234
Don't forget to create the service objects accordingly.
//Cristian
08-04-2016 10:54 PM
Hello Christian,
Thank you for your help. But there are some issues still not solved.
According to your command:
nat (private,public) source static obj-192.168.10.100 obj-201.202.203.204 destination static any any service SOURCE-TCP-3389 SOURCE-TCP-2234
I get this error:
ERROR: any doesn't match an existing object or object-group
nat (private,public) source static obj-192.168.10.100 obj-201.202.203.204 service SOURCE-TCP-3389 SOURCE-TCP-2234 destination any any
I get this error:
ERROR: Address 201.202.203.204
ERROR:
08-04-2016 11:08 PM
Hello,
No worries :). Manual NAT is not by nature better in any way, I just find it "cleaner" to read.
So let's see, ERROR: any doesn't match an existing object or object-group.
ERROR: Address 201.202.203.204 overlaps with Public-IP interface address.
ERROR: NAT Policy is not downloaded.
nat (private,public) source static obj-192.168.10.100 interface service SOURCE-TCP-3389 SOURCE-TCP-2234 destination any any
This should NAT:
Host 192.168.10.100 tcp 3389 to public interface IP tcp 2234.
Or maybe clearer (remember they are always bi-directional unless specified not to):
When any outside host accesses the public interface IP at tcp 2234, NAT to private host 192.168.10.100 tcp 3389.
//Cristian
08-04-2016 11:27 PM
Hi Christian,
This command worked without destination any any.
Can you let me know why the destination any any wasn't included?
As you said, "remember they are always bi-directional unless specified not to"
How can I make it unidirectional?
What happens when it is unidirectional?
nat (private,public) source static obj-192.168.10.100 interface service SOURCE-TCP-3389 SOURCE-TCP-2234
08-05-2016 12:07 AM
Christian,
Noted. Thanks a lot.
This command doesn't
nat (private,public) source static obj-192.168.10.100 interface destination static any any service SOURCE-TCP-3389 SOURCE-TCP-2234
If we use any any then there will be this error:
ERROR: any doesn't match an existing object or object-group
This helped me and solved my issue too. So thanks a lot
08-05-2016 12:36 AM
Hello,
Happy to help.
//Cristian
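Putting the thread's accepted twice-NAT rule into a complete, reviewable ASA configuration, as an added example that is not part of any post above. The interface names (private, public), the real host 192.168.10.100, the public address 201.202.203.204 and the port pair 3389/2234 come from the thread; the object-group MGMT-HOSTS, its 203.0.113.0/24 network, the ACL name OUTSIDE-IN and the packet-tracer source host are constructed for the example. The ACL deliberately restricts the source to a management network rather than `any`, since the rule exposes RDP on the public interface.

```cisco
! Real (untranslated) server address, as in the thread
object network obj-192.168.10.100
 host 192.168.10.100
! Service objects: the real port and the mapped (public) port
object service SOURCE-TCP-3389
 service tcp source eq 3389
object service SOURCE-TCP-2234
 service tcp source eq 2234
! Constructed for this example: only these management networks may reach the forwarded port
object-group network MGMT-HOSTS
 network-object 203.0.113.0 255.255.255.0
! Twice (manual) NAT, read REAL-NAT-NAT-REAL: real 192.168.10.100:3389 is mapped to
! the public interface address on tcp/2234. "destination static any any" is required
! (a bare "any any" is rejected), and "interface" is used because 201.202.203.204 is
! the public interface address itself and cannot be a separate mapped object.
nat (private,public) source static obj-192.168.10.100 interface destination static any any service SOURCE-TCP-3389 SOURCE-TCP-2234
! Post-8.3 ACLs match the real address and real port, not the mapped ones
access-list OUTSIDE-IN extended permit tcp object-group MGMT-HOSTS object obj-192.168.10.100 eq 3389
access-group OUTSIDE-IN in interface public
! Verify from the outside: the trace should show the NAT phase rewriting
! 201.202.203.204:2234 to 192.168.10.100:3389 and the ACL phase permitting it
! (constructed source host from the allowed management range)
packet-tracer input public tcp 203.0.113.25 50000 201.202.203.204 2234
! Inspect the installed rule, its hit counts and active translations
show nat detail
show xlate
```

Running the same packet-tracer with a source address outside MGMT-HOSTS should still show the translation succeeding but the ACL phase dropping the packet, which is the quickest way to confirm that the exposure is limited to the intended sources and not to the whole Internet.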