Solved: Re: Can Source NAT maps static source to destination port in Cisco ASA

ManadarDesai2895 · ‎03-20-2024

Hi Community,

We have Source NAT configured on one of our Cisco ASA with given details. Can I achieve static mapping of source & destination port for this? Is it feasible in Cisco ASA?

Private Original IP - 192.168.1.1

Destination IPs - 1.1.1.1 & 2.2.2.2

Traffic from 192.168.1.1 towards 1.1.1.1 & 2.2.2.2 (all services) would get source NATted to 192.168.2.2.

Is it possible to configure static mapping of source ports coming from 1.1.1.1/2.2.2.2 towards destination port of 192.168.1.1.

Aref Alsouqi · ‎03-21-2024

The above NAT config does not do anything with the ports, it just translates the TP-SBC-DMZ-IP to TCL-SBC-NAT-IP when the traffic is going to/coming from TLC-SIP-PUB-IP over the interfaces SBC-DMZ and OUTSIDE-TCL.

View solution in original post

Rob Ingram · ‎03-20-2024

@ManadarDesai2895

Example:-

object network REAL-SRC
host 192.168.1.1
object network TRANSLATED-SRC
host 192.168.2.2
object network REAL-DST-1
host 1.1.1.1
object network REAL-DST-2
host 2.2.2.2

nat (INSIDE,OUTSIDE) source static REAL-SRC TRANSLATED-SRC destination static REAL-DST-1 REAL-DST-1
nat (INSIDE,OUTSIDE) source static REAL-SRC TRANSLATED-SRC destination static REAL-DST-2 REAL-DST-2

Just replace the interface names (if required).

ManadarDesai2895 · ‎03-20-2024

Hi Rob,

This is my current NAT, I just wanted to know if this NAT would translate the incoming source port(tcp/5060) coming from my service provider to any dynamic source port?

nat (SBC-DMZ,OUTSIDE-TCL) source static TP-SBC-DMZ-IP TCL-SBC-NAT-IP destination static TCL-SIP-PUB-IP TCL-SIP-PUB-IP

object network TP-SBC-DMZ-IP
host 192.168.1.1

object network TCL-SBC-NAT-IP
host 192.168.2.2

object network TCL-SIP-PUB-IP
host 1.1.1.1

MHM Cisco World · ‎03-20-2024

Sure why not

You can include port in your NAT command.

MHM

MHM Cisco World · ‎03-20-2024

I Now can run lab
what is
real source IP
mapped source IP
real dest IP
mapped dest IP
real dest port
mapped dest port

MHM

ManadarDesai2895 · ‎03-20-2024

Hi MHM,

This is my current NAT, I just wanted to know if this NAT would translate the incoming source port(tcp/5060) coming from my service provider to any dynamic source port?

nat (SBC-DMZ,OUTSIDE-TCL) source static TP-SBC-DMZ-IP TCL-SBC-NAT-IP destination static TCL-SIP-PUB-IP TCL-SIP-PUB-IP

object network TP-SBC-DMZ-IP
host 192.168.1.1

object network TCL-SBC-NAT-IP
host 192.168.2.2

object network TCL-SIP-PUB-IP
host 1.1.1.1

MHM Cisco World · ‎03-21-2024

the IP I think you get how you can NAT it static or dynamic
for port in service object you can specify if Port is source or destination then you can add service objects to NAT.

MHM

Aref Alsouqi · ‎03-20-2024

Why would you want to change the source ports of the traffic coming from 1.1.1.1 and 2.2.2.2? usually we might change the destination ports of the traffic going to the public resource. For example, if you want to change the destination port to something else you can do something similar to this:

object network PUBLIC-1-SERVER
host 1.1.1.1
object network PUBLIC-2-SERVER
host 2.2.2.2
object network PRIVATE-1-SERVER
host 192.168.1.1
object network PRIVATE-2-SERVER
host 192.168.2.2

object service TCP-80
service tcp source eq 80
object service TCP-8081
service tcp source eq 8081
object service TCP-8081
service tcp source eq 8082

nat (inside,outside) source static PRIVATE-1-SERVER PRIVATE-2-SERVER static PUBLIC-1-SERVER PUBLIC-1-SERVER service TCP-80 TCP-8081
nat (inside,outside) source static PRIVATE-1-SERVER PRIVATE-2-SERVER static PUBLIC-2-SERVER PUBLIC-2-SERVER service TCP-80 TCP-8082

I don't believe the ASA would complain about using TCP-80 service on both NAT rules, but please give it a try and see if it works.

What those rules do they would redirect the traffic destined to port 80 to port 8081 when the traffic is coming from 1.1.1.1 and they would change the port to 8082 when the traffic is coming from 2.2.2.2.

ManadarDesai2895 · ‎03-20-2024

Hi Aref,

This is my current NAT, I just wanted to know if this NAT would translate the incoming source port(tcp/5060) coming from my service provider to any dynamic source port?

nat (SBC-DMZ,OUTSIDE-TCL) source static TP-SBC-DMZ-IP TCL-SBC-NAT-IP destination static TCL-SIP-PUB-IP TCL-SIP-PUB-IP

object network TP-SBC-DMZ-IP
host 192.168.1.1

object network TCL-SBC-NAT-IP
host 192.168.2.2

object network TCL-SIP-PUB-IP
host 1.1.1.1

Aref Alsouqi · ‎03-21-2024

The above NAT config does not do anything with the ports, it just translates the TP-SBC-DMZ-IP to TCL-SBC-NAT-IP when the traffic is going to/coming from TLC-SIP-PUB-IP over the interfaces SBC-DMZ and OUTSIDE-TCL.