03-20-2024 06:49 AM
Hi Community,
We have Source NAT configured on one of our Cisco ASAs with the given details. Can I achieve static mapping of source & destination port for this? Is it feasible in Cisco ASA?
Private Original IP - 192.168.1.1
Destination IPs - 1.1.1.1 & 2.2.2.2
Traffic from 192.168.1.1 towards 1.1.1.1 & 2.2.2.2 (all services) would get source NATted to 192.168.2.2.
Is it possible to configure static mapping of source ports coming from 1.1.1.1/2.2.2.2 towards the destination port of 192.168.1.1?
03-20-2024 07:07 AM
Example:
object network REAL-SRC
 host 192.168.1.1
object network TRANSLATED-SRC
 host 192.168.2.2
object network REAL-DST-1
 host 1.1.1.1
object network REAL-DST-2
 host 2.2.2.2
nat (INSIDE,OUTSIDE) source static REAL-SRC TRANSLATED-SRC destination static REAL-DST-1 REAL-DST-1
nat (INSIDE,OUTSIDE) source static REAL-SRC TRANSLATED-SRC destination static REAL-DST-2 REAL-DST-2
Just replace the interface names (if required).
03-20-2024 11:27 PM
Hi Rob,
This is my current NAT. I just wanted to know if this NAT would translate the incoming source port (tcp/5060) coming from my service provider to any dynamic source port?
nat (SBC-DMZ,OUTSIDE-TCL) source static TP-SBC-DMZ-IP TCL-SBC-NAT-IP destination static TCL-SIP-PUB-IP TCL-SIP-PUB-IP
object network TP-SBC-DMZ-IP
 host 192.168.1.1
object network TCL-SBC-NAT-IP
 host 192.168.2.2
object network TCL-SIP-PUB-IP
 host 1.1.1.1
03-20-2024 07:07 AM - edited 03-20-2024 07:52 AM
Sure, why not.
You can include port in your NAT command.
MHM
03-20-2024 07:53 AM
I can now run a lab.
What is the:
real source IP
mapped source IP
real dest IP
mapped dest IP
real dest port
mapped dest port
MHM
03-20-2024 11:28 PM
Hi MHM,
This is my current NAT. I just wanted to know if this NAT would translate the incoming source port (tcp/5060) coming from my service provider to any dynamic source port?
nat (SBC-DMZ,OUTSIDE-TCL) source static TP-SBC-DMZ-IP TCL-SBC-NAT-IP destination static TCL-SIP-PUB-IP TCL-SIP-PUB-IP
object network TP-SBC-DMZ-IP
 host 192.168.1.1
object network TCL-SBC-NAT-IP
 host 192.168.2.2
object network TCL-SIP-PUB-IP
 host 1.1.1.1
03-21-2024 07:26 AM
For the IP, I think you get how you can NAT it static or dynamic.
For the port, in a service object you can specify whether the port is source or destination, then you can add the service objects to the NAT.
MHM
03-20-2024 08:48 AM
Why would you want to change the source ports of the traffic coming from 1.1.1.1 and 2.2.2.2? Usually we might change the destination ports of the traffic going to the public resource. For example, if you want to change the destination port to something else, you can do something similar to this:
object network PUBLIC-1-SERVER
 host 1.1.1.1
object network PUBLIC-2-SERVER
 host 2.2.2.2
object network PRIVATE-1-SERVER
 host 192.168.1.1
object network PRIVATE-2-SERVER
 host 192.168.2.2
object service TCP-80
 service tcp source eq 80
object service TCP-8081
 service tcp source eq 8081
object service TCP-8082
 service tcp source eq 8082
nat (inside,outside) source static PRIVATE-1-SERVER PRIVATE-2-SERVER destination static PUBLIC-1-SERVER PUBLIC-1-SERVER service TCP-80 TCP-8081
nat (inside,outside) source static PRIVATE-1-SERVER PRIVATE-2-SERVER destination static PUBLIC-2-SERVER PUBLIC-2-SERVER service TCP-80 TCP-8082
I don't believe the ASA would complain about using TCP-80 service on both NAT rules, but please give it a try and see if it works.
What those rules do is redirect the traffic destined to port 80 to port 8081 when the traffic is coming from 1.1.1.1, and change the port to 8082 when the traffic is coming from 2.2.2.2.
03-20-2024 11:27 PM
Hi Aref,
This is my current NAT. I just wanted to know if this NAT would translate the incoming source port (tcp/5060) coming from my service provider to any dynamic source port?
nat (SBC-DMZ,OUTSIDE-TCL) source static TP-SBC-DMZ-IP TCL-SBC-NAT-IP destination static TCL-SIP-PUB-IP TCL-SIP-PUB-IP
object network TP-SBC-DMZ-IP
 host 192.168.1.1
object network TCL-SBC-NAT-IP
 host 192.168.2.2
object network TCL-SIP-PUB-IP
 host 1.1.1.1
03-21-2024 06:47 AM
The above NAT config does not do anything with the ports; it just translates the TP-SBC-DMZ-IP to TCL-SBC-NAT-IP when the traffic is going to/coming from TCL-SIP-PUB-IP over the interfaces SBC-DMZ and OUTSIDE-TCL.
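The port handling discussed in this thread, as an added example that is not part of any post and is not ASA code: a simplified Python model of a static twice NAT rule using the thread's addresses, evaluated with and without a source-port service pair. The 5060 to 5070 mapping and all class and function names are constructed for illustration, and a packet that matches no rule is simply returned unchanged in this model.

```python
from dataclasses import dataclass, replace
from typing import Optional, Tuple

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

@dataclass(frozen=True)
class TwiceNat:
    """Toy model of: nat (real_if,mapped_if) source static REAL MAPPED
    destination static PEER PEER [service REAL_SVC MAPPED_SVC]"""
    real: str
    mapped: str
    peer: str
    # (real, mapped) source port, as in 'service tcp source eq N' objects
    svc: Optional[Tuple[int, int]] = None

    def outbound(self, p: Packet) -> Packet:
        """real_if -> mapped_if: translate the source address (and port)."""
        if (p.src, p.dst) != (self.real, self.peer):
            return p  # no match; this model leaves the packet untouched
        if self.svc is None:
            return replace(p, src=self.mapped)  # address only, port kept
        if p.sport != self.svc[0]:
            return p
        return replace(p, src=self.mapped, sport=self.svc[1])

    def inbound(self, p: Packet) -> Packet:
        """mapped_if -> real_if: un-translate the destination address (and port)."""
        if (p.src, p.dst) != (self.peer, self.mapped):
            return p
        if self.svc is None:
            return replace(p, dst=self.real)  # address only, port kept
        if p.dport != self.svc[1]:
            return p
        return replace(p, dst=self.real, dport=self.svc[0])

# Addresses are the thread's; the 5060 -> 5070 mapping is constructed.
ADDR_ONLY = TwiceNat("192.168.1.1", "192.168.2.2", "1.1.1.1")
WITH_SVC = TwiceNat("192.168.1.1", "192.168.2.2", "1.1.1.1", svc=(5060, 5070))

if __name__ == "__main__":
    sip_in = Packet("1.1.1.1", 5060, "192.168.2.2", 5060)
    print(ADDR_ONLY.inbound(sip_in))   # only the destination address changes
    print(WITH_SVC.inbound(sip_in))    # dport 5060 is not the mapped 5070: no match
    print(WITH_SVC.outbound(Packet("192.168.1.1", 5060, "1.1.1.1", 5060)))
```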