939 Views, 0 Helpful, 5 Replies

Configuring inbound NAT for an IP protocol

ROBERTO GIANA
Level 4

Hi

How do we configure an inbound NAT for IP protocol 41 from the outside interface to a DMZ host within ASA v9.1? Because of the sparse IPs, a 1:1 translation is not an option.

ASA v9.1 refuses to configure a service translation when it's neither TCP nor UDP.

Greetings

Roberto

5 Replies

Julio Carvajal
VIP Alumni

Hello Roberto,

Looks like you are performing a service or port redirection (that will not work, as the only protocols that have services are TCP/UDP).

You will need to do a one-to-one mapping, IP-to-IP, to make this happen, not using services.

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio

C'mon! Every $50 SOHO gear can do that. My $4000 ASA doesn't?

Regards

Hello Roberto,

I think we are talking about different things.

I mean, how are you going to do port-forwarding for a protocol that does not have any ports...

Do you follow me? It's not an ASA restriction, it's just that PAT requires ports.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio

I'm completely with you. I don't want to do a "port" translation. All I want is all incoming IP protocol X traffic to be NATed and forwarded to internal IP X, and IP protocol Y traffic to be NATed and forwarded to internal IP Y. All on one public IP on the outside interface. Basically the same as the PPTP inspection already does for the GRE tunnel data (IP proto 47) or the IPsec inspection for the ESP data (IP proto 50). But instead of doing it dynamically based on the PPTP or IKE data, I want to configure it manually for any given IP protocol number.

Regards

Hello Roberto,

Yeah man, sorry to inform you that it's just not possible...

You cannot do that; all you can do is a one-to-one mapping or at least the TCP/UDP port-forwarding. As your protocol does not have any port, option one is the only option.

The only thing that I have seen like this is the PPTP inspection starting on 8.3, and you will need to enable the inspection for the protocol so you can dynamically allocate the GRE traffic. This without the need for an IP protocol, but for what you are looking for there is config,

Sorry!

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
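As an added illustration of the one-to-one mapping Julio describes (not configuration from the thread), the ASA 8.3+ object NAT below maps one public address to one DMZ host and then uses the inbound ACL, rather than the NAT rule, to limit what is allowed through. Because a static 1:1 translation is not protocol-specific, the ACL is the only place that narrows exposure to IP protocol 41; without it, any protocol reaching the public address is forwarded to the DMZ host. All addresses, object names and ACL names here are constructed placeholders (RFC 5737 documentation ranges), and the interface names are assumed.

```cisco
! Added example, not from the original post: static 1:1 NAT for a DMZ host
! Placeholder addresses (RFC 5737) and assumed interface names "outside" / "dmz"
object network DMZ-6TO4-HOST
 host 192.0.2.41
 ! one public IP consumed per internal host; this is why 1:1 does not scale with sparse IPs
 nat (dmz,outside) static 203.0.113.41

! The static rule itself admits nothing on its own; the inbound ACL decides what is permitted.
! Permit only IP protocol 41 (6in4/6to4 encapsulation) to the real (un-NATed) address,
! which is how post-8.3 ACLs reference hosts behind NAT.
access-list OUTSIDE-IN extended permit 41 any object DMZ-6TO4-HOST
! Everything else destined to the public address is dropped by the implicit deny.
access-group OUTSIDE-IN in interface outside
```

Verify the translation with `show nat` and, after traffic flows, `show xlate`; the xlate entry shows the mapping without a protocol or port column, which is the visible sign that nothing finer than IP-to-IP is being tracked for this host.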