06-09-2010 03:24 AM - edited 03-11-2019 10:56 AM
Hi,
Is it possible to do NAT on the firewall for UDP ports? If there are certain servers running a service on a UDP port, will external access work if
we configure NAT for UDP access?
Thanks!
06-09-2010 04:04 AM
Yes, certainly.
example:
static (inside,outside) udp interface tftp 192.168.2.2 tftp netmask 255.255.255.255
static (inside,dmz) udp interface 165 192.168.2.2 snmp netmask 255.255.255.255
static (inside,outside) udp interface syslog 192.168.2.2 syslog netmask 255.255.255.255
-KS
06-12-2010 09:21 PM
Thanks for the reply. If I am not wrong, this would also mean putting a rule on the outside interface for the traffic to be allowed from external sources to hit these internal ones on the required UDP ports?
Also, since the query is on UDP ports, I believe sometimes we might need to allow the rule bidirectionally on the firewall for the connection to be successful.
Please correct me if I am wrong; I appreciate all your assistance!
06-14-2010 02:43 PM
If the connection is always initiated from the outside, you only need to allow the UDP port on the outside ACL. The firewall will open up the return path for
the UDP connection (same IPs and ports).
I hope it helps.
PK
06-14-2010 07:42 PM
OK, but since UDP is sort of stateless as compared to TCP, would the firewall still allow it through with the state table?
Thanks!
06-14-2010 08:03 PM
Yes.
As you mentioned, since TCP is stateful, the ASA can track the connection state and control the traffic in this way.
For UDP, since it is stateless, the ASA uses short timers to track the UDP connections.
If, within a short period, there's a reply with the same source IP, source port, destination IP and destination port as the originated connection, the ASA will allow the connection through.
Federico.
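The tracking Federico describes, as an added illustration that is not part of this thread or of any Cisco code: a toy Python model of a UDP conn table in which an outside-initiated packet permitted by the outside ACL (PK's point) creates an entry, and only the exact reverse 5-tuple is passed back, and only until a short idle timer expires. The 120-second timeout, the addresses and the ports are assumed or constructed values.

```python
from dataclasses import dataclass
UDP_IDLE_TIMEOUT = 120  # assumed ASA default "timeout udp 0:02:00", in seconds

@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def reverse(self):
        return Flow(self.dst_ip, self.dst_port, self.src_ip, self.src_port)

class UdpConnTable:
    """Toy model of stateful UDP tracking: a permitted inbound packet creates a conn
    entry; only the exact reverse 5-tuple gets back through, until the idle timer
    expires. Addresses are the post-NAT (outside-side) values."""

    def __init__(self, inbound_allowed, idle_timeout=UDP_IDLE_TIMEOUT):
        self.inbound_allowed = inbound_allowed  # {(mapped_ip, mapped_port)} per outside ACL
        self.idle_timeout = idle_timeout
        self.conns = {}  # Flow -> last-seen time

    def _expire(self, now):
        for flow, last in list(self.conns.items()):
            if now - last > self.idle_timeout:
                del self.conns[flow]  # short timer ran out: entry is dropped

    def inbound(self, flow, now):
        # Outside -> inside: forwarded if it matches a live conn or the outside ACL.
        self._expire(now)
        if flow in self.conns or (flow.dst_ip, flow.dst_port) in self.inbound_allowed:
            self.conns[flow] = now  # create or refresh the entry
            return True
        return False

    def outbound(self, flow, now):
        # Inside -> outside reply: no ACL needed, but it must reverse a live conn.
        self._expire(now)
        if flow.reverse() in self.conns:
            self.conns[flow.reverse()] = now
            return True
        return False

def demo():
    # Constructed scenario: an outside host queries the TFTP static mapped on 203.0.113.1.
    fw = UdpConnTable(inbound_allowed={("203.0.113.1", 69)})
    query = Flow("198.51.100.7", 40000, "203.0.113.1", 69)
    return (fw.inbound(query, now=0),             # True: outside ACL permits udp/69
            fw.outbound(query.reverse(), now=1),  # True: reply matches the 5-tuple
            fw.outbound(Flow("203.0.113.1", 69, "198.51.100.7", 40001), now=2),  # False: port differs
            fw.outbound(query.reverse(), now=200))  # False: idle timer expired
```

A reply from a different source port fails the match, which is why protocols like TFTP, whose server answers from a fresh ephemeral port, rely on application inspection (`inspect tftp` on the ASA) to open the secondary pinhole.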