How to ASA destination port NAT using Twice NAT.

Jae Hoon Choi
Level 1

Hello

I want to do a Destination NAT using the ASA.

# Diagram

(image: 그림1.png)

How can I NAT when accessing Telnet from client to router?

Original Packet

 Source IP Address : 172.16.100.128
 Source Port : any
 Destination IP Address : 172.16.100.135
 Destination Port : TCP 65023

NAT Packet

 Source IP Address : 172.16.100.128
 Source Port : any
 Destination IP Address : 192.168.1.11
 Destination Port : TCP 23

Is there a reason why NAT does not work when I set it as follows?

object network 192.168.1.11
 host 192.168.1.11
!
object service TCP65023
 service tcp destination eq 65023
!
object service TCP23
 service tcp destination eq telnet
!
object network 172.16.100.135
 host 172.16.100.135
!
nat (MGMT,inside) source static any any destination static interface 192.168.1.11 service TCP65023 TCP23
!
access-group MGMT_access_in in interface MGMT
access-group VPN_access_in in interface VPN
access-group inside_access_in in interface inside
!

Thanks

Accepted Solution

Your configuration looks fine, though you have not provided the actual access-list configuration. I see just the access-group.

Issue a packet-tracer to see if the flow is allowed through the ASA.

packet-tracer input MGMT tcp 172.16.100.128 12345 172.16.100.135 65023 detail

If the packet tracer shows successful / allowed do a packet capture on the inside interface to see if there is traffic to and from the router.

capture capin interface inside match ip host 172.16.100.128 host 192.168.1.11

show capture capin

If you see traffic leaving the inside interface but nothing returns, then there is either an issue with the router (perhaps missing return route or telnet being dropped), or there is an issue in the network between the ASA and the router.

--
Please remember to select a correct answer and rate helpful posts
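The rewrite that the nat statement in the question performs, and the return leg that the capture in the answer is checking for, modelled in Python as an added example (not ASA code and not from this thread). It assumes the MGMT interface address is 172.16.100.135 (which the `interface` keyword resolves to) and leaves out ACLs, routing and the xlate table.

```python
from dataclasses import dataclass, replace
from typing import Optional

# Assumption (not stated in the thread): the MGMT interface address, which
# the "interface" keyword in the nat statement resolves to.
MGMT_IF_IP = "172.16.100.135"

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

@dataclass(frozen=True)
class TwiceNatRule:
    real_ifc: str      # MGMT: interface the client packet enters
    mapped_ifc: str    # inside: interface the router sits behind
    mapped_dst: str    # "destination static <mapped> <real>": what the client targets
    real_dst: str      # the router's real address
    mapped_dport: int  # first service object: mapped destination port
    real_dport: int    # second service object: real destination port

    def forward(self, pkt: Packet, ingress: str) -> Optional[Packet]:
        """Client -> router: rewrite the destination; None if no match."""
        if ingress != self.real_ifc:
            return None
        if (pkt.dst_ip, pkt.dst_port) != (self.mapped_dst, self.mapped_dport):
            return None
        # "source static any any": the source is left untouched
        return replace(pkt, dst_ip=self.real_dst, dst_port=self.real_dport)

    def reverse(self, pkt: Packet, ingress: str) -> Optional[Packet]:
        """Router -> client: undo the rewrite on the reply's source."""
        if ingress != self.mapped_ifc:
            return None
        if (pkt.src_ip, pkt.src_port) != (self.real_dst, self.real_dport):
            return None
        return replace(pkt, src_ip=self.mapped_dst, src_port=self.mapped_dport)

RULE = TwiceNatRule("MGMT", "inside", MGMT_IF_IP, "192.168.1.11", 65023, 23)

def round_trip(client_pkt: Packet) -> Optional[Packet]:
    """Translate the client's SYN, build the router's SYN/ACK, un-NAT it; None if a leg fails."""
    out = RULE.forward(client_pkt, "MGMT")
    if out is None:
        return None
    reply = Packet(out.dst_ip, out.dst_port, out.src_ip, out.src_port)
    return RULE.reverse(reply, "inside")
```

If `round_trip` returns the reply but the real capture shows nothing coming back from 192.168.1.11, the translation is not the problem and the router or the path to it is.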


2 Replies

Thanks :)
