HOW TO DO ASA Two NATs (one with Port redirection and other without to same source and destination IPs

Hi,

I tried to configure two object NATs as below:

Source Y (Internet) to destination Z (DMZ), translate port 443 into 9443 - I need this for a specific solution that only answers requests from the Internet on this port

Source Y (Internet) to destination Z (DMZ), any any - I need the NAT without port translation as well

When I apply the configuration it does not do the port translation, because the traffic always goes through the NAT without it.

How can I have NAT configured where one of the NATs does port translation and the other does NOT, for the same IP address???

Regards

Pedro

5 Replies

Philip D'Ath
VIP Alumni

That configuration makes no sense, and I would not expect it to work. Basically you are asking it to both NAT 443 to 9443 and 443 to 443.

You need to look for a different way to resolve your issue.

Hello Philip

Thanks, but that is not the case; it goes like this:

I need a NAT from 200.X.X.X to 10.0.0.X any any to cover the access list below:

Source port any >= 1024 TCP, destination 10.0.0.X on 2776, 1720, 15000-19999, 5060

Source port any >= 1024 UDP, destination 10.0.0.X on 36000, 36001, 36002-59999

I also need a NAT from 200.X.X.X to 10.0.0.X with port translation 443 to 9443 TCP for the ACL:

Source port any TCP, destination 10.0.0.X on 9443

How can I get both NATs to work together?

We'll have to agree to disagree. It still looks pretty clearly to me like you are asking the ASA with your configuration to try and NAT the same port to two different ports, and as such I believe it will never work.

I think you need to pursue a new design.

Perhaps someone else might be able to help.

Not saying you are totally wrong, because the two NATs as above will do exactly that. Perfectly aware of it.

My question is exactly how to avoid it - do you understand?

I need the two NATs - the 1st one because I need to NAT without port translation for the access required by the related ACL, and the 2nd one because I need port translation for that specific port, since my APP is listening on 9443.

Now, do you know how to accomplish this????

I think you need two completely separate NATs.

You could add a second internal IP address to the server, and use that with port 9443, and then NAT a different and separate public IP address to that private IP.

Then you would just leave the existing 1:1 NAT in place.

Or change the application so it doesn't need a port translation ...
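Philip's suggested design, written out as an added example configuration (not posted in the thread): the server gets a second internal IP, each internal IP gets its own public IP, and only the second one carries the 443-to-9443 port translation. All addresses are constructed placeholders, the interface names `dmz` and `outside` are assumed, and the syntax is ASA 8.3+, where ACLs reference the real (untranslated) IP and port.

```cisco
! Added example, not from the thread. Placeholder addresses:
!   10.0.0.10 / 200.0.0.10  server primary IP and its public IP
!   10.0.0.11 / 200.0.0.11  server secondary IP and its public IP
!
! Address 1: plain 1:1 static NAT, no port translation.
object network DMZ-SRV-1
 host 10.0.0.10
 nat (dmz,outside) static 200.0.0.10
!
! Address 2: Internet clients connect to 443, server listens on 9443.
! Argument order is: service tcp <real_port> <mapped_port>.
object network DMZ-SRV-2-HTTPS
 host 10.0.0.11
 nat (dmz,outside) static 200.0.0.11 service tcp 9443 443
!
! Ports from the original post, grouped so the ACL stays readable.
! UDP 36000, 36001, 36002-59999 collapse to one contiguous range.
object-group service SRV-1-TCP tcp
 port-object eq 2776
 port-object eq 1720
 port-object range 15000 19999
 port-object eq 5060
object-group service SRV-1-UDP udp
 port-object range 36000 59999
!
! Inbound policy on the outside interface, written against real IPs.
access-list OUTSIDE-IN extended permit tcp any range 1024 65535 object DMZ-SRV-1 object-group SRV-1-TCP
access-list OUTSIDE-IN extended permit udp any range 1024 65535 object DMZ-SRV-1 object-group SRV-1-UDP
access-list OUTSIDE-IN extended permit tcp any object DMZ-SRV-2-HTTPS eq 9443
access-group OUTSIDE-IN in interface outside
!
! Check the resulting translation and the ACL hit before going live:
!   show nat detail
!   packet-tracer input outside tcp 203.0.113.5 40000 200.0.0.11 443
```

Because the two static rules now translate different real addresses, neither can shadow the other, and `packet-tracer` should show the 443 flow landing on 10.0.0.11 port 9443 while everything destined to 200.0.0.10 keeps its original port.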
