726 Views, 5 Helpful, 3 Replies

inside,inside NAT on ASA matching destination port

VasileT (Level 1)

I have a situation where I need to allow access to a web server and an email server to users on the same subnet. For this I'm using inside,inside NAT as follows:

object network lan_1
 subnet 192.168.1.0 255.255.255.0
object network IP-WAN
 host 80.81.82.83
object network server-web
 host 192.168.1.10
object network mail_server
 host 192.168.1.11
.....................................
nat (inside,inside) source static lan_1 interface destination static IP-WAN server-web
nat (inside,inside) source static lan_1 interface destination static IP-WAN mail_server

 

The problem is that with this setup, only the first nat rule is applied because, at least in my understanding, the first rule catches all traffic from lan_1.

 

I think the solution would be to match the outgoing traffic considering the destination port, but I can't find any reference online.

Basically, traffic destined to port 80 and 443 to be forwarded to "server-web" and traffic destined to port 587 to be forwarded to "mail_server".

I'd very much appreciate any help or advice.


3 Replies

From my view this is incorrect; the traffic will never hit the Inside interface of the ASA and hence NAT never plays a role here. You need to make the client ask DNS for the IP of the server; DNS will send the public IP of the server; the client will send traffic as if it connects to a subnet outside its own subnet; the ASA receives the traffic, does dynamic NAT for the client and static NAT for the server <change the port>, and hence the traffic flows and is inspected by the ASA.

VasileT (Level 1), accepted solution

Thanks for your reply. What I wanted to achieve is NAT Reflection, but instead of the classic scenario with one server on the same LAN as the clients, I have multiple services running on different IPs that have to be accessible through the WAN interface.

I finally managed to achieve this as follows:

object service TCP80
 service tcp destination eq www
object service TCP443
 service tcp destination eq https
object service TCP587
 service tcp destination eq 587
…………………………………………………
nat (Inside,Inside) source dynamic lan_1 interface destination static IP-WAN server-web service TCP80 TCP80
nat (Inside,Inside) source dynamic lan_1 interface destination static IP-WAN server-web service TCP443 TCP443
nat (inside,inside) source dynamic lan_1 interface destination static IP-WAN mail_server service TCP587 TCP587
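The following is an added example, not part of the thread and not Cisco's code: a small first-match model of the twice-NAT rules from the original post and from the accepted solution. It reproduces the poster's observation (with no service object, the first rule catches every flow from lan_1, so the second rule is dead and port 587 traffic lands on server-web) and shows that the per-service rules steer each port to the intended server. Addresses, ports and object names are the ones from the thread; `NatRule`, `Flow`, `translate()`, `shadowed_rules()` and the sample flows are hypothetical names and constructed data for this model, which simplifies ASA manual NAT to "rules evaluated top-down, first match wins".

```python
"""Added example (not from the thread or from Cisco): a first-match model of the
twice-NAT rules discussed above.  Shows why the poster's first attempt sends every
flow from lan_1 to server-web, and why adding service objects fixes it.
NatRule, Flow, translate() and shadowed_rules() are hypothetical names for this
model, a simplification of ASA manual NAT (top-down evaluation, first match wins)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class NatRule:
    name: str
    src_net: str             # "object network lan_1"      (real source, CIDR)
    dst_real: str            # "IP-WAN"                    (address the client connects to)
    dst_mapped: str          # "server-web"/"mail_server"  (real server behind the NAT)
    dst_port: Optional[int]  # "service TCPxx TCPxx"; None models a rule with no service object


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def translate(flow: Flow, rules: List[NatRule]) -> Optional[Tuple[str, str]]:
    """Walk the rule list top-down and return (rule name, translated destination)
    for the first rule whose source, destination and (if set) port match.
    None means no rule matched and the flow is left untranslated."""
    for r in rules:
        if ip_address(flow.src) not in ip_network(r.src_net):
            continue
        if flow.dst != r.dst_real:
            continue
        if r.dst_port is not None and flow.dport != r.dst_port:
            continue
        return (r.name, r.dst_mapped)
    return None


def shadowed_rules(rules: List[NatRule]) -> List[str]:
    """Names of rules that can never be hit because an earlier rule already covers
    their traffic (simplified check: same or wider source, same real destination,
    and the earlier rule is port-agnostic or uses the same port)."""
    found = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            same_scope = (ip_network(later.src_net).subnet_of(ip_network(earlier.src_net))
                          and later.dst_real == earlier.dst_real)
            port_covered = earlier.dst_port is None or earlier.dst_port == later.dst_port
            if same_scope and port_covered:
                found.append(later.name)
                break
    return found


# Object values taken from the thread
LAN_1 = "192.168.1.0/24"
IP_WAN = "80.81.82.83"
SERVER_WEB = "192.168.1.10"
MAIL_SERVER = "192.168.1.11"

# The poster's first attempt: two rules with identical match criteria
ORIGINAL_RULES = [
    NatRule("nat-1 (no service object)", LAN_1, IP_WAN, SERVER_WEB, None),
    NatRule("nat-2 (no service object)", LAN_1, IP_WAN, MAIL_SERVER, None),
]

# The accepted solution: one rule per service object
FIXED_RULES = [
    NatRule("TCP80 -> server-web", LAN_1, IP_WAN, SERVER_WEB, 80),
    NatRule("TCP443 -> server-web", LAN_1, IP_WAN, SERVER_WEB, 443),
    NatRule("TCP587 -> mail_server", LAN_1, IP_WAN, MAIL_SERVER, 587),
]

# Constructed sample flows: one lan_1 client opening HTTP, HTTPS, submission and SSH
SAMPLE_FLOWS = [
    Flow("192.168.1.50", IP_WAN, 80),
    Flow("192.168.1.50", IP_WAN, 443),
    Flow("192.168.1.50", IP_WAN, 587),
    Flow("192.168.1.50", IP_WAN, 22),  # not published on IP-WAN by any rule
]


def route_all(rules: List[NatRule]) -> Dict[int, Optional[Tuple[str, str]]]:
    """Map each sample flow's destination port to the rule and server it lands on."""
    return {f.dport: translate(f, rules) for f in SAMPLE_FLOWS}


if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL_RULES), ("fixed", FIXED_RULES)):
        print(f"--- {label} rules (shadowed: {shadowed_rules(rules) or 'none'})")
        for port, hit in route_all(rules).items():
            print(f"  dport {port:>3}: {hit[0] + ' -> ' + hit[1] if hit else 'no NAT match'}")
```

Running it prints that the original rule set shadows nat-2 and sends port 587 (and unpublished port 22) to server-web, while the fixed set sends 80/443 to server-web, 587 to mail_server and leaves 22 untranslated. The shadowing check is only a model; on a real ASA the `show nat` hit counters and `packet-tracer` are the way to confirm which rule a given flow actually matches.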

You are welcome friend
