05-12-2014 01:01 AM - edited 03-11-2019 09:11 PM
Hi All,
I have a Cisco ASA 5510 and would like to set up a NAT rule for one server, but only for traffic that matches a destination with a specific IP and port. Is this possible?
The reason I ask is because I have one application that requires a connection to a VPN tunnel from a specific IP, so if I set up the outbound NAT, all traffic then matches and gets translated, but this breaks all the other applications we have in place. I just want this one application on one specific port to be translated to the IP and then sent over the VPN connection.
Any help would be greatly appreciated! If you need more information, please let me know.
05-15-2014 06:12 AM
This is the example from the Cisco doc that does what you want.
It has an example with a port range and one with a single port. For your situation you should create two "NATs" with a single port, one for 333 and one for 4444.
object-group network og-net-src
network-object 192.168.1.0 255.255.255.0
network-object 192.168.2.0 255.255.255.0
object-group network og-net-dst
network-object 209.165.201.0 255.255.255.224
object network obj-209.165.200.225
host 209.165.200.225
object service obj_tcp_range_2001_65535
service tcp destination range 2001 65535
object service obj_tcp_eq_1500
service tcp destination eq 1500
nat (inside,outside) source dynamic og-net-src obj-209.165.200.225 destination static og-net-dst og-net-dst service obj_tcp_range_2001_65535 obj_tcp_range_2001_65535
nat (inside,outside) source dynamic og-net-src obj-209.165.200.225 destination static og-net-dst og-net-dst service obj_tcp_eq_1500 obj_tcp_eq_1500
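The same pattern applied to the scenario in this thread, as an added example (not from the thread or the Cisco doc). It assumes interfaces named inside and outside, the ports TCP 333 and TCP 4444 named above, and that the site-to-site tunnel already exists; object names are chosen here.

```cisco
! Added example: twice NAT so that only 192.168.1.22 -> 111.222.111.222 on
! TCP 333 / TCP 4444 is translated to 222.33.222.33. All other traffic from
! the host keeps its real address. Interface and object names are assumed.

! Real inside host, the mapped source the remote side expects, and the remote server
object network obj-192.168.1.22
 host 192.168.1.22
object network obj-222.33.222.33
 host 222.33.222.33
object network obj-111.222.111.222
 host 111.222.111.222

! Destination-port matches. The same service object is used for real and mapped
! service in the nat line, so only the source address changes (no port translation).
object service tcp-dst-333
 service tcp destination eq 333
object service tcp-dst-4444
 service tcp destination eq 4444

! Manual (Section 1) NAT is evaluated top-down before auto NAT, so keep these two
! lines above any broader rule that would otherwise match the host first.
nat (inside,outside) source static obj-192.168.1.22 obj-222.33.222.33 destination static obj-111.222.111.222 obj-111.222.111.222 service tcp-dst-333 tcp-dst-333
nat (inside,outside) source static obj-192.168.1.22 obj-222.33.222.33 destination static obj-111.222.111.222 obj-111.222.111.222 service tcp-dst-4444 tcp-dst-4444

! Verification: the first trace should show the translation, the second (a
! non-matching port, constructed) should leave the source address untouched.
show nat detail
packet-tracer input inside tcp 192.168.1.22 40000 111.222.111.222 333
packet-tracer input inside tcp 192.168.1.22 40000 111.222.111.222 8080
```

Since NAT is applied before the crypto ACL check on 8.3 and later, the tunnel's crypto ACL must permit the translated source 222.33.222.33 to 111.222.111.222, not the real 192.168.1.22.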
05-14-2014 10:46 AM
Yes, it is possible.
What software version are you using?
The configuration changes from 8.2 and below to 8.3 and higher.
05-14-2014 11:24 AM
8.2 configuration:
access-list policy_static_PAT permit tcp host <local_host_ip> eq <port_#> host <remote_server_ip>
static (inside,outside) tcp <translated_IP> <port_#> access-list policy_static_PAT
8.3 configuration:
On 8.3 you need to do it with double NAT:
This is just an example with TCP port:
enable
config t
object service obj_service_1
 service tcp source eq <port>
object service obj_service_2
 service tcp source eq <port>
If it is going through a tunnel I guess that you are not doing NAT:
nat (inside,outside) source static any any destination static obj_translated obj_private service obj_service_1 obj_service_2
or
You can also do it for a specific network with an object network:
object network local_subnet
 subnet <network_IP> <network_subnet>
nat (inside,outside) source static local_subnet local_subnet destination static obj_translated obj_private service obj_service_1 obj_service_2
FYI: You can also translate the local subnet to something else other than its real network IP.
You can do this with PAT using the outside interface:
nat (inside,outside) source dynamic any interface destination static obj_translated obj_private service obj_service_1 obj_service_2
05-14-2014 11:04 PM
Thank you! We are running 8.4.
Basically what I am trying to achieve is this:
Internal Server (192.168.1.22) creates a session with external server (111.222.111.222) on ports TCP 333 and TCP 444. To access the external server a VPN is established, however the Internal Server must present the source IP as 222.33.222.33 to the external server.
I therefore only want NAT translation to occur on this server when using this application on ports 333 and 4444. Any other applications on that server should not go through NAT translation.
What is the best way to achieve that?
05-16-2014 10:30 AM
Hello devereauxj,
Please rate the assistance and mark the ticket as answered if possible when you feel that we have answered your questions.
05-19-2014 04:29 PM
This has appeared to resolve our issue. Thank you very much!