Policy based destination PAT

Brian I · ‎10-15-2015

Hi

It has been a couple of years since I last had my hands on the ASA firewall - but a question popped up the other day, which I could not answer..

Is it possible to do policy based destination PAT from the outside to inside interfaces - based on source IP address ?

The outside (static) IP is assigned by DHCP (only a single address is available) - and if traffic is initiated towards the outside IP from source address A towards tcp port 443, it should be redirected/PAT'ed to DMZ1 port 5630 - and for all other source IP addresses it should be redirected/PAT'ed to DMZ2 port 443.

Is this possible at all? Firmware version is 9.2 ..

Regardes

Brian

Rishabh Seth · ‎10-18-2015

Hi Brian,

You can create manual NAT rules to implement your network requirement.

Create the NAT for specific ports above the rules for broad range of ports.

object service 5630
service tcp destination eq 5630
object service 443
service tcp source eq https

nat (DMZ1,outside) source static <real-ip> <mapped-ip> service 5630 443
nat (DMZ2,outside) source static <real-ip> <mapped-ip>

Hope it helps!!!

Thanks,

R.Seth

Mark the answer as correct if it helps in resolving your query!!!

Brian I · ‎10-18-2015

Hi

This maps port 443 -> 443 and 5630 -> 5630

What I want to achieve is (if possible):

If traffic originates from IP address A and hits the outside interface on TCP port 443, it should be PAT'ed to a host in DMZ1 port 5630

For all other traffic that hits the outside interface on TCP port 443, it should be PAT'ed to a host in DMZ2 port 443 ..

Regards

/Brian

Rishabh Seth · ‎10-18-2015

Hi,

To NAT traffic for a specific source IP, you can make following changes,

nat (DMZ1,outside) source static <real-ip> <mapped-ip> service 5630 443 destination static <sourceip> source ip>
nat (DMZ2,outside) source static <real-ip> <mapped-ip>

Thanks,

R.seth