My aim is to port forward multiple ports on the same IP address:

I want ports 43215, 43216 and 49152 and going forward many other ports to 2.2.2.2 which is then forwarded to 10.0.22.52.

My original config in my first post doesn't work, however if I configure static nat for each port it does work.

object network Public    

host 2.2.2.2

object network Layton43215

host 10.0.22.52

object Layton43215

nat (DMZ,outside) static Public service tcp 43215 43215

object Layton43216

nat (DMZ,outside) static Public service tcp 43216 43216

This means that I have to create a network bject for every port, any other solutions that will be better than this?

Thanks

Hi Hadi,

Could you please try this statement:

object service Feed2

service tcp destination range 43215 43216

object network Public

host 2.2.2.2

object network Layton

host 10.0.22.52

nat (outside,inside) source static any any destination static Public Layton service Feed2 Feed2

access-list outside_access_in extended permit object Feed2 any object Layton

access-group outside_access_in in interface outside

Can you try it and let me know??

Thanks,

Varun

Thanks for your help. I haven't tried you last suggestion yet because I had to get this working. I created static auto nat and it woks like a charm.

However this means I have to create a new network object for every port and this could mean dozen of network object for the same host with different ports.

Looking at the log messages, I see that with the policy nat as in my original post. The traffic  is denied because its destination IP is the NATed address and not the real address. Where as with every other log messages it's the real address as the destination. The access list is configured to allow traffic on those ports to the real address and not the nated address. I have tested this with both and the same result. When I use packet tracer, it first UNNATs and then allows the packet.

I hope the above makes sense. There must be something that I am doing wrong.

Thanks

Hi Hadi,

All your concerns are correct and genuine. With post 8.3, there are many changes in the syntax as well as logic with NAT and ACL. Pre 8.3 you are right, you would open ports for your Natted IP in the ACL but post 8.3, the packet flow has changed a bit, whenever a packet hits the firewall, it would first hit the NAT rule and after translating the natted ip to real ip , then the ACL is hit, and thats y u open ports for the real ip. Now you would be confused what was the need for it, so I'll say, consider a situation where, you have changed the ISP and the new ISP gives you another range of ip's to be used, so before 8.3, you would have to change the ACL and NAT both, but post 8.3 you just need to change the NAT rules and you are done   So it does have adavantages.

Moreover, if you have to add multiple ports, you need not create an object each time, just create an object-group and keep adding ports if you need it for a particular host.

Let me know if you have any more questions for me.

Hope this was helpful.

Thanks,

Varun

Thanks for the calrification, I have read further and your post cleared it up, so thanks. However the original config still doesn't work and I still need to get that solution working where I have a single object with the real IP and one for translated IP, and I will add the ports as necessarry. However this doesn't work and the syslog shows that the ACL is blocking connection to the translated IP and not the real IP. This to my limited knowledge means there is something wrong with NAT. Every other ACL in the syslog shows that the ACL is checking the connection against the real IP address and not the translated.

Thanks