port-forwarding using manual nat (not auto-nat) not working

abcdrohan (Level 1)

Hi

I am running 8.6(1)2 on my ASA.

It's a lab environment and I am trying to figure out how to do port-forwarding using manual NAT.

For example, I tried the following, but none of them work (only one of the following was activated on the FW at a time):

nat (outside,inside) source static any any destination static h-3.3.3.3 local_ip service tcp-www tcp-8080

nat (outside,inside) source static h-3.3.3.3 6.3.3.6 service tcp-www tcp-8080

nat (inside,outside) source static local_ip h-3.3.3.3 destination static any any service 8080 80

Has any one of you been able to do port forwarding using manual NAT on post-8.2 code?

Thanks!

3 Replies

Jouni Forss (VIP Alumni)

Hi,

A very basic Static PAT / Port Forward on the new software could be something like this (though I personally use Network Object NAT for this):

object network HOST-REAL
 host 10.10.10.10
object network HOST-MAPPED
 host 1.1.1.1
object service RDP
 service tcp source eq 3389

nat (inside,outside) source static HOST-REAL HOST-MAPPED service RDP RDP

access-list OUTSIDE-IN extended permit tcp any object HOST-REAL eq 3389
access-group OUTSIDE-IN in interface outside

That should pretty much be it.

Naturally there is always a chance that some other existing NAT configuration overrides this NAT configuration, and traffic will therefore never get matched against this Static PAT configuration.

Naturally you can confirm which NAT rule is hit with the "packet-tracer" command.

For example, considering my above Static PAT configuration, I could try this:

packet-tracer input outside tcp 1.2.3.4 12345 1.1.1.1 3389

Hope this helps

Remember to mark the reply as the correct answer if it answered your question. Or ask more.

Also, I made a NAT 8.3+ document earlier here on the forums if you want to take a look, though at the moment it only gives examples of some very basic NAT setups:

https://supportforums.cisco.com/docs/DOC-31116

- Jouni

abcdrohan

I actually figured it out.

What I was doing was that I had created tcp-8080 with

service tcp source eq 8080

while the predefined tcp-www is of type

service tcp destination eq www

I had to change tcp-8080 to

service tcp destination eq 8080

and got it working using

nat (outside,inside) source static any any destination static 6.3.3.6 local_ip service tcp-8080 tcp-www

Thanks!


Jouni Forss (VIP Alumni, accepted solution)

Hi,

I would still not configure it in such a way.

I tend to avoid using the "any" keyword in the NAT configurations unless it's used to define source addresses for the default Dynamic PAT rule.

You seem to have flipped the NAT rules the other way around also.

You are using the "outside" as the source and "inside" as the destination.

- Jouni
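As an added example that is not part of the thread, here is the poster's 8080-to-80 forward written the way Jouni's first reply and his accepted answer describe: the rule is entered as (inside,outside) with the real host as the source, so the service objects carry source ports, and it is shown both as Network Object NAT (the form Jouni says he prefers) and as the equivalent twice NAT line, followed by the packet-tracer check. The addresses, object names and the outside client address are lab assumptions, not values from the thread; configure either Option A or Option B, not both.

```text
! Assumed lab addressing (not from the thread): inside web server 10.10.10.10,
! mapped/public address 203.0.113.10, outside test client 198.51.100.7.
! Goal: TCP/8080 on the mapped address forwards to TCP/80 on the real host.

! --- Option A: Network Object NAT (static PAT defined on the object itself) ---
! Syntax: nat (real_ifc,mapped_ifc) static <mapped_ip> service tcp <real_port> <mapped_port>
object network WEB-REAL
 host 10.10.10.10
 nat (inside,outside) static 203.0.113.10 service tcp 80 8080

! --- Option B: the same forward as twice (manual) NAT, written real-to-mapped ---
! In a "source static" rule the service objects must specify SOURCE ports:
! the real object's port is what the server listens on (80), the mapped
! object's port is what the outside client connects to (8080).
object network WEB-MAPPED
 host 203.0.113.10
object service TCP-80
 service tcp source eq 80
object service TCP-8080
 service tcp source eq 8080
nat (inside,outside) source static WEB-REAL WEB-MAPPED service TCP-80 TCP-8080

! Post-8.3 the interface ACL is written against the REAL address and REAL port.
access-list OUTSIDE-IN extended permit tcp any object WEB-REAL eq 80
access-group OUTSIDE-IN in interface outside

! Verification: trace an outside client hitting the mapped address and port.
! The NAT phase of the trace should show 203.0.113.10/8080 translated to
! 10.10.10.10/80 and the final result should be ALLOW. If a different
! NAT line appears in the trace, an earlier rule is shadowing this one.
packet-tracer input outside tcp 198.51.100.7 40000 203.0.113.10 8080

! Confirm the hit counter increments on the intended line, then look at the xlate.
show nat detail
show xlate
```

Note the difference from the poster's working rule: his (outside,inside) "destination static" form needed destination-port service objects, whereas this (inside,outside) "source static" form needs source-port objects, which is exactly why Jouni's RDP object uses "service tcp source eq 3389". If you keep both a twice NAT rule (section 1) and a Network Object NAT rule (section 2) for the same host, the twice NAT rule is evaluated first, so packet-tracer is the quickest way to see which one actually matched.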
