08-04-2009 07:40 AM - edited 03-11-2019 09:02 AM
Am I correct in thinking that Port Redirection should only be used when the return traffic (from the inside server sending back out to the internet) will be sent back on the IP address it was received on? So, for instance, traffic is sent to 1.1.1.1, it is received by the firewall, and the firewall sends telnet traffic to one server and FTP to another, but when either server responds to the internet traffic they PAT to 1.1.1.1. Therefore it would not be a valid configuration to have traffic port-redirected to a server that already has a NAT on the firewall, as the traffic will be sent back out using the NAT address and could be blocked by the sender's firewall, since it will be seen to come from a different IP address than the one it was sent to?
Thanks in advance!
08-04-2009 07:57 AM
Static PAT takes precedence over NAT overloading, so your servers should respond from the same IP/port as is in the static PAT statement.
If traffic is originated from a server (e.g. general internet traffic like www), then NAT overloading applies, not static PAT.
If you have static PAT configured for FTP, for instance, incoming FTP will work just fine, and the server will respond using the static PAT address/port combination.
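An added ASA 8.2-style (pre-8.3 syntax) configuration illustrating the two translation types this answer describes; it is not from the thread, and the addresses, interface names and ACL name are assumed:

```cisco
! Added illustration, not the poster's configuration; 1.1.1.1 and 10.0.0.x are assumed values.
! One public address (1.1.1.1) fronts two inside hosts, split by destination port (static PAT).
static (inside,outside) tcp 1.1.1.1 telnet 10.0.0.101 telnet netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.1 ftp 10.0.0.102 ftp netmask 255.255.255.255
!
! Dynamic PAT (NAT overloading) for every connection the inside subnet originates itself.
nat (inside) 1 10.0.0.0 255.255.255.0
global (outside) 1 1.1.1.1
!
! Behaviour, as the answer states: a reply to an inbound FTP connection on 10.0.0.102 leaves
! as 1.1.1.1:21, because the static PAT entry is matched before the nat/global pair; a web
! session that 10.0.0.102 opens outbound is translated by nat/global to 1.1.1.1 with a
! dynamically chosen source port. Only the two listed ports are reachable from outside.
!
! Pre-8.3 ACLs reference the mapped (outside) address; inbound access must still be permitted.
access-list OUTSIDE_IN extended permit tcp any host 1.1.1.1 eq ftp
access-list OUTSIDE_IN extended permit tcp any host 1.1.1.1 eq telnet
access-group OUTSIDE_IN in interface outside
```

To confirm which translation a connection is using, `show xlate` lists the static entries alongside the dynamic PAT entries built for outbound sessions.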
08-04-2009 08:41 AM
Okay, so if a connection is port-redirected, the return traffic will also go out on that port, correct?
Therefore, hypothetically, if it returned it on the NAT'd address this would cause issues, correct?
08-04-2009 08:49 AM
Does static NAT take precedence over static PAT?
08-04-2009 06:45 PM
You can't even configure both simultaneously.
asa(config)# static (inside,outside) 1.1.1.1 10.0.0.102
asa(config)# static (inside,outside) tcp 1.1.1.2 3389 10.0.0.102 3389
ERROR: duplicate of existing static
inside:10.0.0.102 to outside:1.1.1.1 netmask 255.255.255.255