03-07-2016 05:26 AM - edited 03-12-2019 12:26 AM
I have a very simple port translation setup problem that I'm dealing with on an ASA 5510 using the ASDM. I just want to set up a translation for a port on a public IP address to translate to a private IP and port. The one wrinkle is that I want only traffic on this particular port to translate to this particular private IP/port. All other traffic to that public IP address, I want to translate to a different IP address. So:
Traffic pointed to: [Public IP Address] (no port) -> go to Private IP address "A"
Traffic pointed to [Public IP Address] (port 3001) -> go to Private IP address "B" (port 3001)
I used to do this all the time on a Watchguard Firewall with no issues. I'm sure it's possible on the ASA but it is completely confusing me. I already followed the Port Redirection (Forwarding) with Static directions in this link:
To create a new rule. When I run the CLI Analyzer, I get this error:
03-07-2016 05:49 AM
Hi,
You need to allow an access-list on the outside interface for the ports and the private IP.
You need to configure the following NAT on the ASA:
object service obj-tcp-eq-3001
service
object service obj-tcp-3001
service
object network obj_privateaddA
host x.x.x.x
nat (inside,outside) static PUBLIC IP
object network obj-privaddB
host x.x.x.x
nat (inside,outside) static <public ip service> tcp obj-tcp-3001 obj-tcp-eq-3001
You would find this link useful: (Check Regular Static PAT section)
https://supportforums.cisco.com/document/33921/asa-pre-83-83-nat-configuration-examples
Let me know if it works.
Regards,
Aditya
Please rate helpful posts.
03-07-2016 06:16 AM
I wonder if it's the order of my rules on the access list? The rule to allow any traffic on the public IP address comes first. It looks like, on my trace, traffic pointed to port 3001 is all going to the Private IP address A rather than B.
Also, when you wrote <public ip service>, is that something I am supposed to enter verbatim or is that a placeholder for something? I am getting an error on that command.
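The ordering question above can be checked with a small model of how the ASA picks an inbound NAT rule. This is an added example, not code from the thread or from Cisco: it assumes first-match evaluation of the untranslate (outside-to-inside) lookup, and it models object NAT (section 2) ordering on the documented sort of static rules by lowest real IP address first, which ignores the service. With that ordering, a whole-address static for the same public IP can be evaluated before the port-specific rule, which is exactly the symptom in the trace (port 3001 landing on host A). The addresses below are constructed RFC 5737/1918 placeholders standing in for the x.x.x.x values in the thread.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional

@dataclass(frozen=True)
class NatRule:
    name: str                       # object name, as in the thread
    real_ip: str                    # private host behind the ASA
    mapped_ip: str                  # public IP on the outside interface
    proto: Optional[str] = None     # None = whole address (static NAT, all ports)
    mapped_port: Optional[int] = None
    real_port: Optional[int] = None

    def matches_inbound(self, proto: str, dst_ip: str, dst_port: int) -> bool:
        """Does an outside->inside packet to dst_ip:dst_port hit this rule's mapped side?"""
        if dst_ip != self.mapped_ip:
            return False
        if self.mapped_port is None:
            return True  # static NAT covers every port of the mapped address
        return proto == self.proto and dst_port == self.mapped_port

def untranslate(rules, proto, dst_ip, dst_port):
    """Assumption: first matching rule wins; returns (object, real IP, real port)."""
    for r in rules:
        if r.matches_inbound(proto, dst_ip, dst_port):
            real_port = r.real_port if r.real_port is not None else dst_port
            return (r.name, r.real_ip, real_port)
    return None

def object_nat_order(rules):
    """Modelled object NAT (section 2) order: static one-to-one rules sorted by
    lowest real IP, then object name. The service plays no part in the sort."""
    return sorted(rules, key=lambda r: (ip_address(r.real_ip), r.name))

# Constructed sample values (placeholders for the thread's public IP and x.x.x.x hosts)
PUBLIC = "203.0.113.10"
HOST_A = NatRule("obj_privateaddA", "192.168.1.5", PUBLIC)                    # whole address
HOST_B = NatRule("obj-privaddB", "192.168.1.20", PUBLIC, "tcp", 3001, 3001)   # port 3001 only

def demo():
    auto = object_nat_order([HOST_B, HOST_A])   # order the ASA would impose on object NAT
    manual = [HOST_B, HOST_A]                   # order the admin controls (manual/twice NAT)
    return {
        "object_nat": untranslate(auto, "tcp", PUBLIC, 3001),   # lands on host A
        "manual_nat": untranslate(manual, "tcp", PUBLIC, 3001), # lands on host B
        "other_port": untranslate(manual, "tcp", PUBLIC, 443),  # still host A
    }
```

Running `demo()` shows that the port-specific rule only wins when it is evaluated before the whole-address static for the same public IP, so the real fix is controlling rule order rather than the service object syntax alone.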
03-07-2016 08:21 AM
Hi,
My bad.
The correct syntax is:
object network obj-privaddB
host x.x.x.x
nat (inside,outside) static <public ip> service tcp obj-tcp-3001 obj-tcp-eq-3001
Did you try creating the service objects before creating this?
object service obj-tcp-eq-3001
service tcp destination eq 3001
object service obj-tcp-3001
service tcp source eq 3001
Since you are using a different private IP it should go to the correct NAT statement.
Let me know if it helps.
Regards,
Aditya
03-07-2016 07:19 AM
Just FYI, I am getting an invalid input detected on this line:
nat (inside,outside) static <public ip> tcp obj-tcp-3001 obj-tcp-eq-3001
It fails when it gets to "tcp".
I tried changing it to
nat (inside,outside) static <public ip> service tcp obj-tcp-3001 obj-tcp-eq-3001
but now I get an error when it gets to "obj-tcp-3001"