08-13-2014 11:57 AM - edited 03-11-2019 09:37 PM
hello,
I switched to ASA 8.6 and I am still facing some differences in the creation of NAT rules. However, there is a specific case I would like to investigate, which is:
I have an IP on the inside, which is 192.168.195.5, that is accessed from a user on the outside.
I translated the inside server IP to be 10.10.195.5.
object network Inside192
 host 192.168.195.5
object network OutsideNAT10
 host 10.10.195.5
nat (inside,outside) source static Inside192 OutsideNAT10
My question is that I would like to make a kind of port translation IN ADDITION to the IP translation I made above. The user requests come to port 1010 and I want to translate the port to be 3399. So I created two services for tcp destination eq 1010 and tcp destination eq 3399
and I made
nat (outside,outside) source static OutsideNAT10 OutsideNAT10 tcp1010 tcp3399
but the user is still not able to access the server. Simply, it didn't work.
08-13-2014 12:13 PM
Hi,
Is there a specific reason why you want to configure a Static PAT (Port Forward) in addition to the Static NAT?
The Static NAT should be everything you need to reach the internal host with any port (provided you allow the traffic also, of course). Though if you specifically want to configure Static PAT (Port Forward) to change the port for the user's connection, I would configure the Static NAT and Static PAT this way:
object network STATIC-PAT
 host 192.168.195.5
 nat (inside,outside) static 10.10.195.5 service tcp 3399 1010
object network STATIC-NAT
 host 192.168.195.5
 nat (inside,outside) static 10.10.195.5
Notice that the above NAT configurations are Auto NAT type configurations while you have used Manual NAT / Twice NAT. I would personally suggest configuring Static NAT and Static PAT this way so you don't have to create multiple "object" just for a simple NAT configuration. In the above configurations the "nat" configuration is located under the "object".
I am not sure how the ASA reacts to this situation when we configure Static NAT and Static PAT with the same real and mapped IP addresses. It should typically automatically order the configurations with Auto NAT so that the Static NAT does not override the Static PAT in order. If it does, then it might even require you to name the NAT "object" so that the Static PAT object's name is alphabetically before the one of Static NAT.
Personally I would stick with using only the Static NAT unless the Port Mapping for the single port is absolutely needed.
If you want to check some information on the new NAT format then you can check the 8.3+ NAT document I wrote in 2013
https://supportforums.cisco.com/document/132066/asa-nat-83-nat-operation-and-configuration-format-cli
Hope this helps :)
- Jouni
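Added example, not part of the reply above: a way to permit and then verify the two translations suggested in that reply. On 8.3 and later, interface ACLs are written against the real (post-untranslation) address and port. The ACL name OUTSIDE-IN, the test client 203.0.113.10 with source port 12345, and port 443 as the "any other port" case are constructed for illustration.

```cisco
! Constructed ACL: on 8.3+ the ACL matches the REAL address and port,
! so the forwarded connection is permitted on 3399, not on 1010.
access-list OUTSIDE-IN extended permit tcp any host 192.168.195.5 eq 3399
! Constructed second entry for a port that should only get the IP translation.
access-list OUTSIDE-IN extended permit tcp any host 192.168.195.5 eq 443
access-group OUTSIDE-IN in interface outside

! Show the order in which the ASA has placed the two Auto NAT rules
! (STATIC-PAT and STATIC-NAT) and their hit counters.
show nat detail

! Simulate the outside user connecting to the mapped address on port 1010.
! In the UN-NAT phase, check which rule matched and that the destination
! is untranslated to 192.168.195.5 port 3399.
packet-tracer input outside tcp 203.0.113.10 12345 10.10.195.5 1010

! Simulate a connection on another port. Here the UN-NAT phase should
! show only the address changing (10.10.195.5 -> 192.168.195.5) and the
! port left as 443.
packet-tracer input outside tcp 203.0.113.10 12345 10.10.195.5 443

! After real traffic has passed, confirm the active translations.
show xlate
```

If the first packet-tracer run shows the connection matching STATIC-NAT instead of STATIC-PAT, the port stays 1010 and the ACL entry for 3399 will not match, which is the ordering concern raised in the reply.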
08-13-2014 12:29 PM
Thx Jouni,
actually my needs are the following:
1- I want static NAT for the server on the inside
2- when users are accessing the server on the inside on a specific port 1010, I want this port to be modified to 3399 while keeping the same NAT of the IP mentioned in point 1.
But keep note that when the same users access the same mentioned server on the inside, only the IP of the server inside will be natted but nothing on the port. The port is a specific case for a specific port as mentioned above.
So what you suggested is enough?