Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2015
Views
5
Helpful
3
Replies

service object "X" is not wildchar.

e.maksyukov
Level 1
Level 1

‎12-14-2015 12:49 AM - edited ‎03-12-2019 12:02 AM

Hello everyone!

I have a question. When I configuring this NAT rule (ASA 5545-X, IOS 9.2(4)):  (masked public IPv4 addresses)

nat (inside,outside) source dynamic kspd-nets_inside granit-out-nat-host destination static granit-out-nets_outside granit-out-nets_outside service tcp23 tcp23

object-group network kspd-nets_inside
 network-object 10.132.0.0 255.254.0.0
 network-object 10.143.96.0 255.255.255.240
 network-object 10.143.96.16 255.255.255.240

object network granit-out-nat-host
 host X.Y.Z.226

object-group network granit-out-nets_outside
 network-object X.Y.Z.0 255.255.255.0
 network-object X.Y.Z.0 255.255.255.0
 network-object X.Y.Z.0 255.255.255.0
 network-object X.Y.Z.0 255.255.255.0
 network-object X.Y.Z.0 255.255.255.0
 network-object X.Y.Z.0 255.255.255.0
 network-object X.Y.Z.0 255.255.255.0
 network-object X.Y.Z.0 255.255.255.0

object service tcp23
 service tcp source eq telnet

I'm getting this strange warning:

WARNING: service object "tcp23" is not wildchar.
WARNING: service object "tcp23" is not wildchar.
WARNING: service object "tcp23" is not wildchar.

Why is that? What does that mean? Google search isn't helpful.

3 people had this problem
Labels:
0 Helpful
3 Replies 3

Syed Taukir
Level 1
Level 1

‎01-29-2016 07:01 AM

Hi

Do not use port range in a object when using dynamic PAT. The source port has to be ANY. To control access using source port, then use access-group command.

This behavior has been changed after 8.6 release

HTH

Syed (TAC-FW)

0 Helpful

Jacob Zartmann
Level 1
Level 1
In response to Syed Taukir

‎10-05-2016 05:14 AM

What if you want to nat the port:

object network X.Y.Z.4
host X.Y.Z.4
object service ftp
service tcp source eq ftp
object service ftp_proxy
service tcp source eq 8021
nat (inside,outside) 1 source dynamic rfc1918 X.Y.Z.4 destination static activeftpservers activeftpservers service ftp_proxy ftp

The goal is to translate tcp/8021 to tcp/21 when contacting the activeservers on port tcp/8021 from inside.

The activeftpservers is a group containing public addresses.

Thanks

/JZ

WarrenT-CO
Level 1
Level 1

‎02-15-2023 07:35 PM

Hey, the attached Cisco document help understand the configuration.  The specific configuration is below. Make sure you use the destination keyword when creating your service object group instead of source.    

 

object service REAL_SRC_SVC

service tcp destination eq telnet 8021

 

object service MAPPED_SRC_SVC

service tcp destination eq telnet 21

ciscoasa(config)# nat (inside,outside) source dynamic MyInsNet interface destination static Server1 Server1 service REAL_SRC_SVC MAPPED_SRC_SVC

 

Preview file
309 KB
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card