setup single port exclusion for static NAT?

scottmlew
Level 1

I have been using static NAT to map between a single server behind an ASA 5505 and a single public IP address. In other words, I've been doing this:

object network NAT_ME
 nat (inside,outside) static interface

Now I would like to start using the clientless VPN feature of the ASA, so I of course don't want that particular port forwarded to the server. Is there a way to define such an exclusion? I've tried several things, including setting up a separate NAT rule to direct that port back to the ASA's interface, without luck.

If that is not possible, what configuration would I need to move to in order to get the behavior that I want? It is important that all (non-VPN) traffic is passed exactly as it arrives at the firewall (whether it is coming from internal or external), with the exception of changing the IP address (i.e., I need static port mappings for some of my services).

5 Replies

Jennifer Halim
Cisco Employee

You are correct, you would need to configure static PAT instead of static NAT for your server.

Are there a lot of ports that you need to access from the internet for that server?

Sadly, that's what I thought.

I seem to have that setup working now. I don't have that many ports, I suppose, but this just seems like a pretty clumsy way to do it.

It appears that the ASA is preserving the source port, even when I use "dynamic" -- is that correct?

What do you mean?

Which command did you use to configure the dynamic one?

If you are configuring static PAT, then it needs to be static, instead of dynamic. I am assuming that you are talking about a different configuration?

Now I have a set of commands that looks like this (this is just a small excerpt):

object network OUTBOUND_NAT
 host 10.0.0.10
object network ISA_EXCH
 host 10.0.0.10
...
object network OUTBOUND_NAT
 nat (inside,outside) dynamic interface
object network ISA_EXCH
 nat (inside,outside) static interface service tcp https https

When I do this, even the NAT'd outbound traffic (handled by the "nat (inside,outside) dynamic interface") is having its source port preserved (which is good, it is what I want!). The Cisco docs confirm that this is the expected behavior, but many (most?) NAT solutions (at least that I've worked with) will not preserve the source port with dynamic NAT unless explicitly configured to do so.

Yes, you are right. With the new NAT, it was designed so it does preserve the source port.
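The following is an added worked example of the per-port static PAT layout the thread arrives at; it is not the original poster's configuration or Cisco documentation. It uses the ASA 8.3-and-later object NAT syntax seen above and assumes a constructed server address of 10.0.0.10 on a 10.0.0.0/24 inside network, three services (SMTP, HTTP and IMAPS on tcp/993) that need fixed port mappings, and the clientless VPN listening on the outside interface's default port 443. Because no static PAT rule claims tcp/443, that port stays with the ASA's own WebVPN listener instead of being forwarded to the server, which is the exclusion the original question asked for. The object names, ACL name and port choices are illustrative.

```text
! Added example, not from the original thread. Assumes ASA 8.3+ object NAT.
! Each network object carries at most one NAT rule, so one object per
! forwarded service, all pointing at the same (constructed) host 10.0.0.10.
object network SRV_SMTP
 host 10.0.0.10
 nat (inside,outside) static interface service tcp smtp smtp
object network SRV_HTTP
 host 10.0.0.10
 nat (inside,outside) static interface service tcp www www
object network SRV_IMAPS
 host 10.0.0.10
 nat (inside,outside) static interface service tcp 993 993
!
! Outbound traffic from the whole inside subnet is PAT'd to the outside
! interface address. Static object NAT rules are matched before dynamic ones,
! so the per-port rules above still win for inbound connections.
object network INSIDE_NET
 subnet 10.0.0.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Inbound ACL: on 8.3+ the destination is the real (inside) address, so the
! object names can be reused. Only the three forwarded ports are opened;
! tcp/443 is deliberately absent.
access-list OUTSIDE_IN extended permit tcp any object SRV_SMTP eq smtp
access-list OUTSIDE_IN extended permit tcp any object SRV_HTTP eq www
access-list OUTSIDE_IN extended permit tcp any object SRV_IMAPS eq 993
access-group OUTSIDE_IN in interface outside
!
! Clientless VPN on the outside interface. With no static PAT for tcp/443,
! the ASA itself answers on that port.
webvpn
 enable outside
```

To confirm the split after applying it, `show nat detail` lists the rules in the order the ASA evaluates them (the three static entries ahead of the dynamic one), and `show xlate` shows live translations, where a connection to the outside address on tcp/443 should produce no xlate to 10.0.0.10 while tcp/25, tcp/80 and tcp/993 do.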
