static nat with port redirection 8.3 access-list using un-nat port?

jgibb
Level 1

I am having difficulty following the logic of the port translation and hoping someone can shed some light on it. Here is the configuration on a 5505 with 8.3:

**************************************
object network obj-10.1.1.5-06
 host 10.1.1.5
object network obj-10.1.1.5-06
 nat (inside,outside) static interface service tcp 3389 3398

access-list outside_access_in line 1 extended permit tcp any any eq 3389 (hitcnt=3)
access-group outside_access_in in interface outside
***************************************

So I would have thought the outside access-list should reference the 'mapped' port, but even with 3398 open I cannot remote desktop to the host. If I open 3389 then I can connect successfully. What gives?

Thanks in advance.

3 Replies

Julio Carvajal
VIP Alumni

Hello,

I would be more than glad to explain to you what is going on!

The thing is, since 8.3 NAT is reviewed before the ACL, so the ASA receives the packet on the outside interface, checks for an existing connection, and if there is none it will un-NAT the packet and then check the ACL.

After the packet is un-NATted, what we have is the private IP addresses and the real ports, so that is why on these versions you have to point the ACL to the private IP addresses and ports.

Regards,

Julio

Rate helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

This was not the behavior in 8.2 and previous, correct? It would be great if there were a packet flow order of operations, including NAT, for before 8.2 and after.

Hello,

Correct, on 8.2 it is different.

The best thing I can provide you is this link; it will explain all the differences in 8.3.

https://supportforums.cisco.com/docs/DOC-12690

Regards,

Julio

Do rate helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
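To make the order of operations in this thread concrete, here is a small Python model of the inbound packet path on the outside interface. It is an added example written for this thread, not the poster's configuration or Cisco's code. It implements the 8.3 ordering Julio describes (un-NAT first, then the interface ACL sees the real inside address and port) alongside the 8.2-and-earlier ordering (ACL evaluated against the mapped outside address and port, then NAT). The outside interface address 203.0.113.1 and the client address 198.51.100.7 are constructed placeholders; the ASA's connection-table lookup and other checks are left out.

```python
"""Toy model of the Cisco ASA inbound packet path: NAT before or after the
interface ACL. Added example for this thread, not the poster's config or
Cisco's code. Addresses 203.0.113.1 and 198.51.100.7 are constructed.
"""
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class StaticPat:
    """One 'nat (inside,outside) static interface service tcp REAL MAPPED' rule."""
    real_ip: str
    real_port: int
    mapped_ip: str      # the outside interface address when 'interface' is used
    mapped_port: int
    proto: str = "tcp"

    def unnat(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite an inbound packet's mapped destination to the real host/port.

        Returns None when no translation applies, i.e. the packet is addressed
        to the firewall itself rather than to a published service.
        """
        if (pkt.proto, pkt.dst_ip, pkt.dst_port) == (self.proto, self.mapped_ip, self.mapped_port):
            return Packet(pkt.proto, pkt.src_ip, self.real_ip, self.real_port)
        return None


@dataclass(frozen=True)
class Ace:
    """One 'access-list NAME extended permit|deny PROTO any any eq PORT' entry."""
    action: str
    proto: str
    dst_port: int


def evaluate_acl(acl: Sequence[Ace], pkt: Packet) -> bool:
    """First-match evaluation with the ASA's implicit deny at the end."""
    for ace in acl:
        if ace.proto == pkt.proto and ace.dst_port == pkt.dst_port:
            return ace.action == "permit"
    return False


def inbound_allowed(pkt: Packet, nat: StaticPat, acl: Sequence[Ace],
                    version: Tuple[int, int]) -> bool:
    """Would a new inbound connection on the outside interface be forwarded?"""
    if version >= (8, 3):
        # 8.3 and later: un-NAT first, so the ACL sees the real (inside) port.
        real = nat.unnat(pkt)
        return real is not None and evaluate_acl(acl, real)
    # 8.2 and earlier: the ACL sees the mapped (outside) port, then NAT runs.
    return evaluate_acl(acl, pkt) and nat.unnat(pkt) is not None


# The thread's rule: inside 10.1.1.5:3389 published on the outside interface as 3398.
RDP_PAT = StaticPat("10.1.1.5", 3389, "203.0.113.1", 3398)
# A remote desktop client connecting to the published port (constructed source).
RDP_CLIENT = Packet("tcp", "198.51.100.7", "203.0.113.1", 3398)

ACL_REAL_PORT = [Ace("permit", "tcp", 3389)]    # what the poster found works on 8.3
ACL_MAPPED_PORT = [Ace("permit", "tcp", 3398)]  # what the poster expected to need


if __name__ == "__main__":
    for ver in ((8, 2), (8, 3)):
        for name, acl in (("eq 3389", ACL_REAL_PORT), ("eq 3398", ACL_MAPPED_PORT)):
            fwd = inbound_allowed(RDP_CLIENT, RDP_PAT, acl, ver)
            print(f"ASA {ver[0]}.{ver[1]} with ACL {name}: forwarded={fwd}")
```

Running it reproduces the poster's observation: under the 8.3 ordering only the `eq 3389` entry forwards a client connecting to port 3398, while under the 8.2 ordering only `eq 3398` does. The practical check when migrating a pre-8.3 configuration is therefore to review every inbound ACE that names a mapped address or port and rewrite it to the real one.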