01-27-2012 06:27 PM - edited 03-11-2019 03:20 PM
I am having difficulty following the logic of the port translation and am hoping someone can shed some light on it. Here is the configuration on a 5505 with 8.3:
**************************************
object network obj-10.1.1.5-06
nat (inside,outside) static interface service tcp 3389 3398
object network obj-10.1.1.5-06
host 10.1.1.5
access-list outside_access_in line 1 extended permit tcp any any eq 3389 (hitcnt=3)
access-group outside_access_in in interface outside
***************************************
So I would have thought the outside access-list should reference the 'mapped' port, but even with 3398 open I cannot remote desktop to the host. If I open 3389 then I can connect successfully. What gives?
Thanks in advance.
01-28-2012 12:24 AM
Hello,
I would be more than glad to explain you what is going on!
The thing is, since 8.3 NAT is reviewed before the ACL: the ASA receives the packet on the outside interface, checks for an existing connection, and if there is none it will un-NAT the packet and then check the ACL.
After the packet is un-NATted, what we have is the private IP addresses and the real ports, so that is why on these versions you have to point the ACL to the private IP addresses and ports.
Regards,
Julio
Rate helpful posts
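As an added illustration of the order of operations Julio describes (example configuration written for this thread, not taken from the original post or from Cisco documentation), here is the posted object NAT next to three versions of the outside ACL: the one that never matches in 8.3+, the one that works but is wider than it needs to be, and one written against the real host and real port. The object name, ports and interface names come from the thread; everything in the comments is explanation added here.

```cisco
! Added example (not from the original post): 8.3+ object NAT with the inbound ACL
! written against the REAL (un-NATted) address and port.
object network obj-10.1.1.5-06
 host 10.1.1.5
 ! Inbound on outside: a connection to <outside-if-ip>:3398 is un-NATted to
 ! 10.1.1.5:3389 BEFORE the outside_access_in ACL is evaluated.
 nat (inside,outside) static interface service tcp 3389 3398
!
! Never matches in 8.3+: by the time the ACL runs, the destination port is already
! the real port 3389, so a rule on the mapped port 3398 sees no packets.
! access-list outside_access_in extended permit tcp any any eq 3398
!
! Matches (this is what worked in the thread), but "any any" permits TCP/3389 to any
! destination rather than only to the translated host.
! access-list outside_access_in extended permit tcp any any eq 3389
!
! Real port, scoped to the single translated host by reusing the same network object.
access-list outside_access_in extended permit tcp any object obj-10.1.1.5-06 eq 3389
access-group outside_access_in in interface outside
```

To confirm which phase drops a packet, run the built-in tracer from exec mode against the mapped port, for example `packet-tracer input outside tcp 198.51.100.7 40000 <outside-if-ip> 3398` (the source address here is a constructed example and the outside interface address is a placeholder). The output lists the NAT phase, where the destination becomes 10.1.1.5:3389, before the ACCESS-LIST phase, which is exactly why the ACL must name the real port.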
01-28-2012 08:10 AM
This was not the behavior in 8.2 and previous, correct? It would be great if there was a packet-flow order of operations, including NAT, for before 8.2 and after.
01-28-2012 09:46 AM
Hello,
Correct, on 8.2 it is different.
The best thing I can provide you is this link; it will explain all the differences on 8.3.
https://supportforums.cisco.com/docs/DOC-12690
Regards,
Julio
Do rate helpful posts