Re: twice nat to map to forward a traffic from outside to inside changing service ports

Dark345 · ‎08-07-2019

Hi all

I'm on a 5506-X 9.9, is it possible to create a nat rule to map a range of public ports to a shifted range of inside ports.

I've tried this:

nat (outside,dmz) source static any any destination static interface REAL-IP service MAPPED REAL

where

MAPPED:

object service MAPPED
service tcp source range 17500 17550

REAL:

object service REAL
service tcp destination range 5900 5950

and obv an ACL

access-list OUTSIDE-IN line extended permit tcp any REAL-IP range 5900 5950

so that an host connecting to

public-ip:17500 it would connect to internal-ip:5900

public-ip:17501 it would connect to internal-ip:5901

Dark345 · ‎08-08-2019

solved by changing:

object service MAPPED
service tcp source range 17500 17550

to

object service MAPPED
service tcp destination range 17500 17550

as indeed I'm translating a range of destination ports..

Anyway this community is very useful and helpful, so far I've managed to find a solution myself for every problem I posted!

steven_dolan7 · ‎08-09-2019

It can look like this too :

This is DNAT

object network dmz-host
  host 10.0.0.1 
object network Public-IP
  host 100.1.0.1 
object service OUTSIDE-PORTs
  service tcp destination range 17500 17550
object service DMZ-PORTs
  service tcp destination range 18500 18550

nat (outside,dmz) source static any any destination static Public-IP dmz-host service OUTSIDE-PORTs DMZ-PORTs

This is SNAT

object network dmz-host
  host 10.0.0.1 
object network Public-IP
  host 100.1.0.1 
object service OUTSIDE-PORTs
  service tcp source range 17500 17550
object service DMZ-PORTs
  service tcp source range 18500 18550

nat (dmz,outside) source static dmz-host Public-IP service destination static any any  DMZ-PORTs OUTSIDE-PORTs

Reference:

https://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/firewall/asa_91_firewall_config/nat_rules.html