08-07-2019 12:25 PM - edited 08-07-2019 12:27 PM
Hi all
I'm on a 5506-X running 9.9. Is it possible to create a NAT rule to map a range of public ports to a shifted range of inside ports?
I've tried this:
nat (outside,dmz) source static any any destination static interface REAL-IP service MAPPED REAL
where
MAPPED:
object service MAPPED
service tcp source range 17500 17550
REAL:
object service REAL
service tcp destination range 5900 5950
and obviously an ACL:
access-list OUTSIDE-IN line extended permit tcp any REAL-IP range 5900 5950
so that a host connecting to
public-ip:17500 would be connected to internal-ip:5900
public-ip:17501 would be connected to internal-ip:5901
08-08-2019 11:36 AM
Solved by changing:
object service MAPPED
service tcp source range 17500 17550
to
object service MAPPED
service tcp destination range 17500 17550
as indeed I'm translating a range of destination ports.
Anyway, this community is very useful and helpful; so far I've managed to find a solution myself for every problem I posted!
08-09-2019 07:25 AM - edited 08-09-2019 07:28 AM
It can look like this too:
This is DNAT
object network dmz-host
host 10.0.0.1
object network Public-IP
host 100.1.0.1
object service OUTSIDE-PORTs
service tcp destination range 17500 17550
object service DMZ-PORTs
service tcp destination range 18500 18550
nat (outside,dmz) source static any any destination static Public-IP dmz-host service OUTSIDE-PORTs DMZ-PORTs
This is SNAT
object network dmz-host
host 10.0.0.1
object network Public-IP
host 100.1.0.1
object service OUTSIDE-PORTs
service tcp source range 17500 17550
object service DMZ-PORTs
service tcp source range 18500 18550
nat (dmz,outside) source static dmz-host Public-IP destination static any any service DMZ-PORTs OUTSIDE-PORTs
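To put the pieces together, here is an added worked configuration (written for this page, not taken from any of the posts above) for the original poster's case: a shifted destination port range, the matching interface ACL, and two commands to verify the translation before relying on it. The object names, the 10.0.0.1 / 100.1.0.1 addresses, the interface names and the 203.0.113.10 test source are assumed for illustration. Where the public address is the outside interface's own IP, the keyword interface can replace the PUBLIC-IP object in the destination static clause, as in the first post.

```cisco
! Added worked example, not from the original thread. Addresses, object names
! and interface names are assumed for illustration.
!
! Real DMZ host and the public address it is reached on
object network DMZ-HOST
 host 10.0.0.1
object network PUBLIC-IP
 host 100.1.0.1
!
! Port ranges. Because the DESTINATION port is being shifted, both service
! objects use "destination" (the mistake in the first post was "source").
! Both ranges must contain the same number of ports (51 each here).
object service PUB-PORTS
 service tcp destination range 17500 17550
object service DMZ-PORTS
 service tcp destination range 5900 5950
!
! Twice NAT seen from the outside interface: anyone -> PUBLIC-IP:17500-17550
! is delivered to DMZ-HOST:5900-5950 port-by-port (17500->5900, 17501->5901, ...).
! Operand order is mapped-destination object first, then real-destination object.
nat (outside,dmz) source static any any destination static PUBLIC-IP DMZ-HOST service PUB-PORTS DMZ-PORTS
!
! Since ASA 8.3 interface ACLs match the REAL (post-untranslate) address and
! port, so permit the DMZ host's real ports, not the public ones.
access-list OUTSIDE-IN extended permit tcp any object DMZ-HOST range 5900 5950
access-group OUTSIDE-IN in interface outside
!
! Verification: show the installed rule, then trace a synthetic SYN to the
! second public port and confirm it untranslates to 10.0.0.1/5901 and is
! permitted by OUTSIDE-IN.
show nat detail
packet-tracer input outside tcp 203.0.113.10 40000 100.1.0.1 17501 detailed
```

In the packet-tracer output the UN-NAT phase should report the destination as 10.0.0.1/5901 and the ACCESS-LIST phase should show OUTSIDE-IN permitting it; if the ACL phase drops the flow, the usual cause is an ACL written against the public address or the public port range rather than the real ones. The same pattern covers the SNAT form in the last post by swapping the interface pair and using source ranges in the service objects.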