12-09-2013 01:09 AM
Hi,
My inside web server 192.168.1.1 port 8080 is NATed to the outside IP address 61.X.X.X port 8080.
object service real_svc8088
service tcp destination eq 8088
object service mapped_svc8088
service tcp destination eq 8088
nat (inside,outside) source static local-1-1 remote-lan4 service real_svc8080 mapped_svc8088
Should my object service use "service tcp destination eq 8088" or "service tcp source eq 8088"?
I think "service tcp destination eq 8088" is right, but it is not.
Why?
------------------------------------------------------------
Sorry, I wrote it wrong.
All ports are 8088.
nat (inside,outside) source static local-1-1 remote-lan4 service real_svc8088 mapped_svc8088
12-09-2013 01:59 AM
Hi,
Again, you mention port TCP/8080 but your configurations mention TCP/8088.
There are 2 different ways to accomplish the Static PAT (Port Forward) configuration
The more typical that I use is
object network STATIC-PAT
host 192.168.1.1
nat (inside,outside) static <mapped-ip> service tcp 8080 8080
The one you are using should look like this
object network MAPPED-IP
host <mapped-ip>
object network LOCAL-IP
host <local-ip>
object service TCP8080
service tcp source eq 8080
nat (inside,outside) source static LOCAL-IP MAPPED-IP service TCP8080 TCP8080
I already mentioned the reason to use "source" instead of "destination".
First look at the format of the actual NAT command:
nat (sourceint,destinationint) source static <real-source> <mapped-source> [destination static <mapped-destination> <real-destination>] [service <real-service> <mapped-service>]
The NAT configuration has its source parameters after the "source static" section. So if we want to modify the "source" section's REAL/MAPPED ports/services then we mention "source" in the "object service".
The "source" and "destination" in the "nat" command don't refer to the direction of the connection. I am not sure how to describe it clearly.
The main thing is not to mix up the "nat" commands "source" and "destination" with the same thing in the ACL/access-list configurations.
Your example
hostname(config-service-object)# service tcp source eq www destination eq ssh
Doesn't really mean anything by itself. It just defines the source as TCP/80 and the destination as TCP/22. It depends where you use it.
If you used it in an ACL then it would mean that the source port for that rule would be TCP/80 and the destination port would be TCP/22, which I don't see as logical for an ACL rule. It doesn't seem logical to be used in a NAT configuration either.
If you used it in a NAT configuration then it would define the "source" real or mapped service as TCP/80 and the "destination" real or mapped service as TCP/22. Whether it means real or mapped again depends on where you have used the "object service" that contains this information. I mean, whether you have used the "object service" as the mapped or the real "object" (refer to the above format of the NAT configuration).
Hope this helps
Please do remember to mark replies as the correct answer if they answered your question.
- Jouni
12-09-2013 01:14 AM
Hi,
What is the actual situation? At the start you mention only port TCP/8080, but then there is mention of TCP/8088?
Can you clarify the situation by telling us the correct real and mapped port?
For Static PAT (Port Forward) you will have to use "service tcp source eq <port>".
This is because we are configuring the "source" parameters of the "nat" command, as you can see from the "source static". And the "source" in this configuration is the actual host that we are configuring the Static PAT for. The "source" and "destination" are related only to the NAT configuration itself. It doesn't necessarily match the logic of the connection.
- Jouni
12-09-2013 01:46 AM
Hi, thank you.
What I really want is to map my inside server 192.168.1.1 port 8080 to outside 61.X.X.X port 8080,
so that outside users can access http://61.X.X.X:8080
The right config is:
object service real_svc8088
service tcp source eq 8088
object service mapped_svc8088
service tcp source eq 8088
nat (inside,outside) source static local-1-1 remote-lan4 service real_svc8080 mapped_svc8088
I do not understand why it uses source and not destination.
If I use "service tcp destination eq 8088", what does this mean?
Example:
hostname(config-service-object)# service tcp source eq www destination eq ssh
What does this mean?
12-09-2013 02:05 AM
Sorry, I wrote it wrong.
"You mention port TCP/8088 but your configurations mention TCP/8088":
all are 8088.
Thank you.
12-09-2013 02:34 AM
Hi,
If the port is actually TCP/8088 then you naturally just replace the incorrect port TCP/8080 in the above configuration with it:
object network STATIC-PAT
host 192.168.1.1
nat (inside,outside) static <mapped-ip> service tcp 8088 8088
OR
object network MAPPED-IP
host <mapped-ip>
object network LOCAL-IP
host <local-ip>
object service TCP8088
service tcp source eq 8088
nat (inside,outside) source static LOCAL-IP MAPPED-IP service TCP8088 TCP8088
And naturally you will have to allow this traffic on the "access-list" connected to your "outside" interface.
- Jouni
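The two Static PAT variants from the replies above, pulled together into one complete configuration with the outside ACL and the verification commands the thread mentions but does not show. This is an added example, not configuration posted in the thread. It assumes ASA 8.3 or later syntax, uses the mapped address 61.X.X.X and the real host 192.168.1.1 from the question, and the object and ACL names STATIC-PAT, LOCAL-IP, MAPPED-IP, TCP8088 and OUTSIDE-IN are placeholders chosen here. The client address 203.0.113.5 in the packet-tracer line is a constructed sample.

```text
! Variant 1: object NAT (auto NAT).
! Real host 192.168.1.1, mapped 61.X.X.X, TCP/8088 forwarded to TCP/8088.
object network STATIC-PAT
 host 192.168.1.1
 nat (inside,outside) static 61.X.X.X service tcp 8088 8088
!
! Variant 2: twice NAT (manual NAT). Same result. The service objects are
! applied to the "source" section of the nat command, which is why they are
! written "source eq", not "destination eq"; this has nothing to do with the
! direction of the client's connection.
object network LOCAL-IP
 host 192.168.1.1
object network MAPPED-IP
 host 61.X.X.X
object service TCP8088
 service tcp source eq 8088
nat (inside,outside) source static LOCAL-IP MAPPED-IP service TCP8088 TCP8088
!
! Use one variant or the other, not both; remove the unused one with "no ...".
!
! Interface ACL on outside. From 8.3 onward the ACL is evaluated against the
! REAL (untranslated) address, so it references 192.168.1.1, not 61.X.X.X.
! Permit only the single forwarded port; do not open "ip any any".
access-list OUTSIDE-IN extended permit tcp any host 192.168.1.1 eq 8088
access-group OUTSIDE-IN in interface outside
!
! Verification (exec mode): simulate an inbound client and inspect the xlate.
packet-tracer input outside tcp 203.0.113.5 40000 61.X.X.X 8088
show nat detail
show xlate
```

In the packet-tracer output the NAT phase should show 61.X.X.X:8088 untranslated to 192.168.1.1:8088 and the final result should be ALLOW; a drop in the ACCESS-LIST phase usually means the ACL was written against the mapped address instead of the real one. `show nat detail` lists hit counts per rule, which is the quickest way to see whether the twice NAT (section 1) or object NAT (section 2) entry is the one actually matching.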