Port Redirection

networker99 · ‎08-04-2009

Am I correct in thinking that Port Redirection should only be used when the return traffic (from the inside server sending back out to the internet) will be sent back on the IP address it was recieved on. So for instance traffic is sent to 1.1.1.1 it is recieved by the firewall and sends telnet traffic to one server and FTP to another but when either server respond to the internet traffic they PAT to 1.1.1.1. Therefore it would not be valid configuration to have traffic port redirected to a server that already has a NAT on the firewall as the traffic will be sent back out using the NAT address and could be blocked by the senders firewall as it will be seen to come from a different IP address than what it was sent to?

Thanks in advance!

srue · ‎08-04-2009

static PAT takes precedence over nat overloading. so your servers should respond from the same IP/port as is in the static PAT statement.

if traffic is originated from a server (eg general internet traffic like www), then NAt overloading applies, not static PAT.

if you have static pat configured for ftp, for instance, incoming ftp will work just fine, and the server will respond using the static pat address/port combination.

http://partnerwiki.cisco.com/ViewWiki/index.php/Network_Address_Translation_%28NAT%29_order_of_operation_in_the_PIX_Firewall

networker99 · ‎08-04-2009

okay, so if a connection is port redirected the return traffic will also go out on that port correct?..

Therefore hypothetically if it returned it on the NAT'd address this would cause issues correct?

networker99 · ‎08-04-2009

does static NAT take precedence over static PAT?

srue · ‎08-04-2009

you can't even configure both simultaneously.

asa(config)# static (inside,outside) 1.1.1.1 10.0.0.102

asa(config)# static (inside,outside) tcp 1.1.1.2 3389 10.0.0.102 3389

ERROR: duplicate of existing static

inside:10.0.0.102 to outside:1.1.1.1 netmask 255.255.255.255