Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1072
Views
0
Helpful
2
Replies

Port redirection question

Go to solution
Federico Coto Fajardo
VIP Alumni
VIP Alumni

‎01-29-2010 09:55 AM - edited ‎03-11-2019 10:03 AM

Hi All,

I have an ASA doing port redirection as follows:

static (inside,outside) tcp 2.2.2.2 80 192.168.10.2 8080

static (inside,outside) tcp 2.2.2.2 25 192.168.10.3 2525

So, whatever traffic comes to IP 2.2.2.2 on port 80 is redirected to IP 192.168.10.2 to port 8080, and traffic coming to the same IP on port 25, is redirected to IP 192.168.10.3 on port 2525.

This works perfectly. But my problem is the following:

Traffic sourced from IPs 192.168.10.2 and 192.168.10.3 to the Internet, is not translated to 2.2.2.2, but to the IP of the outside interface of the ASA (because I'm doing PAT for outbound traffic). So, I'm having a normal behavior.

My question is just this:

I want confirmation that the static statements above apply only for inbound traffic.

And, is there a way to make the outgoing traffic NATed to the IP 2.2.2.2 for these servers?

Something like:

nat (inside) 5 192.168.10.2 255.255.255.255

nat (inside) 5 192.168.10.3 255.255.255.255

global (outside) 5 2.2.2.2

To make the NAT consistent?

Thank you!!

Federico.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Kureli Sankar
Cisco Employee
Cisco Employee

‎01-29-2010 10:06 AM

You are correct and this is your solution.

nat (inside) 5 192.168.10.2 255.255.255.255

nat (inside) 5 192.168.10.3 255.255.255.255

global (outside) 5 2.2.2.2

Now, why with just the static pat for outbound translation it doesn't get translated to 2.2.2.2

Think of this the server 192.168.10.3 going to google. Its source port for example is 33333 and the destination is 80 will it match your static?

static (inside,outside) tcp 2.2.2.2 25 192.168.10.3 2525

Absolutely not.

If you have this static 1-1

static (inside,outside) 2.2.2.2 25 192.168.10.3

Then it will work for both incoming and out going.

I hope I explained it such that you understand if perfectly.

-KS

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Kureli Sankar
Cisco Employee
Cisco Employee

‎01-29-2010 10:06 AM

You are correct and this is your solution.

nat (inside) 5 192.168.10.2 255.255.255.255

nat (inside) 5 192.168.10.3 255.255.255.255

global (outside) 5 2.2.2.2

Now, why with just the static pat for outbound translation it doesn't get translated to 2.2.2.2

Think of this the server 192.168.10.3 going to google. Its source port for example is 33333 and the destination is 80 will it match your static?

static (inside,outside) tcp 2.2.2.2 25 192.168.10.3 2525

Absolutely not.

If you have this static 1-1

static (inside,outside) 2.2.2.2 25 192.168.10.3

Then it will work for both incoming and out going.

I hope I explained it such that you understand if perfectly.

-KS

0 Helpful

Go to solution
Federico Coto Fajardo
VIP Alumni
VIP Alumni

‎01-29-2010 10:28 AM

Perfect!

Thank you.

Federico.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card