firewall nat

Answered Question
Jun 9th, 2010

Hi,


Is it possible to do NAT on the firewall for UDP ports? If there are certain servers running a service on a UDP port, will external access work if we configure NAT for UDP access?


Thanks!


Kureli Sankar (Cisco Employee) Wed, 06/09/2010 - 04:04

Yes, certainly.

Example:

static (inside,outside) udp interface tftp 192.168.2.2 tftp netmask 255.255.255.255

static (inside,dmz) udp interface 165 192.168.2.2 snmp netmask 255.255.255.255

static (inside,outside) udp interface syslog 192.168.2.2 syslog netmask 255.255.255.255


-KS

suthomas1 Sat, 06/12/2010 - 21:21

Thanks for the reply. If I am not wrong, this would also mean putting a rule on the outside interface for the traffic to be allowed from external sources to hit these internal ones on the required UDP ports?

Also, since the query is on UDP ports, I believe sometimes we might need to allow the rule bidirectionally on the firewall for the connection to be successful.

Please correct me if I am wrong; I appreciate all your assistance!

Panos Kampanakis (Cisco Employee) Mon, 06/14/2010 - 14:43

If the connection is always initiated from the outside, you only need to allow the UDP port on the outside ACL. The firewall will open up the return path for the UDP connection (same IPs and ports).


I hope it helps.


PK

suthomas1 Mon, 06/14/2010 - 19:42

OK, but since UDP is sort of stateless as compared to TCP, would the firewall still allow it through with the state table?


Thanks!

Correct Answer
Federico Coto F... Mon, 06/14/2010 - 20:03

Yes.

As you mentioned, since TCP is stateful, the ASA can track the connection state and control the traffic that way.

For UDP, since it is stateless, the ASA uses short timers to track the UDP connections.

If, in a short period, there is a reply with the same source IP, source port, destination IP and destination port as the originating connection, the ASA will allow the connection through.


Federico.
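To make the short-timer, exact-tuple behaviour described in this thread concrete, here is an added Python model of a stateful UDP tracker; it is not Cisco code and not part of the discussion. It assumes a 120-second idle timeout (mirroring the ASA default of `timeout udp 0:02:00`) and an outside ACL that permits only the TFTP and syslog ports published by the static statements above; the address translation itself is left out, and all addresses are constructed.

```python
UDP_IDLE_TIMEOUT = 120  # seconds; assumption mirroring the ASA default 'timeout udp 0:02:00'

# Outside ACL as (server IP, UDP port) pairs that outside hosts may initiate to.
# Mirrors the TFTP and syslog services published by the static statements in the thread.
OUTSIDE_ACL = {("192.168.2.2", 69), ("192.168.2.2", 514)}


class UdpStateTable:
    """Constructed model: tracks UDP flows by (src ip, src port, dst ip, dst port) with an idle timer."""

    def __init__(self, outside_acl, idle_timeout=UDP_IDLE_TIMEOUT):
        self.outside_acl = outside_acl
        self.idle_timeout = idle_timeout
        self.flows = {}  # flow tuple -> time the last packet of that flow was seen

    def _expire(self, now):
        for key in [k for k, seen in self.flows.items() if now - seen > self.idle_timeout]:
            del self.flows[key]

    def packet(self, src_ip, src_port, dst_ip, dst_port, inbound, now):
        """Return True if the firewall forwards the packet, False if it drops it."""
        self._expire(now)
        key = (src_ip, src_port, dst_ip, dst_port)
        reverse = (dst_ip, dst_port, src_ip, src_port)
        if reverse in self.flows:      # reply matching a tracked flow exactly
            self.flows[reverse] = now  # refresh the short UDP timer
            return True
        if key in self.flows:          # retransmission in the original direction
            self.flows[key] = now
            return True
        if inbound and (dst_ip, dst_port) not in self.outside_acl:
            return False               # unsolicited inbound UDP with no ACL permit
        self.flows[key] = now          # new flow: outbound, or inbound permitted by the ACL
        return True


def demo():
    """Walk the scenarios raised in the thread; sample addresses are constructed."""
    fw = UdpStateTable(OUTSIDE_ACL)
    return {
        # outbound DNS query, then its reply within the timer
        "dns_query": fw.packet("192.168.2.2", 5000, "198.51.100.1", 53, False, 0),
        "dns_reply": fw.packet("198.51.100.1", 53, "192.168.2.2", 5000, True, 1),
        # a reply from a different source port does not match; the same reply after expiry is dropped
        "dns_reply_wrong_port": fw.packet("198.51.100.1", 5353, "192.168.2.2", 5000, True, 2),
        "dns_reply_late": fw.packet("198.51.100.1", 53, "192.168.2.2", 5000, True, 200),
        # inbound TFTP to the published server: the ACL permits it and the return path opens
        "tftp_in": fw.packet("203.0.113.5", 40000, "192.168.2.2", 69, True, 300),
        "tftp_out": fw.packet("192.168.2.2", 69, "203.0.113.5", 40000, False, 301),
        "ntp_in": fw.packet("203.0.113.5", 40001, "192.168.2.2", 123, True, 302),  # not published
    }
```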
