8.3 Nat

Unanswered Question
Sep 4th, 2010

Is it possible to configure the ASA to forward a packet with a destination port of 80 to a destination port of 8080, without translating the original destination IP address?

Jennifer Halim Sat, 09/04/2010 - 04:54

Yes, it is possible.

Here it is for your example:

object network test
   nat (inside,outside) static service tcp 80 8080

s.nicholls Sat, 09/04/2010 - 11:44

I tried this and I get back this error message in the logs ASA-5-305013
Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src Outside: dst SF1-Interface: denied due to NAT reverse path failure

Kureli Sankar Sun, 09/05/2010 - 18:43

If your inside server is listening on 8080, then the example should be like this.

object network test
   nat (inside,outside) static service tcp 8080 80

Follow this link: https://supportforums.cisco.com/docs/DOC-9129

Regarding the syslog that you are seeing, you can refer to this link: https://supportforums.cisco.com/docs/DOC-12569

Please collect the output of the following:

Outside: dst SF1-Interface:

  packet-tracer input Outside tcp 11199 80 det

  packet-tracer input SF1-Interface tcp 80 11199  det

See the section towards the end where it says dropped and check the reason and the nat line that it is matching.

Post the output if you have questions.
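
Added example (not part of any post in this thread, and not Cisco code): a small Python check of the argument order the last reply points out, where `service tcp` takes the real (inside server) port first and the mapped port second. The object names test_first and test_second, the listening-port table and the optional mapped-address handling are assumptions made for the illustration.

```python
import re

# Assumed object NAT form (ASA 8.3+); the mapped address is optional here only
# because the snippets in the thread omit it:
#   nat (real_ifc,mapped_ifc) static [mapped] service {tcp|udp} real_port mapped_port
NAT_RE = re.compile(
    r"nat\s+\((?P<real_if>[^,\s]+),(?P<mapped_if>[^)\s]+)\)\s+static\s+"
    r"(?:(?P<mapped>\S+)\s+)?service\s+(?P<proto>tcp|udp)\s+"
    r"(?P<real_port>\S+)\s+(?P<mapped_port>\S+)$"
)
PORT_NAMES = {"www": 80, "https": 443}  # names the ASA prints instead of numbers

def port(token):
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)

def parse_object_nat(config):
    """Return one dict per 'static ... service' line, tagged with its object."""
    rules, current = [], None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("object network "):
            current = line.split()[2]
        elif current and (m := NAT_RE.match(line)):
            rules.append({"object": current, "proto": m["proto"],
                          "real_if": m["real_if"], "mapped_if": m["mapped_if"],
                          "real_port": port(m["real_port"]),
                          "mapped_port": port(m["mapped_port"])})
    return rules

def check_ports(rules, listening):
    """Compare each rule's real_port with the port the inside server listens on."""
    findings = {}
    for r in rules:
        want = listening[r["object"]]
        if want == r["real_port"]:
            findings[r["object"]] = "ok"
        elif want == r["mapped_port"]:
            findings[r["object"]] = "swapped"  # real and mapped ports reversed
        else:
            findings[r["object"]] = "mismatch"
    return findings

# Constructed sample: the two rules from the thread, objects renamed to tell them apart.
SAMPLE = """\
object network test_first
   nat (inside,outside) static service tcp 80 8080
object network test_second
   nat (inside,outside) static service tcp 8080 80
"""
LISTENING = {"test_first": 8080, "test_second": 8080}  # assumed: server on 8080

if __name__ == "__main__":
    print(check_ports(parse_object_nat(SAMPLE), LISTENING))
```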


