09-04-2010 04:31 AM - edited 03-11-2019 11:34 AM
Is it possible to configure the ASA to forward a packet with a destination port of 80 to a destination port of 8080, without translating the original destination IP address?
09-04-2010 04:54 AM
Yes, it is possible.
Here it is for your example:
object network test
 host 1.1.1.1
 nat (inside,outside) static 1.1.1.1 service tcp 80 8080
09-04-2010 11:44 AM
I tried this and I get back this error message in the logs: ASA-5-305013
Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src Outside:94.14.239.49/11199 dst SF1-Interface:109.74.241.215/80 denied due to NAT reverse path failure
09-05-2010 06:43 PM
If your inside server is listening on 8080, then the example should be like this:
object network test
 host 1.1.1.1
 nat (inside,outside) static 1.1.1.1 service tcp 8080 80
Follow this link: https://supportforums.cisco.com/docs/DOC-9129
Regarding the syslog that you are seeing, you can refer to this link: https://supportforums.cisco.com/docs/DOC-12569
Please collect the output of the following:
Outside:94.14.239.49/11199 dst SF1-Interface:109.74.241.215/80
packet-tracer input Outside tcp 94.14.239.49 11199 109.74.241.215 80 det
packet-tracer input SF1-Interface tcp 109.74.241.215 80 94.14.239.49 11199 det
See the section towards the end where it says dropped and check the reason and the nat line that it is matching.
Post the output if you have questions.
-KS
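The step in the reply above, turning the denied flow from the 305013 message into one packet-tracer command per direction, can be scripted when there are many such log lines to check. This Python script is an added example, not part of the original posts and not Cisco code; the function name `packet_tracer_pair` is hypothetical, only tcp/udp flows are handled, and it writes the full keyword `detailed` where the post abbreviates it to `det`.

```python
import re

# Body of an ASA-5-305013 message for a TCP/UDP flow, as quoted in the thread.
FLOW_RE = re.compile(
    r"Connection for (?P<proto>tcp|udp) "
    r"src (?P<src_if>[^:\s]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"dst (?P<dst_if>[^:\s]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) "
    r"denied due to NAT reverse path failure"
)


def packet_tracer_pair(log_line):
    """Return (forward, reverse) packet-tracer commands, or None if no match."""
    m = FLOW_RE.search(log_line)
    if m is None:
        return None
    f = m.groupdict()
    # Forward flow: enters on the source interface, exactly as logged.
    forward = ("packet-tracer input {src_if} {proto} "
               "{src_ip} {src_port} {dst_ip} {dst_port} detailed").format(**f)
    # Reverse flow: enters on the destination interface with the tuple swapped,
    # so the NAT rule matched on the return path can be compared.
    reverse = ("packet-tracer input {dst_if} {proto} "
               "{dst_ip} {dst_port} {src_ip} {src_port} detailed").format(**f)
    return forward, reverse


# Log line taken from the thread above.
SAMPLE = (
    "Asymmetric NAT rules matched for forward and reverse flows; "
    "Connection for tcp src Outside:94.14.239.49/11199 "
    "dst SF1-Interface:109.74.241.215/80 denied due to NAT reverse path failure"
)

if __name__ == "__main__":
    for command in packet_tracer_pair(SAMPLE):
        print(command)
```

Compare the NAT phase of the two outputs: the 305013 drop means the forward and reverse lookups matched different NAT rules.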