Source PAT translation

Unanswered Question
Sep 14th, 2010

Hi there


I'm using a Cisco ASA 5510 and have a conneciton that needs to establish from the inside to the outside of the network.  The issue is the destination for the traffic requires a static source port for the traffic due to their company security policy.  Our appluication sourcing the traffic uses a random port when generating the traffic starting from 1024 to 65535.


I have prevously configured a linux box to to such a task where it changes the source port to the required value.  I am wondering if anyone has a confiugration example on how I could do this in an ASA usign either 8.2 or 8.3 ASA software.


the flow is below



                               INSIDE                                                        OUTSIDE


192.168.136.16  (random source port) ------->   ASA 5510  ---------> DEST IP (1.1.1.1) TCP port 2365




I need the source port to be 4000 as it leaves the outside interface of the ASA.  The outisde interface of the FW (10.1.4.190) is used when NATing the address I could however change this to a specific global address.


Any help would be appreciated.




Cheers
Donald Johson

Network Engineer

Airways NZ Ltd

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
praprama Tue, 09/14/2010 - 17:25

Hey Donald,


You can try using a Static policy PAT as below:


access-list POLICY permit tcp host 192.168.136.16 host 1.1.1.1 eq 2365

static (inside,outside) tcp interface 4000 access-list POLICY


I have a feeling that this command may not be accepted because in the access-list we do not have a "source port" parameter defined but give it a try anyways. Let me know how it goes!!


If it doesn't accept it, try using the below ACL instead:


access-list POLICY permit tcp host 192.168.136.16 gt 1023 host 1.1.1.1 eq  2365


Thanks and Regards,

Prapanch

don-robbery Tue, 09/14/2010 - 17:38

Thanks Prapanch


Yeah I had a go at that type of configuration in 8.2 a couple of days ago and neither is accepted.  The issue is the POLICY ACL needs to define a local port and for the second option the ASA can't deal with port ranges which is a real bummer.


I downloaded ASA software version 8.3 this morning as it can handle object groups with the new way NAT is handled however I have been unable to devise a solution due to my inexpereince with this version.


I've tried the following;


object service AFTN-Dst
   service tcp destination eq 4000

!

object service AFTN-Source-Ports
   service tcp source range 1023 65535

!

object network DEV-AMS
  host 192.168.136.16

!

nat (inside,outside) source dynamic AFTN_CLIENTS interface service AFTN-Dst AFTN-Source-Ports


Using packet tracer the source port continue to remain the same;


packet-tracer input AMSa tcp 192.168.136.16 1259 1.1.1.1 2365


<166>:Sep 14 16:48:09 UTC: %ASA-session-6-302013: Built outbound TCP connection 29 for DMZ:1.1.1.1/2365 (1.1.1.1/2365) to AMSa:192.168.136.16/1259 (192.168.136.16/1259)
<166>:Sep 14 16:48:09 UTC: %ASA-session-6-302014: Teardown TCP connection 29 for DMZ:1.1.1.1/2365 to AMSa:192.168.136.16/1259 duration 0:00:00 bytes 0 Free the flow created as result of packet injection


This configuration is completely new to me and I've not used 8.3 before today so its most likely wrong  .  Any ideas?

Actions

This Discussion