nat translation destination port

amit bhatnagar
Level 1

hello

We have a Cisco ASA in our environment running 9.1.3. We have prepared two static NAT rules for the same purpose, but one with a specific port. I just wanted an opinion on which one is the better option. I was planning to use the second option; my only worry was whether there will be extra overhead on the ASA if I use this option.
As I have 50 NAT rules, will there be a lot of impact on the memory usage of the ASA if I use the second option?
1) source any, source port any, destination 4.2.2.1, translated destination 10.2.2.1, port any
2) source any, source port any, destination 4.2.2.1, translated destination 10.2.2.1, port https

thanks for help


5 Replies

Jouni Forss
VIP Alumni

Hi,

Could you clarify the situation a bit? What kind of NAT are you trying to achieve?

Have you done some configurations on the ASA already that you could share with us also? Preferably in CLI format.

If you are wondering between Static NAT and Static PAT (Port Forward), then I don't think there is much difference in their effect on the ASA performance for it to make a difference.

If you are doing translations from LAN to WAN then I would prefer Static NAT if you have enough public IP addresses available. If you are low on public IP addresses then Static PAT is usually used.

If you are doing translation between 2 local/private networks then Static NAT would probably be the best choice so you don't needlessly complicate the configurations.

But as I said, it would be good to get a description on what you are actually trying to achieve. I am not sure if I understand the above listed options.

- Jouni

Hello, thanks for the reply. We are just doing static NAT for incoming traffic to an Internet-exposed server which is only listening on port 443.

Hi,

If you simply need a Static NAT for your internal server to a public NAT IP address then you can use this format

object network SERVER
 host
 nat (inside,outside) static

Do notice that the "object" name and the interface names used in the above configurations can be different depending on your setup.

Naturally you then have to add a rule to the ACL that is attached to your "outside" interface (or the corresponding interface if named differently) and allow the HTTPS traffic:

access-list remark Allow HTTPS
access-list permit tcp any object SERVER eq https

Was this what you were after?

After you have created a Static NAT rule and allowed the traffic, you can test if it works with the "packet-tracer" command:

packet-tracer input outside tcp 8.8.8.8 12345 443

Notice again that your interface "outside" might be named differently.

Hope this helps

Please do remember to mark a reply as the correct answer if it answered your question.

Feel free to ask more if needed

- Jouni

Hello,

Thanks for the detailed reply. My query was a bit different; not sure if it's a valid query or not.

What I was after: if we put https in place of ANY in the port field, what is the impact on the memory of the ASA if we have 50 rules like this?

access-list permit tcp any object SERVER eq https

or

access-list permit tcp any object SERVER eq any

thanks for help

Hi,

The second ACL line is not a valid configuration format:

access-list permit tcp any object SERVER eq any

If you wanted to allow TCP traffic with ANY destination port then you simply leave the "eq any" out of the ACL:

access-list permit tcp any object SERVER

But I wouldn't suggest using this rule as there is no reason to allow all TCP connections to your server. Only the ones that it needs hosted to the external network.

I don't think there is really a noticeable difference in the amount of resources such an ACL line/rule would consume.

Notice that the above ACL doesn't have anything to do with the actual NAT operation.

Below is the suggested Static NAT:

object network SERVER
 host
 nat (inside,outside) static

If you wanted to instead forward a single port then you would configure Static PAT:

object network SERVER
 host
 nat (inside,outside) static service tcp 443 443

But again, NAT shouldn't really be used to limit the ports. That is what the interface ACLs are for, as I mentioned above.

I don't see there being much difference in terms of resources comparing the above NAT configurations. I just prefer using Static NAT if possible as it keeps the configurations simple.

If the server was hosting services on multiple ports then you would either need a single Static NAT or a Static PAT configuration for ALL the ports required.

- Jouni
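To put the two alternatives discussed in this thread side by side, here is an added configuration example (not from the original posts or from Cisco); it uses the addresses from the question (4.2.2.1 public, 10.2.2.1 internal) and assumes the interface names inside/outside and an ACL named OUTSIDE_IN. Configure only one of the two NAT options, since both map to 4.2.2.1 and would overlap.

```cisco
! Added example, not from the thread. 4.2.2.1 (mapped) and 10.2.2.1 (real) come from
! the question; the interface names and the ACL name OUTSIDE_IN are assumptions.
!
! --- Option A: one-to-one Static NAT; the port restriction is done by the interface ACL ---
object network SERVER
 host 10.2.2.1
 nat (inside,outside) static 4.2.2.1
!
! --- Option B (alternative to A, do not configure both): Static PAT for TCP/443 only ---
! Real port comes first, mapped port second. Other ports of 4.2.2.1 are not forwarded.
! Object NAT allows one nat statement per object, hence a separate object for the PAT.
object network SERVER_HTTPS
 host 10.2.2.1
 nat (inside,outside) static 4.2.2.1 service tcp 443 443
!
! --- Interface ACL: needed with either option, and this is where the port is limited ---
! On ASA 8.3 and later the interface ACL matches the real (untranslated) address,
! which is why the rule references the object rather than the public IP.
! (With option B reference SERVER_HTTPS instead; both objects resolve to 10.2.2.1.)
access-list OUTSIDE_IN remark Allow HTTPS to SERVER only
access-list OUTSIDE_IN extended permit tcp any object SERVER eq https
access-group OUTSIDE_IN in interface outside
!
! --- Verification: simulate an inbound HTTPS connection from an Internet host ---
! The output should end with "Action: allow"; repeating it with port 80 should end
! with "Action: drop" under option A (ACL) and under option B (no translation).
packet-tracer input outside tcp 8.8.8.8 12345 4.2.2.1 443
```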
