nat translation destination port

Answered Question
Dec 9th, 2013

hello

We have a Cisco ASA in our environment running 9.1.3. We have prepared two static NAT rules for the same purpose, but one with a specific port. I just wanted an opinion on which one is the better option. I was planning to use the second option; my only worry was whether there will be extra overhead on the ASA if I use this option.
As I have 50 NAT rules, will there be a lot of impact on the memory usage of the ASA if I use the second option?
1) source any, source port any, destination 4.2.2.1, translated destination 10.2.2.1, port any
2) source any, source port any, destination 4.2.2.1, translated destination 10.2.2.1, port https

thanks for help

Jouni Forss Mon, 12/09/2013 - 03:26

Hi,


Could you clarify the situation a bit? What kind of NAT are you trying to achieve?


Have you done some configurations on the ASA already that you could share with us also? Preferably in CLI format.


If you are wondering between Static NAT and Static PAT (Port Forward) then I don't think there is much difference in their effect on the ASA performance for it to make a difference.


If you are doing translations from LAN to WAN then I would prefer Static NAT if you have enough public IP addresses available. If you are low on public IP addresses then Static PAT is usually used.


If you are doing translation between 2 local/private networks then Static NAT would probably be the best choice so you don't needlessly complicate the configurations.


But as I said, it would be good to get a description on what you are actually trying to achieve. I am not sure if I understand the above listed options.


- Jouni

amit bhatnagar Mon, 12/09/2013 - 03:30

Hello, thanks for the reply. We are just doing static NAT for incoming traffic to an internet-exposed server which is only listening on port 443.

Jouni Forss Mon, 12/09/2013 - 03:38

Hi,


If you simply need a Static NAT for your internal server to a public NAT IP address then you can use this format


object network SERVER
 host
 nat (inside,outside) static


Do notice that the "object" name and the interface names used in the above configurations can be different depending on your setup.


Naturally you then have to add a rule to the ACL that is attached to your "outside" interface (or the corresponding interface if named differently) and allow the HTTPS traffic


access-list remark Allow HTTPS
access-list permit tcp any object SERVER eq https


Was this what you were after?


After you have created a Static NAT rule and allowed the traffic, you can test whether it works with the "packet-tracer" command


packet-tracer input outside tcp 8.8.8.8 12345 443


Notice again that your interface "outside" might be named differently.


Hope this helps


Please do remember to mark a reply as the correct answer if it answered your question.


Feel free to ask more if needed


- Jouni

amit bhatnagar Mon, 12/09/2013 - 04:01

hello

Thanks for the detailed reply. My query was a bit different; not sure if it's a valid query or not.

What I was after: if we put https in place of ANY in "port any", what is the impact on the memory of the ASA if we have 50 rules like this?


access-list permit tcp any object SERVER eq https

or

access-list permit tcp any object SERVER eq any

thanks for help

Correct Answer
Jouni Forss Mon, 12/09/2013 - 04:08

Hi,


The second ACL line is not valid configuration format


access-list permit tcp any object SERVER eq any


If you wanted to allow TCP traffic with ANY destination port then you simply leave the "eq any" out of the ACL


access-list permit tcp any object SERVER


But I wouldn't suggest using this rule as there is no reason to allow all TCP connections to your server. Only the ones it needs hosted to the external network.


I don't think there is really a noticeable difference in the amount of resources such an ACL line/rule would consume.


Notice that the above ACL doesn't have anything to do with the actual NAT operation.


The below is the suggested Static NAT


object network SERVER
 host
 nat (inside,outside) static


If you wanted to instead forward a single port then you would configure Static PAT


object network SERVER
 host
 nat (inside,outside) static service tcp 443 443


But again NAT shouldn't really be used to limit the ports. That is what the interface ACLs are for that I mentioned above.


I don't see there being much difference in terms of resources comparing the above NAT configurations. I just prefer using Static NAT if possible as it keeps the configurations simple.


If the server was hosting services on multiple ports then you would need either a single Static NAT or a Static PAT configuration for ALL the ports required.


- Jouni
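As an added example that is not part of the thread, here are the two options from the question written out as full ASA 8.3+ configuration, with the too-broad ACL beside the HTTPS-only one and a packet-tracer check for each case. The addresses come from the question; the ACL name OUTSIDE_IN, the object names and the interface names inside/outside are assumptions.

```cisco
! Added example, not from the thread. Assumes real server 10.2.2.1 mapped to
! public 4.2.2.1, interfaces "inside"/"outside" and ACL name OUTSIDE_IN.
! On ASA 8.3+ the interface ACL matches the real (untranslated) address,
! so the ACL references the object, not the public IP.

! Option 1: Static NAT (all ports translated 1:1); ports are limited by the ACL.
object network SERVER
 host 10.2.2.1
 nat (inside,outside) static 4.2.2.1

! Option 2 (alternative to option 1, configure one or the other):
! Static PAT, only TCP/443 is forwarded to the server.
object network SERVER-HTTPS
 host 10.2.2.1
 nat (inside,outside) static 4.2.2.1 service tcp https https

! Too broad (not recommended): "eq any" is not valid syntax, and leaving the
! port off permits every TCP port to the server:
!   access-list OUTSIDE_IN extended permit tcp any object SERVER

! Corrected: permit only HTTPS to the server, then bind the ACL to "outside".
access-list OUTSIDE_IN remark Allow HTTPS to SERVER
access-list OUTSIDE_IN extended permit tcp any object SERVER eq https
access-group OUTSIDE_IN in interface outside

! Checks: the first trace should end in ALLOW (NAT untranslate + ACL permit),
! the second in DROP at the ACL phase, which confirms the ACL, not the NAT
! rule, is what limits the exposed ports.
packet-tracer input outside tcp 8.8.8.8 12345 4.2.2.1 443
packet-tracer input outside tcp 8.8.8.8 12345 4.2.2.1 22
```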
