12-09-2013 03:18 AM - edited 03-11-2019 08:14 PM
hello
We have a Cisco ASA in our environment running 9.1.3. We have prepared two static NAT rules for the same purpose, but one with a specific port. Just wanted an opinion on which one is the better option. I was planning to use the second option; my only worry was whether there will be extra overhead on the ASA if I use this option.
As I have 50 NAT rules, will there be a lot of impact on memory usage of the ASA if I use the second option?
1) source any, source port any, destination 4.2.2.1, translated destination 10.2.2.1, port any
2) source any, source port any, destination 4.2.2.1, translated destination 10.2.2.1, port https
thanks for help
12-09-2013 03:26 AM
Hi,
Could you clarify the situation a bit? What kind of NAT are you trying to achieve?
Have you done some configurations on the ASA already that you could share with us also? Preferably in CLI format.
If you are wondering between Static NAT and Static PAT (Port Forward) then I don't think there is much difference in their effect on the ASA performance for it to make a difference.
If you are doing translations from LAN to WAN then I would prefer Static NAT if you have enough public IP addresses available. If you are low on public IP addresses then Static PAT is usually used.
If you are doing translation between 2 local/private networks then Static NAT would probably be the best choice so you don't needlessly complicate the configurations.
But as I said, it would be good to get a description on what you are actually trying to achieve. I am not sure if I understand the above listed options.
- Jouni
12-09-2013 03:30 AM
Hello, thanks for the reply. We are just doing static NAT for incoming traffic to an internet-exposed server which is only listening on port 443.
12-09-2013 03:38 AM
Hi,
If you simply need a Static NAT for your internal server to a public NAT IP address then you can use this format
object network SERVER
host
nat (inside,outside) static
Do notice that the "object" name and the interface names used in the above configurations can be different depending on your setup.
Naturally you then have to add a rule to your ACL that is attached to your "outside" interface (or the corresponding interface if named differently) and allow the HTTPS traffic
access-list
access-list
Was this what you were after?
After you have created a Static NAT rule and allow the traffic you can test if it works with the "packet-tracer" command
packet-tracer input outside tcp 8.8.8.8 12345
Notice again that your interface "outside" might be named differently.
Hope this helps
Please do remember to mark a reply as the correct answer if it answered your question.
Feel free to ask more if needed
- Jouni
12-09-2013 04:01 AM
hello
Thanks for the detailed reply. My query was a bit different, not sure if it's a valid query or not.
What I was after: if we put https in place of ANY in "port any", what is the impact on memory of the ASA if we have 50 rules like this?
access-list
or
access-list
thanks for help
12-09-2013 04:08 AM
Hi,
The second ACL line is not valid configuration format
access-list
If you wanted to allow TCP traffic with ANY destination port then you simply leave the "eq any" out of the ACL
access-list
But I wouldn't suggest using this rule as there is no reason to allow all TCP connections to your server. Only the ones it needs hosted to the external network.
I don't think there is really a noticeable difference in the amount of resources such an ACL line/rule would consume.
Notice that the above ACL doesn't have anything to do with the actual NAT operation.
The below is the suggested Static NAT
object network SERVER
host
nat (inside,outside) static
If you wanted to instead forward a single port then you would configure Static PAT
object network SERVER
host
nat (inside,outside) static
But again NAT shouldn't really be used to limit the ports. That is what the interface ACLs are for that I mentioned above.
I don't see there being much difference in terms of resources comparing the above NAT configurations. I just prefer using Static NAT if possible as it keeps the configurations simple.
If the server was hosting services on multiple ports then you would either need a single Static NAT or Static PAT configuration for ALL the ports required.
- Jouni
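The two alternatives from the accepted answer (Static NAT with the port limited by the interface ACL, versus Static PAT for a single port), together with the packet-tracer check from the earlier reply, written out as one complete configuration. This is an added example, not configuration posted in the thread; the object names SERVER and SERVER-HTTPS, the ACL name OUTSIDE_IN and the interface names inside/outside are assumptions, and the addresses 4.2.2.1 / 10.2.2.1 are the placeholders from the original question, not real hosts. The truncated "host", "nat" and "access-list" lines in the posts above are left as they are; this block only shows what the complete syntax looks like.

```cisco
! --- Option 1: Static NAT (one-to-one). Ports are limited by the interface ACL, not by NAT ---
! Assumed names: object SERVER, interfaces inside/outside, ACL OUTSIDE_IN.
object network SERVER
 host 10.2.2.1
 nat (inside,outside) static 4.2.2.1
!
! The interface ACL does the port filtering. On ASA 8.3+ the ACL matches the REAL
! (untranslated) address, so it references the object / 10.2.2.1, not the public 4.2.2.1.
access-list OUTSIDE_IN extended permit tcp any object SERVER eq https
! To allow every TCP port instead, omit the "eq ..." part entirely ("eq any" is not valid):
! access-list OUTSIDE_IN extended permit tcp any object SERVER
access-group OUTSIDE_IN in interface outside
!
! --- Option 2 (use INSTEAD of option 1 for the same mapped IP): Static PAT, TCP/443 only ---
! One object per forwarded port; "service" takes the real port first, then the mapped port.
object network SERVER-HTTPS
 host 10.2.2.1
 nat (inside,outside) static 4.2.2.1 service tcp https https
! The OUTSIDE_IN ACL line above is still required: a NAT rule alone never permits traffic.
!
! --- Verification: constructed client 8.8.8.8:12345 connecting to the public IP on 443 ---
packet-tracer input outside tcp 8.8.8.8 12345 4.2.2.1 443
! Expect the NAT phase to untranslate 4.2.2.1 -> 10.2.2.1 and the ACCESS-LIST phase to ALLOW,
! with the final result ALLOW. A DROP in the ACCESS-LIST phase means the ACL is missing
! or still references the mapped (public) address.
show nat detail
show access-list OUTSIDE_IN
```

The packet-tracer line is the same command as in the earlier reply with the destination address and port filled in from the original question; run it once per published port, since a static PAT rule only answers for the port it forwards.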