Cisco Support Forums is in Read Only mode while the site is being migrated.

port redirection using the same public ip

Answered Question
Dec 16th, 2013

Hi,

Can you do a static NAT using the same public IP so that it goes to different internal IPs on different port numbers? Something like a port redirection. For example, the public IP 100.100.100.100/443 goes to 10.10.10.1/443 AND 100.100.100.100/8443 goes to 10.10.10.2/443.

Overall Rating: 5 (1 ratings)
Jouni Forss Mon, 12/16/2013 - 09:56
User Badges:
  • Super Bronze, 10000 points or more

Hi,


Yes, that is possible. Do notice that the port TCP/443, for example, on an ASA is typically used for both ASDM and SSL VPN on the external interface. So it might be worth not using it at all as a public/mapped port, if at all possible.


Depending on your software level, the NAT configuration for the Static PAT (Port Forward) might be different.


Software level 8.2 (and below)


static (inside,outside) tcp interface netmask 255.255.255.255


Software level 8.3 (and above)


object network STATIC-PAT-TCPxxx

host

nat (inside,outside) static interface service


The above examples use the "outside" interface IP address as the NAT IP, as we use the "interface" parameter. This would have to be replaced with the actual NAT IP address if you are using some IP address other than the one configured on your actual interface.


Hope this helps


- Jouni

sandevsingh Mon, 12/16/2013 - 10:59

Thanks Jouni,

I am on 8.4. If I use the same public IP (which is NOT the external interface IP on the ASA) it gives me a warning, although it took the config:


WARNING: mapped-address 100.100.100.100/443 ovelap with existing static NAT.

Jouni Forss Mon, 12/16/2013 - 11:04
User Badges:
  • Super Bronze, 10000 points or more

Hi,


It would seem that you have already configured a Static NAT using the same public IP address.


A Static NAT would pair a local IP to a public/mapped IP. When talking about TCP/UDP it would essentially map each public port to the same local port on the local IP address.


So it would seem to me that you would better use some other public IP address.


Even though the ASA accepted the Static PAT (Port Forward) configuration it might be that the Static NAT overrides the Static PAT function so that it is never used. This depends on the way the Static NAT is configured and can only be told by looking at the configurations and/or perhaps using the "packet-tracer" command to test the configuration.


Do you have an extra public IP address that you could use as the Static PAT public IP address for all the translations you are attempting to do?


- Jouni

sandevsingh Mon, 12/16/2013 - 11:24

Hi Jouni,

Yes, I have used the same public IP for a different static NAT. Here is my config:


object network websrv1

nat (to-nexus,Outside) static 100.100.100.100 service tcp https https

object network websrv2

nat (to-nexus,Outside) static 100.100.100.100 service tcp 8443 https


I believe that although it has taken the config, the order counts. Under "show nat", entry no. 1 is what is taking preference, and there are no hits on entry 2.


Auto NAT Policies (Section 2)

1 (to-nexus) to (Outside) source static websrv1 100.100.100.100   service tcp https https

    translate_hits = 1, untranslate_hits = 11187

2 (to-nexus) to (Outside) source static websrv2 100.100.100.100   service tcp 8443 https

    translate_hits = 0, untranslate_hits = 0


Any thoughts?

Correct Answer
Jouni Forss Mon, 12/16/2013 - 11:41
User Badges:
  • Super Bronze, 10000 points or more

Hi,


Yes, since we are doing Auto NAT / Network Object NAT (the ones configured under "object" configurations) that means the ASA will order the NAT rules based on predefined rules.


I think in your case it comes down perhaps to the last determining factor, which is the "object" name (alphabetical order). They are otherwise the same, but one ends with "1" and the other with "2". This is why the "websrv1" one is working.


But this is NOT the actual problem. I think you have the ports configured the wrong way around.


The first port listed after the "service tcp" or "service udp" should be the local/real port. This is the port that is actually listening on the host/server. The second port listed should be the mapped/public port.


So the NAT under the "object network websrv2" should be


nat (to-nexus,Outside) static 100.100.100.100 service tcp https 8443


Try that and see if it works.


Notice that you can use the "?" after the "tcp" section of that command which will list if the next expected value is the real/local port or the mapped/public port.


- Jouni
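Added example (not from the thread, and not Cisco's or the poster's configuration): a small Python checker that parses object NAT static PAT lines like the ones posted above, orders them the way the ASA orders Section 2 (Auto NAT) rules (static before dynamic, fewest real addresses first, lowest real IP first, then object name), reports mapped IP:port overlaps, and answers which rule an inbound packet to a mapped address:port would untranslate through. The host addresses 10.10.10.1 and 10.10.10.2 are assumed from the original question; the thread never shows the object definitions. Run against the posted config it reproduces the symptom (443 hits websrv1 only, 8443 matches nothing, which is why websrv2 shows zero untranslate_hits) and confirms that the corrected websrv2 line clears the overlap.

```python
"""Offline sanity check for ASA 8.3+ object (Auto) NAT static PAT rules.

Added example for this thread; not Cisco code and not anything the poster ran.
It parses "object network" blocks with a "nat ... static <mapped-ip> service
<proto> <real-port> <mapped-port>" line, orders them the way the ASA orders
Section 2 rules, reports mapped IP:port overlaps (the condition behind the
"mapped-address ... overlap" warning) and simulates the inbound lookup.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Named ports the ASA accepts after "service tcp"; only a few are needed here.
PORT_NAMES = {"https": 443, "www": 80, "http": 80, "ssh": 22, "smtp": 25}


def port_number(token: str) -> int:
    return int(token) if token.isdigit() else PORT_NAMES[token]


@dataclass
class StaticPat:
    name: str
    real_ip: ipaddress.IPv4Address
    real_if: str
    mapped_if: str
    mapped_ip: ipaddress.IPv4Address
    proto: str
    real_port: int      # first port on the nat line: what the host listens on
    mapped_port: int    # second port on the nat line: what the Internet sees


OBJECT_RE = re.compile(r"^object network (\S+)$")
HOST_RE = re.compile(r"^host (\S+)$")
NAT_RE = re.compile(r"^nat \((\S+),(\S+)\) static (\S+) service (tcp|udp) (\S+) (\S+)$")


def parse_object_nat(config: str) -> list[StaticPat]:
    rules, name, host = [], None, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := OBJECT_RE.match(line):
            name, host = m.group(1), None
        elif m := HOST_RE.match(line):
            host = ipaddress.IPv4Address(m.group(1))
        elif m := NAT_RE.match(line):
            if name is None or host is None:
                raise ValueError(f"nat line outside a host object: {line}")
            real_if, mapped_if, mapped_ip, proto, real, mapped = m.groups()
            rules.append(StaticPat(name, host, real_if, mapped_if,
                                   ipaddress.IPv4Address(mapped_ip), proto,
                                   port_number(real), port_number(mapped)))
    return rules


def asa_order(rules: list[StaticPat]) -> list[StaticPat]:
    """Section 2 ordering. All rules here are static /32 hosts, so the first two
    criteria (static first, fewer real addresses first) are ties; what is left
    is lowest real IP first, then object name alphabetically."""
    return sorted(rules, key=lambda r: (int(r.real_ip), r.name))


def mapped_overlaps(rules: list[StaticPat]) -> dict:
    """(mapped_ip, proto, mapped_port) keys claimed by more than one object."""
    seen: dict = {}
    for r in rules:
        seen.setdefault((str(r.mapped_ip), r.proto, r.mapped_port), []).append(r.name)
    return {k: v for k, v in seen.items() if len(v) > 1}


def untranslate(rules: list[StaticPat], mapped_ip: str, proto: str,
                port: int) -> Optional[tuple[str, str, int]]:
    """First rule in ASA order whose mapped side matches an inbound packet;
    returns (object name, real ip, real port) or None if nothing matches."""
    for r in asa_order(rules):
        if (str(r.mapped_ip), r.proto, r.mapped_port) == (mapped_ip, proto, port):
            return (r.name, str(r.real_ip), r.real_port)
    return None


# Constructed config: the poster's two nat lines, with ASSUMED host addresses
# taken from the question's example (the thread never shows the host lines).
POSTED_CONFIG = """
object network websrv1
 host 10.10.10.1
 nat (to-nexus,Outside) static 100.100.100.100 service tcp https https
object network websrv2
 host 10.10.10.2
 nat (to-nexus,Outside) static 100.100.100.100 service tcp 8443 https
"""

# Same config with websrv2's ports in the order the ASA expects: real port first.
FIXED_CONFIG = POSTED_CONFIG.replace("service tcp 8443 https", "service tcp https 8443")

if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_CONFIG), ("fixed", FIXED_CONFIG)):
        rules = parse_object_nat(cfg)
        print(f"[{label}] overlaps: {mapped_overlaps(rules)}")
        for port in (443, 8443):
            hit = untranslate(rules, "100.100.100.100", "tcp", port)
            print(f"[{label}] inbound 100.100.100.100:{port} -> {hit}")
```

The checker only models the single-host, single-port case the thread is about; a production pre-commit hook would also have to handle ranges, dynamic rules, and the Section 1/3 manual NAT tables, and nothing replaces `packet-tracer` on the actual box.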
