Solved: port redirection using the same public ip

sandevsingh · ‎12-16-2013

Hi,

can you do a static NAT using the same public ip so that it goes to different internal ips on different port numbers.? Something like a port-redirection. For example, the public ip:100.100.100.100/443 goes to 10.10.10.1/443 AND 100.100.100.100/8443 goes to 10.10.10.2/443.

Jouni Forss · ‎12-16-2013

Hi,

Yes, since we are doing Auto NAT / Network Object NAT (the ones configured under "object" configurations) that means the ASA will order the NAT rules based on predefined rules.

I think in your case it comes down perhaps to the last determining factor which is the "object" name (alphabetical order). They are otherwise the same but the other one ends with "1" and the other one with "2". This is why the "websrv1" one is working.

But this is NOT the actual problem. I think you have the ports configured the wrong way around.

The first port listed after the "service tcp" or "service udp" should be the local/real port. This is the port that is actually listening on the host/server. The second port listed should be the mapped/public port.

So the NAT under the "object network websrv2" should be

nat (to-nexus,Outside) static 100.100.100.100 service tcp https 8443

Try that and see if it works.

Notice that you can use the "?" after the "tcp" section of that command which will list if the next expected value is the real/local port or the mapped/public port.

- Jouni

View solution in original post

Jouni Forss · ‎12-16-2013

Hi,

Yes, that is possible. Do notice that the port TCP/443 for example on an ASA is used for both ASDM and SSL VPN on the external interface typically. So it might be worth not using it at all as a public/mapped port is at all possible.

Depending on your software level the NAT configuration for the Static PAT (Port Forward) might be different

Software level 8.2 (and below)

static (inside,outside) tcp interface netmask 255.255.255.255

Software level 8.3 (and above)

object network STATIC-PAT-TCPxxx

host

nat (inside,outside) static interface service

The above examples use the "outside" interface IP address as the NAT IP as we use the "interface" parameter. This would have to be placed with the actual NAT IP address if you are using some other IP address other than that which is configured on your actual interface.

Hope this helps

- Jouni

sandevsingh · ‎12-16-2013

Thnx Jouni,

I am on 8.4, if I use the same public IP (which is NOT the external int ip on the ASA) it gives me a warning, although it took the config -

WARNING: mapped-address 100.100.100.100/443 ovelap with existing static NAT.

Jouni Forss · ‎12-16-2013

Hi,

It would seem that you have already configured a Static NAT using the same public IP address.

A Static NAT would pair a local IP to a public/mapped IP. When talking about TCP/UDP it would essentially map each public port to the same local port on the local IP address.

So it would seem to me that you would better use some other public IP address.

Even though the ASA accepted the Static PAT (Port Forward) configuration it might be that the Static NAT overrides the Static PAT function so that it is never used. This depends on the way the Static NAT is configured and can only be told by looking at the configurations and/or perhaps using the "packet-tracer" command to test the configuration.

Do you have an extra public IP address that you could use as the Static PAT public IP address for all the translations you are attempting to do?

- Jouni

sandevsingh · ‎12-16-2013

Hi Jouni,

Yes, I have used the same public ip for a different static NAT, here is my config -

object network websrv1

nat (to-nexus,Outside) static 100.100.100.100 service tcp https https

object network websrv2

nat (to-nexus,Outside) static 100.100.100.100 service tcp 8443 https

I believe although it has taken the config, the order counts. Under "show nat", entry no.1 is what is taking preference and no hits on entry 2.

Auto NAT Policies (Section 2)

1 (to-nexus) to (Outside) source static websrv1 100.100.100.100 service tcp https https

translate_hits = 1, untranslate_hits = 11187

2 (to-nexus) to (Outside) source static websrv2 100.100.100.100 service tcp 8443 https

translate_hits = 0, untranslate_hits = 0

ANY THOUGHTS?

Jouni Forss · ‎12-16-2013

Hi,

Yes, since we are doing Auto NAT / Network Object NAT (the ones configured under "object" configurations) that means the ASA will order the NAT rules based on predefined rules.

I think in your case it comes down perhaps to the last determining factor which is the "object" name (alphabetical order). They are otherwise the same but the other one ends with "1" and the other one with "2". This is why the "websrv1" one is working.

But this is NOT the actual problem. I think you have the ports configured the wrong way around.

The first port listed after the "service tcp" or "service udp" should be the local/real port. This is the port that is actually listening on the host/server. The second port listed should be the mapped/public port.

So the NAT under the "object network websrv2" should be

nat (to-nexus,Outside) static 100.100.100.100 service tcp https 8443

Try that and see if it works.

Notice that you can use the "?" after the "tcp" section of that command which will list if the next expected value is the real/local port or the mapped/public port.

- Jouni

sandevsingh · ‎12-16-2013

Thanks for pointing that out, thats worked. !!!