ASA policy PAT and src/dst port considerations!!

geraghtyconor
Level 1

static (inside,outside) tcp 4.2.2.2 443 10.1.2.3 443 netmask 255.255.255.255

What happens/is translated when a packet comes from the Internet destined for 4.2.2.2 with ..........

A: Src tcp port 1025 and dst tcp port 443

B: Src tcp port 443 and dst tcp port 1025

and, in the reverse direction from 10.1.2.3 back towards the internet

A: Src tcp port 1025 and dst tcp port 443

B: Src tcp port 443 and dst tcp port 1025

Or, does

static (inside,outside) tcp 4.2.2.2 443 10.1.2.3 443 netmask 255.255.255.255 only affect packets with dst tcp port 443

Or, my real question - will this policy NAT handle two way comms and in the manner TCP should work?


Julio Carvajal
VIP Alumni

What happens/is translated when a packet comes from the Internet destined for 4.2.2.2 with ..........

A) the packet will be redirected to 10.1.2.3 on port 443

B) The packet will be dropped by the ASA as there is no port-forwarding for port 1025 (just for 443)

and, in the reverse direction from 10.1.2.3 back towards the internet

A) Packet from  a higher security level to a higher is going to be allowed by default if you have the right translation

B) The ASA will already have an entry in all of its tables for this connection (xlate, local-host and conn table), so the traffic will be allowed without any inspection.

static (inside,outside) tcp 4.2.2.2 443 10.1.2.3 443 netmask 255.255.255.255 only affect packets with dst tcp port 443

Port-Forwarding is only for inbound connections. The outgoing packet for the same connection will hit this nat, but if you start a brand new connection (outbound) you will need a different nat.

Regards,

Julio

Rate all the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
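As an added illustration of the behaviour described in the question and the reply (this is a toy model written for this page, not ASA code), the following simulates the single static PAT line for the four cases asked about: inbound to mapped port 443 is untranslated to 10.1.2.3:443, inbound to any other mapped port has no matching static and is dropped, the reply of an established connection reuses the recorded connection and is translated back to 4.2.2.2:443, and a brand new outbound flow with an ephemeral source port matches nothing and would need its own NAT rule. The outside addresses 203.0.113.5 and 198.51.100.7 are constructed sample values.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class StaticPat:
    """Model of: static (inside,outside) tcp MAPPED_IP MAPPED_PORT REAL_IP REAL_PORT"""

    def __init__(self, mapped_ip, mapped_port, real_ip, real_port):
        self.mapped = (mapped_ip, mapped_port)   # address seen from the outside
        self.real = (real_ip, real_port)         # address of the inside host
        # Simplified conn table: (outside_ip, outside_port, real_ip, real_port)
        self.conns = set()

    def inbound(self, pkt):
        """Packet arriving on the outside interface."""
        if (pkt.dst_ip, pkt.dst_port) != self.mapped:
            # Only the mapped socket 4.2.2.2:443 is port-forwarded; anything
            # else (e.g. dst port 1025) has no static and is dropped.
            return "drop", f"no port-forward for {pkt.dst_ip}:{pkt.dst_port}"
        self.conns.add((pkt.src_ip, pkt.src_port) + self.real)
        return "forward", replace(pkt, dst_ip=self.real[0], dst_port=self.real[1])

    def outbound(self, pkt):
        """Packet arriving on the inside interface."""
        if (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.conns:
            # Reply of an existing inbound connection: the recorded entry is
            # reused and the real source is translated back to the mapped socket.
            return "forward", replace(pkt, src_ip=self.mapped[0], src_port=self.mapped[1])
        if (pkt.src_ip, pkt.src_port) == self.real:
            # A static is two-way for its exact tuple, so a new flow sourced
            # from 10.1.2.3:443 is also translated (assumption in this model).
            return "forward", replace(pkt, src_ip=self.mapped[0], src_port=self.mapped[1])
        # New outbound flow from an ephemeral port: this static does not apply,
        # a separate NAT rule (e.g. dynamic PAT) would be needed.
        return "no-nat", "new outbound flow does not match this static"


# Usage: the line from the question.
asa = StaticPat("4.2.2.2", 443, "10.1.2.3", 443)
```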