08-12-2013 09:22 PM - edited 03-11-2019 07:24 PM
Hi Everyone,
I need to configure NAT on a Cisco ASA 5520, and the NAT has to translate an inside IP address to an outside IP address with a specific range of ports.
How can I do it?
Regards,
Evgenii
08-12-2013 10:25 PM
Hello,
First of all,
what version are you running?
Check my blog at http://laguiadelnetworking.com for further information.
Cheers,
Julio Carvajal Segura
08-12-2013 10:32 PM
I use the Cisco ASA 5520 with version 8.4(5)
08-12-2013 11:24 PM
Sorry for the long wait
Was creating a blog post just for you,
Check it out at http://www.laguiadelnetworking.com/how-to-create-a-nat-translation-for-a-range-of-ports-on-asa-8-3-and-higher-software/
And let me know what you think
Cheers,
Julio Carvajal Segura
08-13-2013 12:29 AM
Julio, that's good information!
But I need to realise the following situation:
1. I send a packet from A to B
2. The ASA changes the source IP address to 10.0.20.1 and changes the source port to any port from the range 2000-2020
3. B sees the packet with IP 10.0.20.1 and port 2001
I can't find information on how to configure this construction =(
Regards,
Evgenii
08-13-2013 12:37 AM
Hi,
Just out of interest, why would you want it so that when Host A connects to Host B, the Host A address is NATed and its source port is also NATed to some specific range?
Or did I understand the above situation wrong?
- Jouni
08-13-2013 12:49 AM
Hi Jouni,
I have a few hosts in the inside LAN and only one IP address on the outside, and I need a unique identification of these hosts on the outside. Therefore I want to use the port range as an identifier.
08-13-2013 01:18 AM
Hi,
I have not used such a NAT before personally, but I would imagine it would be configured something like this:
CONFIGURATION
! Real (inside) host whose source address and source port get translated
object network HOST-A
 host 10.0.0.150
! Destination host; the rule only applies to traffic towards this address
object network HOST-B
 host 1.1.1.1
! Real service: any TCP source port, any destination port
object service REAL-PORTS
 service tcp source range 0 65535 destination range 0 65535
! Mapped service: source port rewritten into 2000-2020, destination port left alone
object service MAPPED-PORTS
 service tcp source range 2000 2020 destination range 0 65535
! Twice NAT: source HOST-A -> WAN interface address, destination unchanged,
! source ports REAL-PORTS -> MAPPED-PORTS
nat (LAN,WAN) source static HOST-A interface destination static HOST-B HOST-B service REAL-PORTS MAPPED-PORTS
TEST
ASA(config)# packet-tracer input LAN tcp 10.0.0.150 12345 1.1.1.1 1000
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (LAN,WAN) source static HOST-A interface destination static HOST-B HOST-B service REAL-PORTS MAPPED-PORTS
Additional Information:
NAT divert to egress interface WAN
Untranslate 1.1.1.1/1000 to 1.1.1.1/1000
! Destination parameters are unchanged as per configurations. NAT configuration only applies to destination IP address 1.1.1.1
Phase: 2
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (LAN,WAN) source static HOST-A interface destination static HOST-B HOST-B service REAL-PORTS MAPPED-PORTS
Additional Information:
Static translate 10.0.0.150/12345 to
/2018 ! Real Source port is translated to one port from Mapped Source range
Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (LAN,WAN) source static HOST-A interface destination static HOST-B HOST-B service REAL-PORTS MAPPED-PORTS
Additional Information:
Phase: 7
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1014220, packet dispatched to next module
Result:
input-interface: LAN
input-status: up
input-line-status: up
output-interface: WAN
output-status: up
output-line-status: up
Action: allow
- Jouni
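The per-host port-range scheme Evgenii describes (several inside hosts behind one outside address, each recognisable on the far side by its source-port range) generalises the single-host rule in Jouni's answer above. The following Python is an added example, not code from the thread or from Cisco: it generates one twice-NAT rule per inside host in the same shape as the answer, refuses overlapping ranges (which would make the hosts indistinguishable again), recovers the inside host from a mapped port the way the far side or a log reviewer would, and parses the `Static translate` line of packet-tracer output to confirm the translated source port landed in the expected range. The extra object names (HOST-C, HOST-D, the `*-MAPPED-PORTS` service objects), the 10.0.20.1 outside address and the trace snippet are constructed for the example; whether the ASA accepts a real range wider than the mapped range is as shown by the answer's packet-tracer, not something this script verifies.

```python
"""Plan, render and sanity-check per-host source-port-range twice NAT for an
ASA 8.4-style config. Added example; object names beyond HOST-A/HOST-B,
the 10.0.20.1 outside address and SAMPLE_TRACE are constructed, not from the thread."""
import re
from dataclasses import dataclass
from typing import List, Optional

PORT_MIN, PORT_MAX = 1, 65535


@dataclass(frozen=True)
class HostMapping:
    name: str      # ASA object name, e.g. HOST-A
    real_ip: str   # inside (real) address
    low: int       # first mapped source port
    high: int      # last mapped source port (inclusive)

    @property
    def capacity(self) -> int:
        # Number of distinct translated source ports this host can ever use.
        return self.high - self.low + 1


def validate(mappings: List[HostMapping]) -> List[str]:
    """Return a list of problems; an empty list means the plan is usable.
    Overlapping ranges defeat the purpose: the far side could no longer
    tell the inside hosts apart by source port."""
    problems = []
    for m in mappings:
        if not (PORT_MIN <= m.low <= m.high <= PORT_MAX):
            problems.append(f"{m.name}: bad port range {m.low}-{m.high}")
    ordered = sorted(mappings, key=lambda m: m.low)
    for a, b in zip(ordered, ordered[1:]):
        if b.low <= a.high:
            problems.append(f"{a.name} ({a.low}-{a.high}) overlaps "
                            f"{b.name} ({b.low}-{b.high})")
    return problems


def render_config(mappings: List[HostMapping], dest_name: str, dest_ip: str,
                  in_if: str = "LAN", out_if: str = "WAN") -> str:
    """Emit object and nat lines in the same shape as the accepted answer,
    one twice-NAT rule per inside host, all mapped to the outside interface."""
    lines = [f"object network {dest_name}", f" host {dest_ip}",
             "object service REAL-PORTS",
             " service tcp source range 0 65535 destination range 0 65535"]
    for m in mappings:
        svc = f"{m.name}-MAPPED-PORTS"   # assumed naming convention
        lines += [f"object network {m.name}", f" host {m.real_ip}",
                  f"object service {svc}",
                  f" service tcp source range {m.low} {m.high} destination range 0 65535",
                  f"nat ({in_if},{out_if}) source static {m.name} interface "
                  f"destination static {dest_name} {dest_name} service REAL-PORTS {svc}"]
    return "\n".join(lines)


def identify_host(mapped_port: int, mappings: List[HostMapping]) -> Optional[str]:
    """What the far side (or someone reading its logs) does: map the source
    port it sees back to the inside host that owns that range."""
    for m in mappings:
        if m.low <= mapped_port <= m.high:
            return m.name
    return None


# Matches packet-tracer's 'Static translate real/port to mapped/port' line,
# tolerating the line break that appears before '/2018' in the thread's output.
TRANSLATE_RE = re.compile(r"Static translate (\S+)/(\d+) to\s*(\S*?)/(\d+)")


def check_trace(trace: str, mappings: List[HostMapping]) -> Optional[str]:
    """Parse packet-tracer output and return the host whose range contains the
    translated source port, or None if no translation line was found or the
    port landed outside every configured range."""
    m = TRANSLATE_RE.search(trace)
    if not m:
        return None
    return identify_host(int(m.group(4)), mappings)


# Constructed plan: three inside hosts, one outside address, 21 ports each
# (the same width as the 2000-2020 range discussed in the thread).
PLAN = [
    HostMapping("HOST-A", "10.0.0.150", 2000, 2020),
    HostMapping("HOST-C", "10.0.0.151", 2021, 2041),
    HostMapping("HOST-D", "10.0.0.152", 2042, 2062),
]

# Constructed from the shape of the trace in the accepted answer; 10.0.20.1 is
# the outside address the original poster mentioned.
SAMPLE_TRACE = """Phase: 2
Type: NAT
Additional Information:
Static translate 10.0.0.150/12345 to 10.0.20.1/2018"""

if __name__ == "__main__":
    assert not validate(PLAN), validate(PLAN)
    print(render_config(PLAN, "HOST-B", "1.1.1.1"))
    print("trace translated port belongs to:", check_trace(SAMPLE_TRACE, PLAN))
```

Paste the rendered lines into the ASA and re-run `packet-tracer` for each inside host; the `Static translate` line of each run should resolve to that host via `check_trace`. Note that `capacity` is a hard ceiling: a 21-port range gives a host only 21 distinct translated source ports towards that destination, so size the ranges with the expected number of concurrent flows in mind rather than copying 2000-2020 for every host.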
08-13-2013 01:23 AM
Thank you very much, Jouni.