firewall nat

suthomas1
Level 6

Hi,

Is it possible to do NAT on the firewall for UDP ports? If there are certain servers running a service on a UDP port, will external access work if we configure NAT for UDP access?

Thanks!

5 Replies

Kureli Sankar
Cisco Employee

Yes certainly.

example:

static (inside,outside) udp interface tftp 192.168.2.2 tftp netmask 255.255.255.255

static (inside,dmz) udp interface 165 192.168.2.2 snmp netmask 255.255.255.255

static (inside,outside) udp interface syslog 192.168.2.2 syslog netmask 255.255.255.255

-KS

Thanks for the reply. If I am not wrong, this would also mean putting a rule on the outside interface for the traffic to be allowed from external sources to hit these internal hosts on the required UDP ports?

Also, since the query is about UDP ports, I believe sometimes we might need to allow the rule bidirectionally on the firewall for the connection to be successful.

Please correct me if I am wrong; I appreciate all your assistance!

If the connection is always initiated from the outside, you only need to allow the UDP port on the outside ACL. The firewall will open up the return path for the UDP connection (same IPs and ports).

I hope it helps.

PK

Ok, but since UDP is sort of stateless compared to TCP, would the firewall still allow it through with the state table?

Thanks!

Yes.

As you mentioned, since TCP is stateful, the ASA can track the connection state and control the traffic in this way.

For UDP, since it is stateless, the ASA uses short timers to track the UDP connections.

If, within a short period, there is a reply with the same source IP, source port, destination IP and destination port as the originating connection, the ASA will allow the connection through.

Federico.
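The behaviour Federico describes (outside ACL admits the first UDP packet, a state entry keyed by the 5-tuple is created with a short idle timer, and only a reply matching that entry in reverse is let back out before the timer expires), written up as an added toy model. This is example code, not Cisco's or anyone's from the thread; the class names, the addresses and the NAT table are constructed for illustration.

```python
"""Toy model of inbound UDP through a static NAT on a stateful firewall.
Example code; addresses and mappings below are constructed, not from a real device."""
from dataclasses import dataclass

UDP_IDLE_TIMEOUT = 120  # seconds; the ASA default UDP idle timeout is 2 minutes

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    t: float  # arrival time in seconds

class UdpFirewall:
    def __init__(self, static_nat, outside_acl):
        # static_nat: {(outside_ip, port): (inside_ip, port)}, like 'static ... udp ...'
        # outside_acl: set of (inside_ip, port) destinations permitted inbound
        self.static_nat = static_nat
        self.acl = outside_acl
        self.conns = {}  # translated 5-tuple (src, sport, dst, dport) -> last-seen time

    def _expire(self, now):
        # Drop state entries idle longer than the UDP timer.
        self.conns = {k: v for k, v in self.conns.items() if now - v < UDP_IDLE_TIMEOUT}

    def inbound(self, p):
        """Outside -> inside. Returns the translated packet, or None if dropped."""
        self._expire(p.t)
        real = self.static_nat.get((p.dst, p.dport))
        if real is None or real not in self.acl:
            return None  # no static mapping, or outside ACL does not permit it
        key = (p.src, p.sport, real[0], real[1])
        self.conns[key] = p.t  # create/refresh the UDP state entry
        return Pkt(p.src, p.sport, real[0], real[1], p.t)

    def outbound_reply(self, p):
        """Inside -> outside. Allowed only if it matches an existing UDP state entry."""
        self._expire(p.t)
        key = (p.dst, p.dport, p.src, p.sport)  # reverse of the inbound 5-tuple
        if key not in self.conns:
            return None  # no matching state: unsolicited or timed out
        self.conns[key] = p.t
        # Translate the real inside address back to the mapped outside address.
        mapped = next(g for g, r in self.static_nat.items() if r == (p.src, p.sport))
        return Pkt(mapped[0], mapped[1], p.dst, p.dport, p.t)
```

The model shows why no explicit bidirectional rule is needed: the reply is admitted by the state entry, not by the ACL, and once the short timer expires the same reply is dropped.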
