Cisco Support Community

New Member

firewall nat

Hi,

Is it possible to do NAT on the firewall for UDP ports? If there are certain servers running a service on a UDP port, will external access work if we configure NAT for UDP access?

Thanks!

Accepted Solution

Re: firewall nat

Yes.

As you mentioned, since TCP is stateful, the ASA can track the connection state and control the traffic in this way.

For UDP, since it is stateless, the ASA uses short timers to track the UDP connections.

If, within a short period, there is a reply with the same source IP, source port, destination IP and destination port as the originating connection, the ASA will allow the connection through.

Federico.

5 REPLIES
Cisco Employee

Re: firewall nat

Yes certainly.

Example:

static (inside,outside) udp interface tftp 192.168.2.2 tftp netmask 255.255.255.255
static (inside,dmz) udp interface 165 192.168.2.2 snmp netmask 255.255.255.255
static (inside,outside) udp interface syslog 192.168.2.2 syslog netmask 255.255.255.255

-KS

New Member

Re: firewall nat

Thanks for the reply. If I am not wrong, this would also mean putting a rule on the outside interface for the traffic to be allowed from external sources to hit these internal ones on the required UDP ports?

Also, since the query is on UDP ports, I believe sometimes we might need to allow the rule bidirectionally on the firewall for the connection to be successful.

Please correct me if I am wrong; I appreciate all your assistance!

Cisco Employee

Re: firewall nat

If the connection is always initiated from the outside, you only need to allow the UDP port on the outside ACL. The firewall will open up the return path for the UDP connection (same IPs and ports).

I hope it helps.

PK

New Member

Re: firewall nat

OK, but since UDP is sort of stateless as compared to TCP, would the firewall still allow it through with the state table?

Thanks!

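To make the two points in this thread concrete (the static UDP port translations KS listed, and Federico's description of the ASA matching a reply against the originating connection within a short timer), here is an added Python model. It is not Cisco code and not code from the thread. The outside interface address 203.0.113.1, the outside client 198.51.100.7, the 120-second idle timer (the ASA default of `timeout udp 0:02:00`) and an outside ACL that permits only two of the three mapped ports are constructed assumptions; the model covers outside-initiated flows and their replies only, which is the case the thread discusses.

```python
from dataclasses import dataclass

# Constructed sample values (not from the thread): the ASA outside interface
# address and the UDP idle timer (120 s matches the ASA default 'timeout udp 0:02:00').
OUTSIDE_IF_IP = "203.0.113.1"
UDP_IDLE_TIMEOUT = 120  # seconds

# Static UDP port translations mirroring the thread's example lines:
# mapped port on the interface -> (real host, real port).
STATIC_UDP = {
    69: ("192.168.2.2", 69),    # tftp -> tftp
    165: ("192.168.2.2", 161),  # 165 on the interface -> snmp on the server
    514: ("192.168.2.2", 514),  # syslog -> syslog
}

# Inbound ACL on the outside interface: mapped UDP ports permitted in.
# Constructed so the tftp static exists but is still blocked by the ACL.
OUTSIDE_ACL_UDP_PORTS = {165, 514}


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    ingress: str  # interface the packet arrived on: "outside" or "inside"


class UdpNatFirewall:
    """Toy ASA-style static UDP NAT with idle-timer connection tracking."""

    def __init__(self):
        # connection table: (outside ip, outside port, real ip, real port) -> last seen
        self.conns = {}
        # reverse map used to untranslate replies: (real ip, real port) -> mapped port
        self.reverse = {real: mapped for mapped, real in STATIC_UDP.items()}

    def process(self, pkt, now):
        """Return ("forward", translated packet) or ("drop", reason)."""
        if pkt.ingress == "outside":
            return self._from_outside(pkt, now)
        return self._from_inside(pkt, now)

    def _from_outside(self, pkt, now):
        # No static for this destination: nothing to translate, packet is dropped.
        if pkt.dst_ip != OUTSIDE_IF_IP or pkt.dst_port not in STATIC_UDP:
            return ("drop", "no-static")
        # The static alone is not enough; the outside ACL must permit the mapped port.
        if pkt.dst_port not in OUTSIDE_ACL_UDP_PORTS:
            return ("drop", "outside-acl")
        real_ip, real_port = STATIC_UDP[pkt.dst_port]
        # Record the flow so the reply can be matched on the same addresses and ports.
        self.conns[(pkt.src_ip, pkt.src_port, real_ip, real_port)] = now
        return ("forward", Packet(pkt.src_ip, pkt.src_port, real_ip, real_port, "outside"))

    def _from_inside(self, pkt, now):
        # A reply is accepted only if it mirrors an existing entry exactly.
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        last_seen = self.conns.get(key)
        if last_seen is None:
            return ("drop", "no-connection")
        if now - last_seen > UDP_IDLE_TIMEOUT:
            del self.conns[key]
            return ("drop", "udp-timeout")
        self.conns[key] = now  # activity refreshes the idle timer
        mapped_port = self.reverse[(pkt.src_ip, pkt.src_port)]
        return ("forward", Packet(OUTSIDE_IF_IP, mapped_port, pkt.dst_ip, pkt.dst_port, "inside"))


def run_scenario():
    """Walk a constructed outside SNMP manager through the model; returns every verdict."""
    fw = UdpNatFirewall()
    client = ("198.51.100.7", 40000)  # constructed outside host
    r = {}
    # 1. outside host polls mapped port 165; translated to the server's snmp port
    r["snmp_in"] = fw.process(Packet(*client, OUTSIDE_IF_IP, 165, "outside"), now=0)
    # 2. server replies 10 s later from 161; matches the entry, source untranslated to 165
    r["snmp_reply"] = fw.process(Packet("192.168.2.2", 161, *client, "inside"), now=10)
    # 3. reply from a different server port: no matching entry
    r["stray_reply"] = fw.process(Packet("192.168.2.2", 162, *client, "inside"), now=11)
    # 4. reply long after the idle timer: entry expired
    r["late_reply"] = fw.process(Packet("192.168.2.2", 161, *client, "inside"), now=500)
    # 5. tftp static exists but the outside ACL does not permit it
    r["tftp_in"] = fw.process(Packet(*client, OUTSIDE_IF_IP, 69, "outside"), now=0)
    # 6. port with no static configured
    r["unknown_in"] = fw.process(Packet(*client, OUTSIDE_IF_IP, 162, "outside"), now=0)
    return r


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:12s} -> {verdict}")
```

The scenario shows why both halves are needed: the static translation decides where an inbound packet goes, the outside ACL decides whether it is admitted at all, and the connection entry is what lets the server's reply back out without any separate outbound rule. Once the idle timer lapses, the same reply is dropped, which is the "short timers" behaviour the accepted answer describes.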
