
Outbound NAT for one Port Only

Hi All,

I have a Cisco ASA 5510 and would like to set up a NAT rule for one server but only for traffic that matches a destination with a specific IP and Port. Is this possible?

The reason I ask is because I have one application that requires a connection to a VPN tunnel from a specific IP, so if I set up the Outbound NAT, all traffic then matches and gets translated, but this breaks all the other applications we have in place. I just want this one application on one specific port to be translated to the IP and then sent over the VPN connection.

Any help would be greatly appreciated! If you need more information, please let me know.

1 ACCEPTED SOLUTION

Bronze

This is the example on Cisco doc to do what you want.

It has an example with a port range and one with a single port. For your situation you should create two "NATs" with single port, one for 333 and one for 4444

 

object-group network og-net-src
 network-object 192.168.1.0 255.255.255.0
 network-object 192.168.2.0 255.255.255.0
object-group network og-net-dst
 network-object 209.165.201.0 255.255.255.224
object network obj-209.165.200.225
 host 209.165.200.225
object service obj_tcp_range_2001_65535
 service tcp destination range 2001 65535
object service obj_tcp_eq_1500
 service tcp destination eq 1500
nat (inside,outside) source dynamic og-net-src obj-209.165.200.225 destination static og-net-dst og-net-dst service obj_tcp_range_2001_65535 obj_tcp_range_2001_65535
nat (inside,outside) source dynamic og-net-src obj-209.165.200.225 destination static og-net-dst og-net-dst service obj_tcp_eq_1500 obj_tcp_eq_1500
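
The same pattern applied to the addresses the original poster gives later in this thread (192.168.1.22 to 111.222.111.222, presented as 222.33.222.33), as an added example that is not part of the answer above or of the Cisco documentation it quotes. The object names are hypothetical, the inside/outside interface names follow the quoted example, and ports 333 and 4444 follow the answer's wording.

```cisco
! Added example for ASA 8.3+ twice NAT. Object names are hypothetical.
object network obj-app-server
 host 192.168.1.22
object network obj-app-mapped-src
 host 222.33.222.33
object network obj-remote-server
 host 111.222.111.222
object service obj_tcp_eq_333
 service tcp destination eq 333
object service obj_tcp_eq_4444
 service tcp destination eq 4444
!
! One rule per port. The source is translated only when the destination is
! obj-remote-server AND the destination port matches the service object.
! Destination address and port are mapped to themselves (identity).
nat (inside,outside) source dynamic obj-app-server obj-app-mapped-src destination static obj-remote-server obj-remote-server service obj_tcp_eq_333 obj_tcp_eq_333
nat (inside,outside) source dynamic obj-app-server obj-app-mapped-src destination static obj-remote-server obj-remote-server service obj_tcp_eq_4444 obj_tcp_eq_4444
!
! NAT is applied before the crypto map is evaluated, so the tunnel's crypto
! ACL has to match the mapped source (222.33.222.33), not 192.168.1.22.
!
! Checks after applying:
!   show nat detail
!   packet-tracer input inside tcp 192.168.1.22 1025 111.222.111.222 333 detailed
!   packet-tracer input inside tcp 192.168.1.22 1025 111.222.111.222 80 detailed
! The first trace should show the source translated to 222.33.222.33;
! the second (port 80) should not hit either of these two rules.
```

Other traffic from 192.168.1.22 keeps following whatever NAT rules already apply to it, since neither rule matches it.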

6 REPLIES
Bronze

Yes, it is possible.

What software version are you using?

The configuration changes from 8.2 and below to 8.3 and higher.

 

Silver

8.2 configuration:

access-list policy_static_PAT permit tcp host <local_host_ip> eq <port_#> host <remote_server_ip>

static (outside,inside) tcp translated_IP port access-list policy_static_PAT

8.3 configuration:

On 8.3 you need to do it with double NAT:

This is just an example with TCP port:

enable
config t

object service obj_service_1
 service tcp source eq <port>

object service obj_service_2
 service tcp source eq <port>

If it is going through a tunnel I guess that you are not doing NAT:

nat (inside,outside) source static any any destination static obj_translated obj_private service obj_service_1 obj_service_2

or

You can also do it for a specific network with object network

object network local_subnet
 subnet <network_IP> <network_subnet>

nat (inside,outside) source static local_subnet local_subnet destination static obj_translated obj_private service obj_service_1 obj_service_2

FYI: You can also translate the local subnet to something else other than its real network IP.

You can do this with PAT using the outside interface:

nat (inside,outside) source dynamic any interface destination static obj_translated obj_private service obj_service_1 obj_service_2

Value our effort and rate the assistance!
New Member

Thank you! We are running 8.4.

Basically what I am trying to achieve is this:

Internal Server (192.168.1.22) creates a session with external server (111.222.111.222) on ports TCP 333 and TCP 444. To access the external server a VPN is established, however the Internal Server must present the source IP as 222.33.222.33 to the external server.

I therefore only want NAT translation to occur on this server when using this application on ports 333 and 4444. Any other applications on that server should not go through NAT translation.

What is the best way to achieve that?

 

Silver

Hello devereauxj, Please rate

Value our effort and rate the assistance!
New Member

This has appeared to resolve our issue. Thank you very much!
