Port redirection question

Hi All,

I have an ASA doing port redirection as follows:

static (inside,outside) tcp 2.2.2.2 80 192.168.10.2 8080

static (inside,outside) tcp 2.2.2.2 25 192.168.10.3 2525

So, whatever traffic comes to IP 2.2.2.2 on port 80 is redirected to IP 192.168.10.2 on port 8080, and traffic coming to the same IP on port 25 is redirected to IP 192.168.10.3 on port 2525.

This works perfectly. But my problem is the following:

Traffic sourced from IPs 192.168.10.2 and 192.168.10.3 to the Internet is not translated to 2.2.2.2, but to the IP of the outside interface of the ASA (because I'm doing PAT for outbound traffic). So, I'm seeing normal behavior.

My question is just this:

I want confirmation that the static statements above apply only to inbound traffic.

And, is there a way to make the outgoing traffic NATed to the IP 2.2.2.2 for these servers?

Something like:

nat (inside) 5 192.168.10.2 255.255.255.255

nat (inside) 5 192.168.10.3 255.255.255.255

global (outside) 5 2.2.2.2

To make the NAT consistent?

Thank you!!

Federico.

1 ACCEPTED SOLUTION

Cisco Employee

Re: Port redirection question

You are correct and this is your solution.

nat (inside) 5 192.168.10.2 255.255.255.255

nat (inside) 5 192.168.10.3 255.255.255.255

global (outside) 5 2.2.2.2

Now, why, with just the static PAT, doesn't outbound traffic get translated to 2.2.2.2?

Think of this: the server 192.168.10.3 going to Google. Its source port, for example, is 33333 and the destination is 80. Will it match your static?

static (inside,outside) tcp 2.2.2.2 25 192.168.10.3 2525

Absolutely not.

If you have this 1-1 static:

static (inside,outside) 2.2.2.2 192.168.10.3

Then it will work for both incoming and outgoing.

I hope I explained it such that you understand it perfectly.

-KS
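
A simplified model of the translation lookup discussed above, as an added example that is not part of the original thread and not Cisco code. It assumes the existing outbound PAT is `nat (inside) 1 0.0.0.0 0.0.0.0` with `global (outside) 1 interface`, uses 198.51.100.1 as a constructed placeholder for the outside interface address, and all function and variable names are hypothetical.

```python
import ipaddress
from itertools import count

# Static PAT entries from the thread: (mapped_ip, mapped_port, real_ip, real_port), TCP.
STATIC_PAT = [
    ("2.2.2.2", 80, "192.168.10.2", 8080),
    ("2.2.2.2", 25, "192.168.10.3", 2525),
]
# Assumed existing outbound PAT: nat (inside) 1 0.0.0.0 0.0.0.0 / global (outside) 1 interface
OUTSIDE_IF = "198.51.100.1"  # constructed placeholder, not from the thread
BASE_NAT = [(1, "0.0.0.0/0")]
BASE_GLOBAL = {1: OUTSIDE_IF}
# The nat/global 5 pair proposed in the thread.
FIX_NAT = BASE_NAT + [(5, "192.168.10.2/32"), (5, "192.168.10.3/32")]
FIX_GLOBAL = {**BASE_GLOBAL, 5: "2.2.2.2"}

_pat_ports = count(1024)  # simplified dynamic PAT source-port allocator


def translate_inbound(dst_ip, dst_port):
    """Outside -> inside: only a static entry can un-translate the destination."""
    for m_ip, m_port, r_ip, r_port in STATIC_PAT:
        if (dst_ip, dst_port) == (m_ip, m_port):
            return r_ip, r_port
    return None  # no matching translation


def translate_outbound(src_ip, src_port, nat_rules, global_pools):
    """Inside -> outside: static PAT applies only if real IP AND real port match."""
    for m_ip, m_port, r_ip, r_port in STATIC_PAT:
        if (src_ip, src_port) == (r_ip, r_port):
            return m_ip, m_port
    # Otherwise fall through to dynamic nat/global; most specific nat statement wins.
    addr = ipaddress.ip_address(src_ip)
    hits = [(ipaddress.ip_network(net), nat_id) for nat_id, net in nat_rules
            if addr in ipaddress.ip_network(net)]
    if not hits:
        return None
    _, nat_id = max(hits, key=lambda h: h[0].prefixlen)
    return global_pools[nat_id], next(_pat_ports)


if __name__ == "__main__":
    print(translate_inbound("2.2.2.2", 25))                                  # static PAT
    print(translate_outbound("192.168.10.3", 33333, BASE_NAT, BASE_GLOBAL))  # interface PAT
    print(translate_outbound("192.168.10.3", 33333, FIX_NAT, FIX_GLOBAL))    # PAT to 2.2.2.2
```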

Re: Port redirection question

Perfect!

Thank you.

Federico.
