Cisco Support Community
Community Member

Port Redirection

Am I correct in thinking that Port Redirection should only be used when the return traffic (from the inside server sending back out to the internet) will be sent back on the IP address it was received on? So for instance traffic is sent to it is received by the firewall and sends telnet traffic to one server and FTP to another, but when either server responds to the internet traffic they PAT to Therefore it would not be a valid configuration to have traffic port redirected to a server that already has a NAT on the firewall, as the traffic will be sent back out using the NAT address and could be blocked by the sender's firewall as it will be seen to come from a different IP address than what it was sent to?

Thanks in advance!


Re: Port Redirection

static PAT takes precedence over nat overloading. so your servers should respond from the same IP/port as is in the static PAT statement.

if traffic is originated from a server (eg general internet traffic like www), then NAT overloading applies, not static PAT.

if you have static pat configured for ftp, for instance, incoming ftp will work just fine, and the server will respond using the static pat address/port combination.

Community Member

Re: Port Redirection

okay, so if a connection is port redirected the return traffic will also go out on that port, correct?

Therefore hypothetically if it returned it on the NAT'd address this would cause issues correct?

Community Member

Re: Port Redirection

does static NAT take precedence over static PAT?


Re: Port Redirection

you can't even configure both simultaneously.

asa(config)# static (inside,outside)

asa(config)# static (inside,outside) tcp 3389 3389

ERROR: duplicate of existing static

inside: to outside: netmask
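To tie the two answers together (static PAT winning over nat/global overloading for inbound sessions, and a one-to-one static clashing with a static PAT on the same mapped address), here is an added example of the pre-8.3 ASA/PIX configuration being discussed. It is not configuration from the thread; the interface names, the RFC 5737 addresses 203.0.113.10 and 203.0.113.20, the inside hosts 10.1.1.5 and 10.1.1.6, and the ACL name OUTSIDE_IN are all constructed for illustration.

```cisco
! Added example (constructed addresses), pre-8.3 NAT syntax.
! Port redirection: one public address, two different inside servers.
! Inbound FTP to 203.0.113.10:21 is translated to the FTP server 10.1.1.5,
! inbound telnet to 203.0.113.10:23 is translated to the telnet server 10.1.1.6.
static (inside,outside) tcp 203.0.113.10 21 10.1.1.5 21 netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.10 23 10.1.1.6 23 netmask 255.255.255.255

! Inbound traffic to a lower-security interface still needs an access-list.
! Permit only the two redirected ports; nothing else reaches the servers.
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq ftp
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq telnet
access-group OUTSIDE_IN in interface outside

! nat/global overloading for sessions the inside hosts originate themselves
! (web browsing, updates). Uses a different public address, 203.0.113.20.
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 203.0.113.20

! Behaviour, as the reply above states:
!  - A client on the internet opens FTP to 203.0.113.10:21. The static PAT
!    xlate is matched, and the server's replies for that session leave as
!    203.0.113.10:21, so the client's firewall sees the address it connected to.
!  - The FTP server itself opening an outbound HTTP session is not covered by
!    the static PAT (different port), so it is overloaded onto 203.0.113.20.
!  - Adding a one-to-one static for the same mapped address, e.g.
!      static (inside,outside) 203.0.113.10 10.1.1.5 netmask 255.255.255.255
!    is rejected with "ERROR: duplicate of existing static", which is the
!    error shown in the last reply of this thread.

! Verification: "show xlate" lists the active translations, so after a
! client connects you can confirm which mapped address/port each session uses.
```

The defensive point in the ACL is that port redirection only exposes the redirected ports; the one-to-one static in the rejected command would have mapped every port of the server to the public address, which is why the two forms cannot coexist on one mapped IP.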
