I need help on a project for my client with respect to some NAT rules that need to be created in the context of the FWSM that the client is
According to the customer's demand, there are two types of connections that need to be released. We conducted some tests using policy NAT but unfortunately we could not create the rules and therefore need your help.
I'll try to explain what the client needs according to the client's e-mail below:
- Due to IP conflicts, we have customers that address, on the outside interface, the IP 192.168.8.3 and the other IP 192.168.8.4 on port 3017/TCP
- The firewall should do static NAT and redirect those connections to the IP address 10.2.64.4 port 3017. I configured the following NAT and static NAT policy for this situation without problems:
You can identify overlapping addresses in other nat commands. For example, you can identify 10.1.1.0 in one command, but 10.1.1.1 in another. The traffic is matched to a policy NAT command in order, until the first match, or for regular NAT, using the best match.
See the following description about options for this command:
access-list acl_name: Identify the real addresses and destination addresses using an extended access list. Create the extended access list using the access-list extended command (see the "Adding an Extended Access List" section on page 12-6). This access list should include only permit ACEs. You can optionally specify the real and destination ports in the access list using the eq operator. Policy NAT and static NAT consider the inactive or time-range keywords and stop working when an ACE is inactive.
Now, this rule could be set up without problems, but the NAT is not being mounted. What I realized is that when creating the static NAT with policy NAT without specifying the protocol (TCP or UDP) and port in the access list, the firewall does not mount the NAT. If the static is created with the protocol and port configuration, it has a conflict with the first rule created:
! ACL for the static policy NAT: real server 10.2.64.4 on TCP/3017, destination any outside host on any port
! (the original line had "range eq 1 65535", which is not valid syntax; the range keyword takes two port numbers)
access-list NAT_3017_3017 extended permit tcp host 10.2.64.4 eq 3017 any range 1 65535
Any suggestions? Can this setup actually be done?
The port range in the ACL is necessary because when the connection is established by any outside source, the source IP uses a random port. Therefore it was necessary to set it up this way.
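The static policy NAT form described in the quoted documentation, written out for the two outside addresses in the request. This is an added example, not configuration from the original post: the interface names inside/outside and the ACL names NAT_3017_A and NAT_3017_B are assumptions, and the addresses are the ones the post gives.

```cisco
! Real server 10.2.64.4 listening on TCP/3017. The ACL names the real source
! (host + eq port) and the destination. A plain "any" with no port operator
! already matches every destination port, so "range 1 65535" is not needed:
! the outside client's random source port is covered either way.
access-list NAT_3017_A extended permit tcp host 10.2.64.4 eq 3017 any
access-list NAT_3017_B extended permit tcp host 10.2.64.4 eq 3017 any

! Static port policy NAT: mapped (outside) IP and port first, then the ACL
! that identifies the real address/port and the destination.
static (inside,outside) tcp 192.168.8.3 3017 access-list NAT_3017_A
static (inside,outside) tcp 192.168.8.4 3017 access-list NAT_3017_B

! Both ACLs have the same real address/port and the same destination (any),
! so they overlap completely; per the quoted documentation, policy NAT is
! matched in order until the first match. Verify which translation is
! actually built for an inbound connection before relying on the second one:
show xlate
show nat
```

If the FWSM reports a conflict on the second static, the overlap between the two ACLs (identical real address, port and destination) is the first thing to check.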