I'm using a Cisco ASA 5510 and have a connection that needs to be established from the inside to the outside of the network. The issue is that the destination for the traffic requires a static source port due to their company security policy. Our application sourcing the traffic uses a random port when generating the traffic, starting from 1024 to 65535.
I have previously configured a Linux box to do such a task, where it changes the source port to the required value. I am wondering if anyone has a configuration example of how I could do this on an ASA using either 8.2 or 8.3 ASA software.
The flow is below:
192.168.136.16 (random source port) -------> ASA 5510 ---------> DEST IP (126.96.36.199) TCP port 2365
I need the source port to be 4000 as it leaves the outside interface of the ASA. The outside interface of the FW (10.1.4.190) is used when NATing the address; I could, however, change this to a specific global address.
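The Linux approach the question mentions, written out as an added example that is not part of the original post: a netfilter SNAT rule that rewrites both the source address and the source port of the flow above (192.168.136.16, random source port, to 126.96.36.199 tcp/2365) to 10.1.4.190:4000, plus a small check that reads the translated port back out of a conntrack entry. The outside interface name eth0 and the sample conntrack line are assumptions/constructed; the addresses and ports are the ones from the question.

```shell
#!/bin/sh
# Added example, not the original poster's configuration. Values taken from
# the question; the outside interface name (eth0) is an assumption.
INSIDE_HOST=192.168.136.16
DEST_IP=126.96.36.199
DEST_PORT=2365
OUTSIDE_IP=10.1.4.190
OUTSIDE_IF=eth0
FIXED_SPORT=4000

# Emit the rules rather than applying them, so they can be reviewed first.
# SNAT with an explicit ip:port rewrites the source address AND source port;
# conntrack records the mapping and reverses it on the return packets
# (dst port 4000 -> the application's original random port).
snat_rules() {
    printf '%s\n' \
      "iptables -t nat -A POSTROUTING -o $OUTSIDE_IF -p tcp -s $INSIDE_HOST -d $DEST_IP --dport $DEST_PORT -j SNAT --to-source $OUTSIDE_IP:$FIXED_SPORT" \
      "iptables -A FORWARD -p tcp -s $INSIDE_HOST -d $DEST_IP --dport $DEST_PORT -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT" \
      "iptables -A FORWARD -p tcp -s $DEST_IP --sport $DEST_PORT -d $INSIDE_HOST -m conntrack --ctstate ESTABLISHED -j ACCEPT"
}

# Apply the rules (needs root; the box must forward between the two networks).
# The rule strings are generated locally above, which is why eval is acceptable here.
apply_rules() {
    sysctl -w net.ipv4.ip_forward=1
    snat_rules | while IFS= read -r rule; do eval "$rule"; done
}

# Verification helper: in `conntrack -L` / /proc/net/nf_conntrack output the
# second src=/dst=/sport=/dport= group is the reply direction, so its dport=
# is the source port the remote side actually sees. Prints that value.
translated_sport() {
    printf '%s\n' "$1" | awk '{
        n = 0
        for (i = 1; i <= NF; i++)
            if ($i ~ /^dport=/) { n++; if (n == 2) { sub(/^dport=/, "", $i); print $i } }
    }'
}

# Constructed sample entry (not captured from a real box) in conntrack(8)
# format: original tuple 192.168.136.16:1259 -> 126.96.36.199:2365,
# reply tuple 126.96.36.199:2365 -> 10.1.4.190:4000.
SAMPLE_CT='tcp      6 431999 ESTABLISHED src=192.168.136.16 dst=126.96.36.199 sport=1259 dport=2365 src=126.96.36.199 dst=10.1.4.190 sport=2365 dport=4000 [ASSURED] mark=0 use=1'

# Succeeds only when the sample entry shows the required source port.
check_sample() {
    [ "$(translated_sport "$SAMPLE_CT")" = "$FIXED_SPORT" ]
}

case "${1:-}" in
    --apply) apply_rules ;;
    *) snat_rules
       check_sample && echo "sample conntrack entry shows source port $FIXED_SPORT" ;;
esac
```

Run it without arguments to print the rules, and with `--apply` as root to install them; afterwards `conntrack -L -p tcp --dport 2365` (or /proc/net/nf_conntrack) should show dport=4000 in the reply tuple, which is what translated_sport extracts. One caveat applies to any device doing this, ASA or Linux: a single fixed source port can be held by only one connection to that destination at a time, so a second simultaneous connection from the application cannot be translated and will fail until the first flow's conntrack entry has gone.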
Yeah, I had a go at that type of configuration in 8.2 a couple of days ago and neither is accepted. The issue is the policy ACL needs to define a local port, and for the second option the ASA can't deal with port ranges, which is a real bummer.
I downloaded ASA software version 8.3 this morning, as it can handle object groups with the new way NAT is handled; however, I have been unable to devise a solution due to my inexperience with this version.
I've tried the following:
object service AFTN-Dst
 service tcp destination eq 4000
object service AFTN-Source-Ports
 service tcp source range 1023 65535
object network DEV-AMS
 host 192.168.136.16
nat (inside,outside) source dynamic AFTN_CLIENTS interface service AFTN-Dst AFTN-Source-Ports
Using packet-tracer, the source port continues to remain the same:
<166>:Sep 14 16:48:09 UTC: %ASA-session-6-302013: Built outbound TCP connection 29 for DMZ:188.8.131.52/2365 (184.108.40.206/2365) to AMSa:192.168.136.16/1259 (192.168.136.16/1259)
<166>:Sep 14 16:48:09 UTC: %ASA-session-6-302014: Teardown TCP connection 29 for DMZ:220.127.116.11/2365 to AMSa:192.168.136.16/1259 duration 0:00:00 bytes 0 Free the flow created as result of packet injection
This configuration is completely new to me and I've not used 8.3 before today, so it's most likely wrong. Any ideas?