Cisco Support Community
Community Member

Source PAT translation

Hi there

I'm using a Cisco ASA 5510 and have a connection that needs to establish from the inside to the outside of the network. The issue is the destination for the traffic requires a static source port for the traffic due to their company security policy. Our application sourcing the traffic uses a random port when generating the traffic, starting from 1024 to 65535.

I have previously configured a Linux box to do such a task, where it changes the source port to the required value. I am wondering if anyone has a configuration example of how I could do this on an ASA using either 8.2 or 8.3 ASA software.

The flow is below:

INSIDE (random source port) -------> ASA 5510 -------> OUTSIDE DEST IP (TCP port 2365)

I need the source port to be 4000 as it leaves the outside interface of the ASA. The outside interface of the FW ( is used when NATing the address; I could, however, change this to a specific global address.

Any help would be appreciated.

Donald Johson

Network Engineer

Airways NZ Ltd

Cisco Employee

Re: Source PAT translation

Hey Donald,

You can try using a Static policy PAT as below:

access-list POLICY permit tcp host host eq 2365

static (inside,outside) tcp interface 4000 access-list POLICY

I have a feeling that this command may not be accepted because in the access-list we do not have a "source port" parameter defined but give it a try anyways. Let me know how it goes!!

If it doesn't accept it, try using the below ACL instead:

access-list POLICY permit tcp host gt 1023 host eq 2365

Thanks and Regards,


Community Member

Re: Source PAT translation

Thanks Prapanch

Yeah, I had a go at that type of configuration in 8.2 a couple of days ago and neither is accepted. The issue is the POLICY ACL needs to define a local port, and for the second option the ASA can't deal with port ranges, which is a real bummer.

I downloaded ASA software version 8.3 this morning, as it can handle object groups with the new way NAT is handled; however, I have been unable to devise a solution due to my inexperience with this version.

I've tried the following:

object service AFTN-Dst
   service tcp destination eq 4000


object service AFTN-Source-Ports
   service tcp source range 1023 65535


object network DEV-AMS


nat (inside,outside) source dynamic AFTN_CLIENTS interface service AFTN-Dst AFTN-Source-Ports

Using packet-tracer, the source port continues to remain the same:

packet-tracer input AMSa tcp 1259 2365

<166>:Sep 14 16:48:09 UTC: %ASA-session-6-302013: Built outbound TCP connection 29 for DMZ: ( to AMSa: (
<166>:Sep 14 16:48:09 UTC: %ASA-session-6-302014: Teardown TCP connection 29 for DMZ: to AMSa: duration 0:00:00 bytes 0 Free the flow created as result of packet injection

This configuration is completely new to me and I've not used 8.3 before today, so it's most likely wrong. Any ideas?
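The following is an added example, not a post from this thread and not a configuration either participant reported as working. It shows the shape of an ASA 8.3+ twice NAT rule that translates the source port, built around the object names from the post above. Two points from the ASA 8.3 NAT documentation drive it: a dynamic twice NAT rule never translates the source port (its service keyword only affects the destination port, which is consistent with the packet-tracer output above showing the source port unchanged), and source port translation requires a static rule whose service objects specify source ports and are listed in the order real-source-object then mapped-source-object. The client address, the destination address and the object names AFTN_CLIENT and AFTN_DEST are placeholders; the thread does not give the real values. Whether the ASA accepts a 1024-65535 real source range mapped onto the single port 4000 is an assumption that must be tested on the box; if it is rejected, the real source range has to be narrowed. Independently of the ASA, because a translated flow is identified by its 5-tuple, a fixed mapped source port allows only one concurrent connection to the same destination IP and port through that rule.

```cisco
! Added example, not from the thread. ASA 8.3+ twice NAT.
! Placeholder addresses from the RFC 5737 documentation ranges.
object network AFTN_CLIENT
   host 192.0.2.10            ! assumed single real client host

object network AFTN_DEST
   host 203.0.113.5           ! assumed destination that demands source port 4000

! Real source ports the application actually uses.
object service AFTN-Real-Src
   service tcp source range 1024 65535

! Mapped source port required by the remote side's policy.
object service AFTN-Mapped-Src
   service tcp source eq 4000

! Static rule: real AFTN_CLIENT -> outside interface address, and real source
! ports 1024-65535 -> mapped source port 4000, only for traffic to AFTN_DEST.
! Order of service objects for source port translation: <real_src> <mapped_src>.
! A dynamic rule would leave the source port untouched.
nat (inside,outside) source static AFTN_CLIENT interface destination static AFTN_DEST AFTN_DEST service AFTN-Real-Src AFTN-Mapped-Src

! Check on the box: the resulting 302013 log line for the outbound flow should
! show the outside interface address with source port 4000 after NAT.
packet-tracer input inside tcp 192.0.2.10 1259 203.0.113.5 2365
```

If several inside hosts must reach the same destination at once, no stateful NAT can give all of them the same mapped source port; that is a property of flow tracking, not of the ASA, and the fix has to be on the application or remote policy side.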
