Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

Source PAT translation

Hi there

I'm using a Cisco ASA 5510 and have a conneciton that needs to establish from the inside to the outside of the network.  The issue is the destination for the traffic requires a static source port for the traffic due to their company security policy.  Our appluication sourcing the traffic uses a random port when generating the traffic starting from 1024 to 65535.

I have prevously configured a linux box to to such a task where it changes the source port to the required value.  I am wondering if anyone has a confiugration example on how I could do this in an ASA usign either 8.2 or 8.3 ASA software.

the flow is below

                               INSIDE                                                        OUTSIDE

192.168.136.16  (random source port) ------->   ASA 5510  ---------> DEST IP (1.1.1.1) TCP port 2365

I need the source port to be 4000 as it leaves the outside interface of the ASA.  The outisde interface of the FW (10.1.4.190) is used when NATing the address I could however change this to a specific global address.

Any help would be appreciated.

Cheers
Donald Johson

Network Engineer

Airways NZ Ltd

2 REPLIES
Cisco Employee

Re: Source PAT translation

Hey Donald,

You can try using a Static policy PAT as below:

access-list POLICY permit tcp host 192.168.136.16 host 1.1.1.1 eq 2365

static (inside,outside) tcp interface 4000 access-list POLICY

I have a feeling that this command may not be accepted because in the access-list we do not have a "source port" parameter defined but give it a try anyways. Let me know how it goes!!

If it doesn't accept it, try using the below ACL instead:

access-list POLICY permit tcp host 192.168.136.16 gt 1023 host 1.1.1.1 eq  2365

Thanks and Regards,

Prapanch

Community Member

Re: Source PAT translation

Thanks Prapanch

Yeah I had a go at that type of configuration in 8.2 a couple of days ago and neither is accepted.  The issue is the POLICY ACL needs to define a local port and for the second option the ASA can't deal with port ranges which is a real bummer.

I downloaded ASA software version 8.3 this morning as it can handle object groups with the new way NAT is handled however I have been unable to devise a solution due to my inexpereince with this version.

I've tried the following;

object service AFTN-Dst
   service tcp destination eq 4000

!

object service AFTN-Source-Ports
   service tcp source range 1023 65535

!

object network DEV-AMS
  host 192.168.136.16

!

nat (inside,outside) source dynamic AFTN_CLIENTS interface service AFTN-Dst AFTN-Source-Ports

Using packet tracer the source port continue to remain the same;

packet-tracer input AMSa tcp 192.168.136.16 1259 1.1.1.1 2365


<166>:Sep 14 16:48:09 UTC: %ASA-session-6-302013: Built outbound TCP connection 29 for DMZ:1.1.1.1/2365 (1.1.1.1/2365) to AMSa:192.168.136.16/1259 (192.168.136.16/1259)
<166>:Sep 14 16:48:09 UTC: %ASA-session-6-302014: Teardown TCP connection 29 for DMZ:1.1.1.1/2365 to AMSa:192.168.136.16/1259 duration 0:00:00 bytes 0 Free the flow created as result of packet injection

This configuration is completely new to me and I've not used 8.3 before today so its most likely wrong  .  Any ideas?

1582
Views
0
Helpful
2
Replies
CreatePlease to create content