Cisco Support Community

New Member

Static Port Address Translation 8.4

Hello Experts,

Is static Port Address Translation bidirectional in 8.4?

I have configured static port address translation for the 2 servers with the same public IP for ports 80 and 23. The strange thing is that when they initiate a connection to the outside world they are allowed access to the internet, although they are not included in the dynamic Port Address Translation pool.

object network inside network.

subnet 192.168.10.0 255.255.255.0

Can anybody help me?

Thanks

15 REPLIES

Static Port Address Translation 8.4

Please post your configuration.

New Member

Re: Static Port Address Translation 8.4

ciscoasa(config-network-object)# sh running-config

: Saved

:

ASA Version 8.4(2)

!

hostname ciscoasa

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Ethernet0/0

nameif outside

security-level 0

ip address 192.168.20.1 255.255.255.0

!

interface Ethernet0/1

nameif inside

security-level 100

ip address 192.168.10.1 255.255.255.0

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

ftp mode passive

object network all

subnet 192.168.10.0 255.255.255.0

object network static

host 2.2.2.2

object network PAT

host 10.10.10.1

access-list outside extended permit tcp any host 2.2.2.2 eq telnet

access-list outside extended permit tcp any host 10.10.10.1 eq www

pager lines 24

logging enable

logging buffered notifications

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu management 1500

no failover  

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

!            

object network all

nat (inside,outside) dynamic 192.168.20.5

object network static

nat (inside,outside) static 3.3.3.3 service tcp telnet telnet

object network PAT

nat (inside,outside) static 3.3.3.3 service tcp 8080 www

access-group outside in interface outside

route outside 0.0.0.0 0.0.0.0 192.168.20.2 1

route inside 2.2.2.0 255.255.255.0 192.168.10.2

route inside 10.10.10.0 255.255.255.0 192.168.10.2

Static Port Address Translation 8.4

Hello Estela,

You are doing port-forwarding; this kind of NAT is just for inbound connections.

Static will always be bi-directional; port-forwarding will be for communications initiated on the lower security level interface.

Regards,

Julio

Looking for some Networking Assistance? Contact me directly at jcarvaja@laguiadelnetworking.com I will fix your problem ASAP. Cheers, Julio Carvajal Segura http://laguiadelnetworking.com
New Member

Static Port Address Translation 8.4

Yes, correct.

But when these servers initiate a connection, by what IP will they go out?

Tx

Re: Static Port Address Translation 8.4

Hello,

They will use the PAT IP address: 192.168.20.5

Regards,

Do rate helpful posts

Julio

New Member

Re: Static Port Address Translation 8.4

yes,

This is my concern; this is what is not happening, just see the logs below. I just initiated a connection from these servers and it was successful, though their addresses are not included in the PAT pool. Still they are going out, how come?

ciscoasa(config)# sh conn

1 in use, 10 most used

TCP outside 1.1.1.1:23 inside 10.10.10.1:14811, idle 0:00:12, bytes 149, flags UIO

ciscoasa(config)# sh xlate

2 in use, 4 most used

Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice

TCP PAT from inside:2.2.2.2 23-23 to outside:3.3.3.3 23-23

    flags sr idle 0:41:35 timeout 0:00:00

TCP PAT from inside:10.10.10.1 8080-8080 to outside:3.3.3.3 80-80

    flags sr idle 0:02:29 timeout 0:00:00

ciscoasa(config)# sh local-host

Interface management: 0 active, 0 maximum active, 0 denied

Interface inside: 1 active, 2 maximum active, 0 denied

local host: <10.10.10.1>,

    TCP flow count/limit = 1/unlimited

    TCP embryonic count to host = 0

    TCP intercept watermark = unlimited

    UDP flow count/limit = 0/unlimited

  Conn:

    TCP outside 1.1.1.1:23 inside 10.10.10.1:14811, idle 0:01:01, bytes 149, flags UIO

Interface outside: 1 active, 5 maximum active, 0 denied

local host: <1.1.1.1>,

    TCP flow count/limit = 1/unlimited

    TCP embryonic count to host = 0

    TCP intercept watermark = unlimited

    UDP flow count/limit = 0/unlimited

  Conn:

    TCP outside 1.1.1.1:23 inside 10.10.10.1:14811, idle 0:01:01, bytes 149, flags UIO

Tx

Re: Static Port Address Translation 8.4

Hello Estela,

I see what you are saying,

Can you provide the following packet-tracer

packet-tracer input inside tcp 192.168.10.5 1025 4.2.2.2 80

Regards,

Do please rate helpful posts

Julio

New Member

Re: Static Port Address Translation 8.4

Hello,

You need the captured packets from inside to outside, if I'm not wrong.

I didn't understand the line below; I don't have the following IPs in my network, I hope it is an example.

packet-tracer input inside tcp 192.168.10.5 1025 4.2.2.2 80

Tx

Re: Static Port Address Translation 8.4

Hello Stela,

This will show us all the NAT rules, ACLs and routes that the traffic for that host is hitting. Of course it is an example; you can use any host on that network.

Regards,

Julio

New Member

Re: Static Port Address Translation 8.4

Hello Dears

Packet tracer for the static port redirection server IPs.

ciscoasa(config)# sh conn

1 in use, 1 most used

TCP outside 1.1.1.1:23 inside 2.2.2.2:28826, idle 0:00:09, bytes 149, flags UIO

ciscoasa(config)# sh xlate

2 in use, 3 most used

Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice

TCP PAT from inside:2.2.2.2 23-23 to outside:3.3.3.3 23-23

    flags sr idle 2:11:34 timeout 0:00:00

TCP PAT from inside:10.10.10.1 8080-8080 to outside:3.3.3.3 80-80

    flags sr idle 2:11:34 timeout 0:00:00

ciscoasa(config)# sh local-host

Interface management: 0 active, 0 maximum active, 0 denied

Interface inside: 1 active, 2 maximum active, 0 denied

local host: <2.2.2.2>,

    TCP flow count/limit = 1/unlimited

    TCP embryonic count to host = 0

    TCP intercept watermark = unlimited

    UDP flow count/limit = 0/unlimited

  Conn:

    TCP outside 1.1.1.1:23 inside 2.2.2.2:28826, idle 0:00:21, bytes 149, flags UIO

Interface outside: 1 active, 1 maximum active, 0 denied

local host: <1.1.1.1>,

    TCP flow count/limit = 1/unlimited

    TCP embryonic count to host = 0

    TCP intercept watermark = unlimited

    UDP flow count/limit = 0/unlimited

  Conn:

    TCP outside 1.1.1.1:23 inside 2.2.2.2:28826, idle 0:00:21, bytes 149, flags UIO

ciscoasa(config)# packet-tracer input inside tcp 2.2.2.2 28826 1.1.1.1 23    

Phase: 1

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found flow with id 15, using existing flow

Result:

input-interface: inside

input-status: up

input-line-status: up

Action: allow

#####################################################################################

ciscoasa(config)# sh conn

1 in use, 1 most used

TCP outside 1.1.1.1:23 inside 10.10.10.1:31862, idle 0:00:18, bytes 149, flags UIO

ciscoasa(config)# sh xlate

2 in use, 3 most used

Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice

TCP PAT from inside:2.2.2.2 23-23 to outside:3.3.3.3 23-23

    flags sr idle 2:15:10 timeout 0:00:00

TCP PAT from inside:10.10.10.1 8080-8080 to outside:3.3.3.3 80-80

    flags sr idle 2:15:10 timeout 0:00:00

ciscoasa(config)# sh local-host

Interface management: 0 active, 0 maximum active, 0 denied

Interface inside: 1 active, 2 maximum active, 0 denied

local host: <10.10.10.1>,

    TCP flow count/limit = 1/unlimited

    TCP embryonic count to host = 0

    TCP intercept watermark = unlimited

    UDP flow count/limit = 0/unlimited

  Conn:

    TCP outside 1.1.1.1:23 inside 10.10.10.1:31862, idle 0:00:36, bytes 149, flags UIO

Interface outside: 1 active, 1 maximum active, 0 denied

local host: <1.1.1.1>,

    TCP flow count/limit = 1/unlimited

    TCP embryonic count to host = 0

    TCP intercept watermark = unlimited

    UDP flow count/limit = 0/unlimited

  Conn:

    TCP outside 1.1.1.1:23 inside 10.10.10.1:31862, idle 0:00:36, bytes 149, flags UIO

ciscoasa(config)# packet-tracer input inside tcp 10.10.10.1 31862 1.1.1.1 23

Phase: 1

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found flow with id 17, using existing flow

Result:

input-interface: inside

input-status: up

input-line-status: up

Action: allow

Thanks

Static Port Address Translation 8.4

Post the full trace, all phases.

Re: Static Port Address Translation 8.4

Hello Estela,

You are using an existing flow for the packet tracer; that is not what I am looking for.

I want you to do the following packet tracer please!

packet-tracer input inside tcp 10.10.10.1 1025 1.1.1.1 23

New Member

Re: Static Port Address Translation 8.4

The source port I am using is 23 and the destination is also 23. Is it OK or am I wrong? Please correct me if this is not enough.

In such a case, when I don't know the source port, what should I use?

ciscoasa(config)# packet-tracer input inside tcp 2.2.2.2 23 1.1.1.1 23

Phase: 1

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   0.0.0.0         0.0.0.0         outside

Phase: 2

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 3

Type: NAT

Subtype:

Result: ALLOW

Config:

object network static

nat (inside,outside) static 3.3.3.3 service tcp telnet telnet

Additional Information:

Static translate 2.2.2.2/23 to 3.3.3.3/23

Phase: 4

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 2368, packet dispatched to next module

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: allow

Re: Static Port Address Translation 8.4

Hello Estela,

You need to use a random port, but for monitoring purposes it's okay; I saw what I was looking for.

That traffic is hitting the static rule; it seems like on ASA version 8.3 and prior the static port-forwarding will be taken bidirectionally.

Are you looking for just inbound connections, or is it okay if it's bi-directional?

Regards,

Julio

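To make the rule matching that the two packet-tracers above differ on concrete, here is a small Python model of ASA 8.3+ object NAT lookup, written for this page as an added example (it is not code from the thread or from Cisco). It parses the object NAT lines from the configuration posted earlier and evaluates flows initiated from inside the way section 2 is documented to work: static rules before dynamic ones, and a static rule carrying a `service` clause matching only traffic on the configured real port. It also encodes the 8.3+ behaviour that a flow matching no NAT rule is forwarded untranslated (nat-control no longer exists), which is consistent with `sh xlate` listing only the two static entries while the 10.10.10.1:14811 connection to 1.1.1.1:23 was up. `NatRule`, `parse_object_nat`, `translate_outbound` and the `PORT_NAMES` table are my own names; the sample flows are the ones from the posted `packet-tracer` and `sh conn` output.

```python
"""Model of ASA 8.3+ object NAT matching for flows initiated from inside.

Added example for this thread, not Cisco code. It assumes:
  * section 2 (object NAT) evaluates static rules before dynamic ones;
  * a static rule with a `service` clause matches only the configured real port;
  * ASA 8.3+ has no nat-control, so a flow matching no rule passes untranslated.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Object NAT lines taken from the configuration posted earlier in the thread.
CONFIG = """
object network all
 subnet 192.168.10.0 255.255.255.0
object network static
 host 2.2.2.2
object network PAT
 host 10.10.10.1
!
object network all
 nat (inside,outside) dynamic 192.168.20.5
object network static
 nat (inside,outside) static 3.3.3.3 service tcp telnet telnet
object network PAT
 nat (inside,outside) static 3.3.3.3 service tcp 8080 www
"""

# Service names used on this page plus a few common ones (hypothetical helper table).
PORT_NAMES = {"telnet": 23, "www": 80, "http": 80, "ssh": 22, "https": 443}

NAT_RE = re.compile(
    r"nat \((?P<real_if>\w+),(?P<mapped_if>\w+)\) (?P<kind>static|dynamic) (?P<mapped>\S+)"
    r"(?: service (?P<proto>tcp|udp) (?P<real_port>\S+) (?P<mapped_port>\S+))?$"
)


@dataclass
class NatRule:
    obj: str
    real: ipaddress.IPv4Network      # real (inside) host or subnet
    kind: str                        # "static" or "dynamic"
    mapped: str                      # mapped (outside) address
    proto: Optional[str] = None      # set only for service (port) static rules
    real_port: Optional[int] = None
    mapped_port: Optional[int] = None


def port_number(token: str) -> int:
    return PORT_NAMES.get(token.lower()) or int(token)


def parse_object_nat(config: str) -> List[NatRule]:
    """Walk the config remembering which object is open, so the later
    `object network X` block that carries only the nat line is tied to X's address."""
    objects = {}
    rules = []
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("object network "):
            current = line.split()[2]
        elif line.startswith("host "):
            objects[current] = ipaddress.IPv4Network(line.split()[1] + "/32")
        elif line.startswith("subnet "):
            _, addr, mask = line.split()
            objects[current] = ipaddress.IPv4Network(f"{addr}/{mask}")
        else:
            m = NAT_RE.match(line)
            if m:
                has_service = m["proto"] is not None
                rules.append(NatRule(
                    obj=current, real=objects[current], kind=m["kind"], mapped=m["mapped"],
                    proto=m["proto"],
                    real_port=port_number(m["real_port"]) if has_service else None,
                    mapped_port=port_number(m["mapped_port"]) if has_service else None,
                ))
    return rules


def translate_outbound(rules, src_ip, src_port, proto="tcp") -> Tuple[Optional[str], str, Optional[int]]:
    """Return (matching object name, mapped address, mapped port) for a flow an
    inside host initiates. A None object name means no rule matched."""
    ip = ipaddress.IPv4Address(src_ip)
    # Section 2 order: static before dynamic, then fewer real addresses first, then object name.
    ordered = sorted(rules, key=lambda r: (r.kind != "static", r.real.num_addresses, r.obj))
    for r in ordered:
        if ip not in r.real:
            continue
        if r.kind == "static":
            if r.real_port is not None and (r.proto != proto or r.real_port != src_port):
                continue   # port-specific static PAT: only the configured real port matches
            return r.obj, r.mapped, (r.mapped_port if r.real_port is not None else src_port)
        return r.obj, r.mapped, None   # dynamic PAT: the ASA picks the mapped port at runtime
    return None, src_ip, src_port      # no nat-control in 8.3+: forwarded untranslated


RULES = parse_object_nat(CONFIG)

if __name__ == "__main__":
    # Flows taken from the thread's packet-tracer and sh conn output.
    for ip, sport in [("2.2.2.2", 23), ("2.2.2.2", 28826), ("10.10.10.1", 8080),
                      ("10.10.10.1", 14811), ("192.168.10.5", 1025)]:
        print(ip, sport, "->", translate_outbound(RULES, ip, sport))
```

Running it shows why the packet-tracer sourced from port 23 hit the `static` object (2.2.2.2/23 to 3.3.3.3/23) while a connection from an ephemeral port such as 28826 matches neither that rule nor the dynamic rule, whose real subnet is 192.168.10.0/24. On a real box the same thing can be confirmed without guessing: run the packet-tracer with a random source port as Julio asked, and compare the `translate_hits` and `untranslate_hits` counters in `show nat` for each object before and after the test connection.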
New Member

Static Port Address Translation 8.4

Tx Julio,

Suppose I am looking for only inbound, then what do I have to do?

Thanks
