Often the NAT rule that causes this will look like something like this: The side effect of this is that inbound packets destined to the outside IP will match this translation first, get dropped, and not proceed further down the table to match your new NAT line.
Portforward static ip manual#
Often this is because a manual NAT rule exists that performs PAT for outbound traffic (inside to outside) using the outside interface as the global PAT ip. Usually this means that an inbound packet matched a nat rule higher in the table and didn't proceed down to your nat rule you created to match this traffic. When we see inbound packets dropped and they are destined to the outside interface IP, and the syslog reads "UDP request discarded from.to outside: LocalASAOutsideIP/"
Ok, we're going farther down the rabbit hole here. Using the packet tracer tool to inject a sample packet into the ASA's outside interface, I can verify that the NAT rules I created are being hit appropriately and translating the packet!ĪSA# packet-tracer input outside udp 4.4.4.4 48483 1.1.1.20 9000 Note that the NAT statements I created start at #4, since I have three other NAT statements in my configuration that I've omitted from this example.Ĥ (inside) to (outside) source static obj-10.10.10.1 obj-1.1.1.20 service obj-serviceUDP9000 obj-serviceUDP9000 Using the 'show nat detail' command shows that these three nat statements I added to the configuration. Nat (inside,outside) source static obj-10.10.10.1 obj-1.1.1.20 service obj-serviceUDP9000 obj-serviceUDP9000
Note that even though the connections might be initiated INBOUND (meaning from hosts on the internet to the internal network), we'll define the translations from inside to outside.we could have made the translations from outside to inside (outside,inside) but defining the translations from the outbound perspective keeps things a bit simpler.
Then define the objects that represent the services that you want to translate.the key here is that they can include a range of portsįinally, define the manual NAT commands that will translate those port ranges from the local to the global IPs. This can be accomplished easily using the NAT syntax of ASA version 8.3 or greater:įirst, define objects that represent the hosts on the inside, and the global address on the outside I could find any way of configuring a static NAT that using the port range (50000-65500), and i'm not about to write 15000 static NAT statements.ĭoes anyone know how you can use the port range in the static NAT? I am curently running into the following problem with configuring static NATs and PATs.Īt some of our locations, the external IP's are mapped to internal IP's based on port ranges, and I can't find a way to replicate that on the ASA. I am in the process of replacing all of our checkpoint firewalls with Cisco ASA's. He was migrating the configuration to the ASA from another vendor. Recently the user Sami had a question about using the ASA to translate different ranges of ports from one external global ip to different internal (local) IP addresses.
0 kommentar(er)
