NAT the Destination Port

Discussion in 'Cisco' started by vaughan.hickford@airways.co.nz, Sep 15, 2008.

  1. Guest

    I have a customer who would like to have the destination port changed
    from 162 to 90000 at the firewall. 162 is the destination port as seen
    by the agent on the PC, i.e.

    123.123.123.123.161 sends to 321.321.321.321 162.

    What they would like the firewall to do is forward the 161 port to the
    90000 port. What I see in the logging is 161 still trying to hit 162
    even though the access-list on the firewall states 90000.

    I believe this can't be done unless you change the destination port on
    the sending PC.

    Is this true?

    I am using an ASA5510.
     
    , Sep 15, 2008
    #1

  2. In article <>,
    <> wrote:

    >I have a customer who would like to have the destination port changed
    >from 162 to 90000 at the firewall. 162 is the destination port as seen
    >by the agent on the PC, i.e.

    >123.123.123.123.161 sends to 321.321.321.321 162.

    >What they would like the firewall to do is forward the 161 port to the
    >90000 port. What I see in the logging is 161 still trying to hit 162
    >even though the access-list on the firewall states 90000.

    >I believe this can't be done unless you change the destination port on
    >the sending PC.

    >Is this true?

    >I am using an ASA5510.


    No, it isn't true. Use a "reverse static". I don't know the
    ASA syntax at the moment. The PIX 6 syntax would be:

    static (outside,inside) udp 321.321.321.321 162 321.321.321.321 90000

    Notice that static would -normally- have the interface order
    (inside,outside) and would -normally- have the information about
    the outside address first on the line. In reverse statics, the
    interface order and addressing order are swapped.
     
    Walter Roberson, Sep 15, 2008
    #2

  3. Guest

    Walter Roberson <> wrote:
    > No, it isn't true. Use a "reverse static". I don't know the
    > ASA syntax at the moment. The PIX 6 syntax would be:
    >
    > static (outside,inside) udp 321.321.321.321 162 321.321.321.321 90000
    >
    > Notice that static would -normally- have the interface order
    > (inside,outside) and would -normally- have the information about
    > the outside address first on the line. In reverse statics, the
    > interface order and addressing order are swapped.


    This might even work, at least if you take into account that port numbers
    are unsigned 16-bit entities and you have to choose a port from that range.
    And since log_2(90000) > 16...

    Ciao Chris
    --
    All those moments will be lost in time, like tears in rain
    Dipl-Ing (FH) Christian 'Dr. Disk' Hechelmann <> IRC: DrDisk
    GPG Fingerprint: 53BF634B 28326F92 79651A15 F84ABB55 4F068E4E
    I think live weapons and "fire at will" should be part of the
    admin job. [Lars Marowsky-Bree in d.a.s.r]
     
    , Sep 22, 2008
    #3
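
Added example, not part of any post in this thread: a Python check for the point raised in post #3, that a port in a port-redirect `static` line must fit the unsigned 16-bit port field. The names `check_static` and `fits_udp_header` are made up for this example, the sample line using port 9000 is constructed, and the addresses are not validated because the thread uses placeholders.

```python
import re
import struct

# Shape of the PIX 6 port-redirect line quoted in post #2:
#   static (if_a,if_b) {tcp|udp} <ip> <port> <ip> <port>
STATIC_RE = re.compile(
    r"^static\s+\((\w+),(\w+)\)\s+(tcp|udp)\s+"
    r"(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s*$"
)
MAX_PORT = 0xFFFF  # TCP/UDP port fields are unsigned 16-bit


def fits_udp_header(src_port, dst_port):
    """True if both ports can be packed into the 16-bit UDP header fields."""
    try:
        # UDP header layout: source port, destination port, length, checksum
        struct.pack("!HHHH", src_port, dst_port, 8, 0)
        return True
    except struct.error:
        return False


def check_static(line):
    """Return a list of problems found in one port-redirect static line."""
    m = STATIC_RE.match(line.strip())
    if not m:
        return ["not a port-redirect static line"]
    problems = []
    for label, value in (("first", m.group(5)), ("second", m.group(7))):
        port = int(value)
        if not 0 <= port <= MAX_PORT:
            problems.append(
                f"{label} port {port} is outside 0-{MAX_PORT} "
                f"(low 16 bits would be {port & MAX_PORT})"
            )
    return problems


if __name__ == "__main__":
    samples = [
        # Line as posted in the thread
        "static (outside,inside) udp 321.321.321.321 162 321.321.321.321 90000",
        # Constructed variant with a port that fits in 16 bits
        "static (outside,inside) udp 321.321.321.321 162 321.321.321.321 9000",
    ]
    for s in samples:
        print(s, "->", check_static(s) or "ports OK")
    print("UDP header can carry 161 -> 90000:", fits_udp_header(161, 90000))
```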