NAT the Destination Port

I have a customer who would like to have the destination port changed from 162 to 90000 at the firewall. 162 is the destination port as seen by the agent on the PC, i.e.

123.123.123.123.161 sends to 321.321.321.321 162.

What they would like the firewall to do is forward the 161 port to the 90000 port. What I see in the logging is 161 still trying to hit 162 even though the access-list on the firewall states 90000.

I believe this can't be done unless you change the destination port on the sending PC.

Is this true?

I am using an ASA5510.

Reply to
vaughan.hickford

No, it isn't true. Use a "reverse static". I don't know the ASA syntax at the moment. The PIX 6 syntax would be:

static (outside,inside) udp 321.321.321.321 162 321.321.321.321 90000

Notice that static would -normally- have the interface order (inside,outside) and would -normally- have the information about the outside address first on the line. In reverse statics, the interface order and addressing order is swapped.

Reply to
Walter Roberson

This might even work, at least if you take into account that port numbers are unsigned 16-bit entities and you have to choose a port from that range. And since log_2(90000) > 16...

Ciao Chris

-- 
All these moments will be lost in time, like tears in rain.
Dipl-Ing (FH) Christian 'Dr. Disk' Hechelmann IRC: DrDisk GPG Fingerprint: 53BF634B 28326F92 79651A15 F84ABB55 4F068E4E
I think sharp weapons and "fire at will" should be part of the admin job. [Lars Marowsky-Bree in d.a.s.r]

Reply to
drdisk
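
An added example, not part of the thread: a small linter for the PIX 6 port-redirect static form quoted above that flags numeric ports outside the 16-bit range the last reply points to. The function names and the second sample line are constructed for illustration, and non-numeric port tokens are assumed to be named services and are skipped.

```python
import re

PORT_MAX = 0xFFFF  # TCP/UDP port fields are 16 bits wide

# Form quoted in the thread:
#   static (if_a,if_b) tcp|udp <addr> <port> <addr> <port>
STATIC_RE = re.compile(
    r"^\s*static\s+\((\w+),(\w+)\)\s+(tcp|udp)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)",
    re.IGNORECASE,
)

def lint_static(line):
    """Return a list of problems in the port fields of one static line."""
    m = STATIC_RE.match(line)
    if m is None:
        return []  # other static forms carry no port fields to check
    problems = []
    for label, token in (("first", m.group(5)), ("second", m.group(7))):
        if not token.isdecimal():
            continue  # assumption: a named service, not checked here
        port = int(token)
        if port == 0 or port > PORT_MAX:
            problems.append(
                f"{label} port {port} is outside 1-{PORT_MAX}; "
                f"its low 16 bits are {port & PORT_MAX}"
            )
    return problems

def lint_config(text):
    """Map line number -> problems for every static line that has any."""
    report = {}
    for n, line in enumerate(text.splitlines(), 1):
        found = lint_static(line)
        if found:
            report[n] = found
    return report

# Constructed sample: line 1 is the command from the thread (addresses are
# the thread's placeholders and are not validated); line 2 is a constructed
# variant with an in-range port.
SAMPLE = """\
static (outside,inside) udp 321.321.321.321 162 321.321.321.321 90000
static (outside,inside) udp 321.321.321.321 162 321.321.321.321 9000
"""

if __name__ == "__main__":
    for n, problems in lint_config(SAMPLE).items():
        for p in problems:
            print(f"line {n}: {p}")
```

The low-16-bits figure in the message shows what a parser that silently truncated the value would end up with; whether a given device rejects or truncates such a port is not stated in the thread.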
