IEOC - INE's Online Community

Latest post 04-06-2017 7:33 AM by aruncie. 0 replies.
  • 04-06-2017 7:33 AM

    Multiple Port Forwarding with NAT ASA 9.3

    Hi all,

    I have a setup where I have 2 different internal devices that need to share the same external IP, but I want inbound traffic from external sources to go to one of the two different devices based on what destination ports are being used. 

    Device 1:
    Internal IP
    Listening on ports: TCP/UDP 80, TCP/UDP 8000, TCP/UDP 8001

    Device 2:
    Internal IP
    Listening on ports: UDP 18000, UDP 19000

    External Shared IP

    So basically, if an outside source navigated to at any of the TCP/UDP ports of 80, 8000, or 8001 they'd land on Device 1, but if they navigated to at any UDP ports 18000 or 19000 they'd land on device 2.

    I'm running ASA 9.3 code, and I see where I can do object nat and add the "service tcp" options, such as below:

    object network DEVICE1_REAL
     nat (inside,outside) static service tcp 80 80

    ...but this only lets me specify the one service (in this case, TCP port 80).

    So next I tried to set it up with object groups as below:

    object-group service DEVICE1_SERVICES
     service-object object TCP_80
     service-object object UDP_80
     service-object object TCP_8000
     service-object object UDP_8000
     service-object object TCP_8001
     service-object object UDP_8001

    object-group service DEVICE2_SERVICES
     service-object object UDP_18000
     service-object object UDP_19000

    And then do a static nat configuration:

    nat (inside,outside) source static DEVICE1_REAL DEVICE1_TRANSLATED service DEVICE1_SERVICES

    ...but this gives me an error stating that I have to use a single service object at the end there, not a service GROUP.

    So, I guess my question is: is there any way to accomplish this on the ASA so that I don't have to have a separate NAT statement for each and every service I need translated? I have 48 total devices I need to do this with, and I'm trying to keep the config under control.

    • Post Points: 5
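As an added example (not from the poster or from Cisco), the per-port object NAT form that the poster's single-service limitation forces, generated from a device list so that 48 devices stay manageable; a pre-push check flags two devices claiming the same external IP, protocol and port, since two static port-translation rules for the same mapped socket cannot both apply. Device names, interface names and the RFC 5737 addresses are constructed placeholders, not the poster's values.

```python
"""Generate per-port object NAT statements (ASA 8.3+ syntax) from a device list.

Constructed example: device names and addresses are placeholders (RFC 5737),
not the poster's real addresses.
"""
from collections import defaultdict

# (device name, real/inside IP, shared external IP, [(proto, port), ...])
DEVICES = [
    ("DEVICE1", "192.0.2.10", "203.0.113.5",
     [("tcp", 80), ("udp", 80), ("tcp", 8000), ("udp", 8000),
      ("tcp", 8001), ("udp", 8001)]),
    ("DEVICE2", "192.0.2.11", "203.0.113.5",
     [("udp", 18000), ("udp", 19000)]),
]


def find_conflicts(devices):
    """Return (external IP, proto, port) tuples claimed by more than one device.

    Two static port forwards to the same mapped IP/proto/port cannot both be
    honoured, so catch the overlap before pushing config to the firewall.
    """
    claims = defaultdict(set)
    for name, _real_ip, ext_ip, services in devices:
        for proto, port in services:
            claims[(ext_ip, proto, port)].add(name)
    return sorted(key for key, names in claims.items() if len(names) > 1)


def build_nat_config(devices, real_ifc="inside", mapped_ifc="outside"):
    """One network object per (device, proto, port).

    Object NAT accepts a single service per object, so the same inside host is
    defined once per forwarded port, each object carrying its own static rule.
    """
    conflicts = find_conflicts(devices)
    if conflicts:
        raise ValueError(f"overlapping forwards: {conflicts}")
    lines = []
    for name, real_ip, ext_ip, services in devices:
        for proto, port in services:
            lines.append(f"object network {name}_{proto.upper()}_{port}")
            lines.append(f" host {real_ip}")
            # real (inside) port first, then mapped port; unchanged here
            lines.append(f" nat ({real_ifc},{mapped_ifc}) static {ext_ip} "
                         f"service {proto} {port} {port}")
    return lines


if __name__ == "__main__":
    print("\n".join(build_nat_config(DEVICES)))
```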