NAT – Source and Destination NAT in Cisco ASA

cisco-asa nat

Really confused regarding source NAT and destination NAT in Cisco ASA.
I have an NVR at IP 10.10.20.20 and locally it is opened via http://10.10.20.20.
Remotely, I want this to be accessed via my public IP 201.202.203.204:8080.
So what I understand is, I have to port forward this port on this public IP.
Is it not destination NAT?
What I use here is auto NAT:
object network obj-10.10.20.20
 host 10.10.20.20
 nat (inside,outside) static interface service tcp 80 8080

And with manual NAT:
We create objects.
object network obj-10.10.20.20
 host 10.10.20.20

Similarly, for ports:
object service port-80
 service tcp source eq 80

object service port-8080
 service tcp source eq 8080

So, the NAT command would be like:
nat (inside,outside) source static obj-10.10.20.20 interface service port-80 port-8080

And access rule would be:
access-list access-list-name extended permit tcp any host 10.10.20.20 eq http

Is it not that port-8080 should have been the destination port? After all, we are opening port 8080 for remote users.
Please clarify when it becomes the source port and when it becomes the destination port.
Thank you in advance.

Best Answer

When you configure a static PAT rule with (inside,outside), this actually creates a persistent connection in your NAT table that is bidirectional between the two specified interfaces. You can see this with show xlate. This makes it so you don't need to create two NAT rules for a static PAT rule, with one rule handling inbound traffic to the outside interface and the other handling inbound traffic to the inside interface. You can create a unidirectional static NAT rule by adding the unidirectional statement at the end of your NAT statement to override this behavior.

With the ASA 8.3+ NAT syntax, we use all real IP addresses and ports. I just think of it as the NAT translation happens before your inbound ACL is applied.

Josh
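
The behaviour described in the answer, as a small Python model that is an added example and not ASA code or part of the original posts: one static PAT entry is applied to the source on inside-to-outside traffic and, in reverse, to the destination on outside-to-inside traffic, and the ACL is then checked against the real IP and port. The client address 198.51.100.7, the class names and the function names are constructed for illustration; the treatment of `unidirectional` (the outside can no longer initiate to the real host) is an assumption based on Cisco's description of that keyword.

```python
from typing import NamedTuple, Optional

class Packet(NamedTuple):
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class StaticPat(NamedTuple):
    real_ip: str          # inside host as written in the NAT rule
    real_port: int
    mapped_ip: str        # outside interface address ("interface" keyword)
    mapped_port: int
    unidirectional: bool = False

# Values from the question: NVR 10.10.20.20:80 published as 201.202.203.204:8080
RULE = StaticPat("10.10.20.20", 80, "201.202.203.204", 8080)

def translate_outbound(rule: StaticPat, pkt: Packet) -> Packet:
    """inside -> outside: the real host is the SOURCE, so source IP/port are rewritten.
    This is why the service objects in the manual NAT rule say 'source eq'."""
    if (pkt.src_ip, pkt.src_port) == (rule.real_ip, rule.real_port):
        return pkt._replace(src_ip=rule.mapped_ip, src_port=rule.mapped_port)
    return pkt  # this rule does not apply

def untranslate_inbound(rule: StaticPat, pkt: Packet) -> Optional[Packet]:
    """outside -> inside: the same entry in reverse, mapped DESTINATION becomes real."""
    if rule.unidirectional:
        return None  # assumption: outside cannot initiate through a unidirectional rule
    if (pkt.dst_ip, pkt.dst_port) == (rule.mapped_ip, rule.mapped_port):
        return pkt._replace(dst_ip=rule.real_ip, dst_port=rule.real_port)
    return None  # nothing published on that address/port

def acl_permits(pkt: Optional[Packet]) -> bool:
    """Models: permit tcp any host 10.10.20.20 eq http (real IP, real port)."""
    return pkt is not None and (pkt.dst_ip, pkt.dst_port) == ("10.10.20.20", 80)

def inbound_allowed(rule: StaticPat, pkt: Packet) -> bool:
    # 8.3+ order described in the answer: un-translate first, then apply the ACL
    return acl_permits(untranslate_inbound(rule, pkt))

if __name__ == "__main__":
    request = Packet("198.51.100.7", 51000, "201.202.203.204", 8080)  # constructed
    reply = Packet("10.10.20.20", 80, "198.51.100.7", 51000)          # constructed
    print("inbound after un-NAT:", untranslate_inbound(RULE, request))
    print("ACL permits:", inbound_allowed(RULE, request))
    print("reply after NAT:", translate_outbound(RULE, reply))
```

An ACL written against port 8080 would never match here, because by the time the ACL is evaluated the destination port has already been restored to 80.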