ASA PAT UDP source port

Is there a way to preserve the source port for UDP packets that use a PAT pool?
Here is what I need:
The client (1.1.1.1) sends a UDP packet from port 5060 to port 5060 on our external 2.2.2.2. This packet is port forwarded to our internal server 10.10.10.10 with the original source and destination port. The server then sends a UDP response to the client from port 5060 to port 5060. The server is in a PAT pool that only contains the address 2.2.2.2. The ASA changes the source port and our client ends up rejecting the packet because the source port is not what it expected.
How can I preserve the original source port when the packet goes through the PAT pool?
Thanks,
Steven

Hi,
Well you could probably make this work for the outbound direction BUT in the inbound direction from the Internet I don't think there is really a way to use the same public IP address and public UDP port.
I mean, the ASA doesn't have any way to determine what traffic on destination port UDP5060 to destination IP 2.2.2.2 would have to be forwarded to which internal IP.
It would simply use the first rule matched always.
But as I said for the outbound direction it might work.
You would simply add another similar NAT statement with a different source object with a different source IP address. ASA would again accept the command but give a warning about rule overlap.
I guess the below added would work for the outbound direction IN THEORY
object network HOST-1
host 10.10.11.11
object network HOST-2
host 10.10.11.12
nat (inside,outside) source static HOST-1 interface service UDP5060 UDP5060
nat (inside,outside) source static HOST-2 interface service UDP5060 UDP5060
But not for inbound, though if I understood correctly, the inbound traffic should only even go to a single virtual IP
I would imagine this is as close as you can get to "implementing" something weird on the ASA
- Jouni
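The reason Jouni gives for the inbound direction is that the translation table is keyed on the mapped side: one public (protocol, IP, port) tuple can point at only one inside host. The following toy model is an added example written for this page, not Cisco code, and the port-allocation order it uses when the real port is taken is an assumption, not the ASA's real algorithm. It implements only the rule quoted lower on this page ("if available, the real source port number is used for the mapped port") and shows what happens when two inside hosts both source UDP/5060 behind the single PAT address 2.2.2.2.

```python
"""Toy model of ASA-style dynamic PAT port allocation.

Added example; not Cisco code. The allocation order for a collision is an
assumption (first free port from 1024 up), not what the ASA actually does.
What it does model faithfully is the invariant that makes Jouni's point:
the mapped tuple (proto, mapped_ip, mapped_port) must be unique, so two
inside hosts both sourcing UDP/5060 cannot both appear as 2.2.2.2:5060, and
an inbound packet to 2.2.2.2:5060 can be delivered to at most one of them.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, str, int]   # (proto, ip, port)


@dataclass
class PatTable:
    mapped_ip: str
    pool: range = range(1024, 65536)          # assumed allocation range, not the ASA's
    # mapped endpoint -> real endpoint, plus the reverse index used for outbound lookups
    outbound: Dict[Endpoint, Endpoint] = field(default_factory=dict)
    inbound: Dict[Endpoint, Endpoint] = field(default_factory=dict)

    def translate(self, proto: str, real_ip: str, real_port: int) -> Tuple[str, int]:
        """Return (mapped_ip, mapped_port) for an outbound packet, creating an xlate if needed."""
        real = (proto, real_ip, real_port)
        if real in self.outbound:                      # an existing xlate is reused as-is
            _, ip, port = self.outbound[real]
            return ip, port
        preferred = (proto, self.mapped_ip, real_port)
        if preferred not in self.inbound:              # "if available, the real source port is used"
            mapped = preferred
        else:                                          # taken by another inside host: pick another
            mapped = self._allocate(proto)
        self.outbound[real] = mapped
        self.inbound[mapped] = real
        return mapped[1], mapped[2]

    def _allocate(self, proto: str) -> Endpoint:
        for port in self.pool:
            candidate = (proto, self.mapped_ip, port)
            if candidate not in self.inbound:
                return candidate
        raise RuntimeError("PAT pool exhausted for %s" % proto)

    def untranslate(self, proto: str, mapped_port: int) -> Optional[Tuple[str, int]]:
        """Which real host does an inbound packet to mapped_ip:mapped_port reach, if any?"""
        real = self.inbound.get((proto, self.mapped_ip, mapped_port))
        return None if real is None else (real[1], real[2])


def demo() -> dict:
    """Two inside SIP hosts behind one PAT address; only the first keeps port 5060."""
    table = PatTable("2.2.2.2")
    first = table.translate("udp", "10.10.10.10", 5060)    # 5060 is free: preserved
    second = table.translate("udp", "10.10.11.11", 5060)   # 5060 is taken: re-mapped
    return {
        "first": first,
        "second": second,
        "inbound_5060": table.untranslate("udp", 5060),    # reaches 10.10.10.10 only
        "inbound_other": table.untranslate("udp", second[1]),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Running it prints that 10.10.10.10 keeps 2.2.2.2:5060 while 10.10.11.11 is mapped to another port; the second host's peer sees a source port it did not expect, which is exactly the symptom in the question. Replace the dictionary with a `show xlate` listing from a real ASA and the same uniqueness rule holds.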

Similar Messages

  • Cisco ASA, skipping real source port number with PAT.

    Hi Experts,
    Cisco ASA configuration guide says:
    "PAT translates multiple real addresses to a single mapped IP address by translating the real address and source port to the mapped address and a unique port. If available, the real source port number is used for the mapped port. "
    Is it possible to skip this? I do not want to use the real source port number. The issue is, when I have a PAT entry with real source port (port 5060), the SIP session doesn't work. With all the other port numbers, everything works.

    Hi,
    Notice that the configuration you try does not modify the real source port at all.
    Since you are using the same "object" for the real/mapped service then the configuration above matches traffic where the connection's destination is "any" and the destination is "udp 6000 65535" and only when the source is "udp sip" and in that event it keeps the exact same "udp sip" source port as you are using the same "object".
    I am not sure if it's a software or configuration related issue but I have not gotten this to work reliably on my ASA. I might have to try some other software level.
    I guess you would want to match the SIP source port in the Dynamic PAT and avoid using the SIP port as the mapped port? With that in mind I was thinking something like this
    object service UDP-SIP
     service udp source eq sip
    object service UDP-SIP-MAPPED
     service udp source range 30000 31000
    nat (VoiP,outside) source dynamic <source network object> interface service UDP-SIP UDP-SIP-MAPPED
    Though the above configuration seems to be bypassed by the ASA completely and it seems to use the identical source port as the mapped port even though it matches the configuration.
    If I were to change the above configuration from "dynamic" to "static" then the configuration matches but it uses only the first mapped "source" port of "30000". I guess it would only use a different mapped port if you used multiple real source ports also instead of the current single source port "sip".
    nat (VoiP,outside) source static <source network object> interface service UDP-SIP UDP-SIP-MAPPED unidirectional
    Example from my own ASA.
    DYNAMIC
    - Matches the configuration but doesn't map the port at all
    Phase: 5
    Type: NAT
    Subtype:
    Result: ALLOW
    Config:
    nat (LAN,WAN) source dynamic LAN-NETWORK interface service SIP SIP-MAPPED
    Additional Information:
    Dynamic translate 10.0.0.123/5060 to <my pat ip>/5060
    STATIC
    - Matches the configuration and maps the source port but only uses the first mapped port from the range
    Phase: 4
    Type: NAT
    Subtype:
    Result: ALLOW
    Config:
    nat (LAN,WAN) source static LAN-NETWORK interface service SIP SIP-MAPPED unidirectional
    Additional Information:
    Static translate 10.0.0.123/5060 to <my pat ip>/30000
    I am not really sure if this configuration is reliable at all but its the only thing I can think of at the moment.
    Hope this helps :)
    - Jouni

  • Advanced ASA PAT configuration...

    I have a unique requirement for my ASA PAT configuration...
    By default a Cisco router running IOS will utilize the SAME port when creating a dynamic PAT, i.e. the inside host's request generates a dynamic PAT where the request's source port is the port which is translated to the inside host from the outside interface.
    The ASA ignores the inside hosts source port, and maps the PAT using its own random port above 1024.
    I would like to over-ride this default behavior and instruct the ASA to use the same port for PAT that was the inside host's initiated source port.
    TIA for any help,
    Travis

    The document present in the URL below will be of great help to you in defining the port number manually:
    http://www.cisco.com/en/US/docs/ios/12_4t/ip_addr/configuration/guide/htpt4pat.html#wp1049437

  • Preserve Source Port through NAT

    Hi All,
    We are having problems with some of our NAT translations. We need the router to preserve the source port of the outbound connection, but instead it is generating a random source port for each translation (highlighted in bold):
    udp  217.x.x.x:17127  192.168.55.71:8061    84.x.x.x:8060     84.x.x.x:8060
    I believe the port-randomisation feature was brought in with IOS 12.4, but I don't think I can disable this feature on the IOS I am using. Is there any way I can create a static translation which preserves the source port? Any help would be greatly appreciated.
    Plaform: cisco ASR1002
    IOS: 15.4(3)S2

    These are for phones on the internal network, they will be contacting a remote server, and each phone has been configured to use a unique source port for the outbound connection. This allows the server to identify each individual phone when the connection comes in (it also means that no two phones should be using the same source port, so PAT should have no need to alter these).
    The translation you mentioned would appear to create a static inbound translation, forcing all inbound connections on 8061 to the same port on an internal host. I'm trying to achieve the opposite, forcing the outbound connection's source port to not be altered.

  • Setting the local/source port in SIP responses

    Oracle/Weblogic SIP server picks up 'random' local or source port when sending SIP responses. This is a problem for
    one of our load balancer. Can we make it use '5060' or some 'constant' port number instead of 'random' behavior ?
    Any help would be appreciated.
    Thanks,
    Krishna V

    Yes..
    SIP Server network channels provide a SourcePorts attribute that you can use to configure one or more static ports that a server uses for originating UDP packets.
    Snippet from config.xml
    <network-access-point>
    <name>sip</name>
    <protocol>sip</protocol>
    <listen-port>5060</listen-port>
    <public-port>5060</public-port>
    <custom-properties>SourcePorts=5060</custom-properties>
    </network-access-point>
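The SourcePorts setting above fixes the server side of the same problem the ASA threads describe: a UDP response that leaves from a fresh socket carries whatever ephemeral source port the kernel picked, and a peer, load balancer or NAT that keyed its state on port 5060 drops it. The script below is an added example, not WebLogic or Oracle code; it is a toy SIP responder on loopback that answers a constructed OPTIONS request either from its listening socket (correct) or from a throwaway socket (the "random source port" behaviour), and reports the source port the client actually sees. It binds OS-chosen ports instead of 5060 so it runs unprivileged; a real server would bind 5060 and answer from that same socket.

```python
"""Why a UDP SIP server must answer from its listening socket.

Added example, not WebLogic/Oracle code. Two loopback sockets play server and
client; the only thing that differs between the two runs is which socket the
reply leaves through, and therefore the UDP source port the client observes.
"""
import socket

# Constructed request; a minimal SIP OPTIONS ping is enough to elicit a reply.
SIP_OPTIONS = b"OPTIONS sip:loopback SIP/2.0\r\nVia: SIP/2.0/UDP 127.0.0.1\r\n\r\n"


def _serve_one(listen_sock: socket.socket, reuse_listener: bool) -> None:
    """Handle one datagram. reuse_listener=False reproduces the 'random source port' bug."""
    data, peer = listen_sock.recvfrom(2048)
    if data.startswith(b"OPTIONS"):
        reply = b"SIP/2.0 200 OK\r\n\r\n"
    else:
        reply = b"SIP/2.0 400 Bad Request\r\n\r\n"
    if reuse_listener:
        listen_sock.sendto(reply, peer)          # source port == the port we listen on
    else:
        tmp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        try:
            tmp.sendto(reply, peer)              # kernel assigns an ephemeral source port
        finally:
            tmp.close()


def exchange(reuse_listener: bool):
    """Run one request/response over loopback.

    Returns (server_listen_port, source_port_seen_by_client, reply_bytes).
    """
    server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        server.bind(("127.0.0.1", 0))            # 0 = OS picks; a real SIP server binds 5060
        client.bind(("127.0.0.1", 0))
        server.settimeout(2.0)
        client.settimeout(2.0)
        listen_port = server.getsockname()[1]
        client.sendto(SIP_OPTIONS, ("127.0.0.1", listen_port))
        _serve_one(server, reuse_listener)       # single-threaded: the datagram is queued
        reply, (_, reply_src_port) = client.recvfrom(2048)
        return listen_port, reply_src_port, reply
    finally:
        server.close()
        client.close()


def reply_source_port_matches(reuse_listener: bool) -> bool:
    """True when the client sees the reply arrive from the server's listening port."""
    listen_port, reply_src_port, _ = exchange(reuse_listener)
    return listen_port == reply_src_port


if __name__ == "__main__":
    for mode in (True, False):
        lp, sp, _ = exchange(mode)
        print("reuse_listener=%s: listen port %d, reply source port %d" % (mode, lp, sp))
```

This is the same check a packet capture on the load balancer would give you: if the reply's source port differs from the listen port, the server is opening new sockets per response and the SourcePorts (or equivalent) setting is what fixes it.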

  • How do I NAT based on destination port while source port can be ANY

    Goal - I want to forward Internet bound HTTP and HTTPS traffic to a Proxy via an IPSEC Tunnel - I want to maintain my private IP as it goes across the IPSEC Tunnel - I also want remaining Internet Traffic to route normally by NATing to my outside address.
    In 8.4 this is quite easy as I can specify a destination port and have "any" source port for the NAT
    Here is a snap shot of the config:
    object service Proxy_HTTP
    service tcp destination eq www
    object service Proxy_HTTPS
    service tcp destination eq https
    nat (inside,outside) source static any any service Proxy_HTTP Proxy_HTTP
    nat (inside,outside) source static any any service Proxy_HTTPS Proxy_HTTPS
    object network Non_Proxy
    nat (any,outside) dynamic interface
    PROBLEM: I need this behavior in 8.2.x  - I have found no way to mimic this.
    You cannot use NAT Exemption as it cannot be port based
    A static policy NAT with Access list will not work as you must specify a single source port - Since there is no way to predict the source port this wont work.
    I don't see any of the other NAT Types working this way.
    If there is a way to make this work in 8.2 please let me know - We have many ASAs and we are not ready to make the leap to 8.4 but we need to use the proxy.


  • Received response from host (router IP address) with invalid source port 32784

    I replaced my old wireless router with a Cisco Linksys E4200, running firmware version 1.0.02 build 13  May 24, 2011.  About once a minute the router sends an unsolicited DNS message to the IPV4 multicast address 01:00:5e:00:00:fb with a destination IP address of 224.0.0.251.  The unsolicited message is a DNS response with source port 32784, transaction ID 0, flags 0x8400 (standard query response, no error), questions 0, answer RRs 2, authority RRs 0 and additional RRs 1.  The two answers both relate to the router itself: one has Name Cisco18738.local, type A (host address), class 1 (IN), cache flush true, time to live 1 minute, data length 4, and the address of the router.  The other is the reverse of the same address.  The additional record is for Cisco18738.local, type NSEC, class IN, cache flush true, time to live 1 minute, data length 5, next domain name Cisco18738.local, RR type A (host address).
    When my desktop computer receives these messages it logs an error, for example: "Jun 23 07:39:22 sauterws02 avahi-daemon[1067]: Received response from host 10.146.9.1 with invalid source port 32784 on interface 'eth0.0'"  The 10.146.9.1 is the router's IP address.  I also see these messages on the wireless link from my laptop.
    I suppose the E4200 is generating these DNS messages in a misguided attempt to make sure there is no old information about its name.  Is there a way to turn them off?  If not, is there a way to report this to Cisco as a bug?

    gv wrote:
    1. To contact Linksys, call support.
    2. From the internet draft: "Multicast DNS implementations MUST
    silently ignore any Multicast DNS Responses they receive where the
    source UDP port is not 5353." Your avahi-daemon does not comply with this draft.
    Thank you for the reference.  For the sake of others who may read this thread, the current draft of multicast DNS is at http://www.ietf.org/id/draft-cheshire-dnsext-multicastdns-14.txt. 
    Here is the whole paragraph from which you quoted, from section 6 (Responding): "The source UDP port in all Multicast DNS Responses MUST be 5353 (the well-known port assigned to mDNS). Multicast DNS implementations MUST silently ignore any Multicast DNS Responses they receive where the source UDP port is not 5353."
    Thus, it appears that there are two errors here: the Cisco E4200 is not using 5353 as the source port, and the logger is not silently ignoring it.
    The message appears to be an announcement rather than an actual response to a query.  In section 8.3 (Announcing) I found this paragraph: "A Multicast DNS Responder MUST NOT send announcements in the absence of information that its network connectivity may have changed in some relevant way. In particular, a Multicast DNS Responder MUST NOT send regular periodic announcements as a matter of course."  Thus, it appears that there are three errors here.
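The two rules quoted from the draft are mechanical enough to check in code. The script below is an added example, not avahi or Linksys code: it parses the DNS header and resource records of a multicast DNS datagram and applies the source-port rule from section 6, so a response from port 32784 is classified as one to ignore while the same bytes from 5353 are accepted. The packet it runs on is constructed to reproduce the fields reported in the post (ID 0, flags 0x8400, cache-flush bit set, TTL 60, an NSEC record whose type bitmap names only A); it is a simplified stand-in with one answer and one additional record, not a capture from the E4200.

```python
"""Classify inbound mDNS responses per the quoted draft and decode what they announce.

Added example, not avahi or Linksys code. ROUTER_ANNOUNCEMENT is constructed to
mirror the post's reported fields; it is not a real capture.
"""
import struct
from typing import List, Tuple

MDNS_PORT = 5353
TYPE_A, TYPE_NSEC = 1, 47


def parse_header(payload: bytes) -> dict:
    """Decode the fixed 12-byte DNS header (RFC 1035 layout, big-endian)."""
    if len(payload) < 12:
        raise ValueError("DNS message shorter than 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", payload[:12])
    return {"id": ident, "flags": flags, "qr": bool(flags & 0x8000), "rcode": flags & 0xF,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def classify_mdns(src_port: int, payload: bytes) -> str:
    """Section 6 rule: a response whose UDP source port is not 5353 is silently ignored."""
    hdr = parse_header(payload)
    if not hdr["qr"]:
        return "query"                       # queries may legitimately come from other ports
    if src_port != MDNS_PORT:
        return "ignore-bad-source-port"      # what avahi logs, what the draft says to drop
    return "accept"


def read_name(payload: bytes, offset: int) -> Tuple[str, int]:
    """Decode a possibly compressed DNS name; return (name, offset just past it)."""
    labels: List[str] = []
    end, jumped, hops = offset, False, 0
    while True:
        length = payload[offset]
        if length & 0xC0 == 0xC0:            # 2-byte compression pointer
            pointer = struct.unpack("!H", payload[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset, hops = True, pointer, hops + 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            return ".".join(labels), end
        labels.append(payload[offset:offset + length].decode("ascii"))
        offset += length


def parse_records(payload: bytes) -> List[dict]:
    """Return all answer, authority and additional RRs; questions are skipped."""
    hdr = parse_header(payload)
    off = 12
    for _ in range(hdr["qdcount"]):
        _, off = read_name(payload, off)
        off += 4                             # QTYPE + QCLASS
    records = []
    for _ in range(hdr["ancount"] + hdr["nscount"] + hdr["arcount"]):
        name, off = read_name(payload, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", payload[off:off + 10])
        off += 10
        rdata = payload[off:off + rdlen]
        off += rdlen
        records.append({"name": name, "type": rtype, "cache_flush": bool(rclass & 0x8000),
                        "class": rclass & 0x7FFF, "ttl": ttl, "rdata": rdata})
    return records


def _name(*labels: str) -> bytes:
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


# Constructed announcement: header ID 0, flags 0x8400, 0 questions, 1 answer, 1 additional.
ROUTER_ANNOUNCEMENT = (
    struct.pack("!6H", 0, 0x8400, 0, 1, 0, 1)
    + _name("Cisco18738", "local")                                  # name starts at offset 12
    + struct.pack("!HHIH", TYPE_A, 0x8001, 60, 4) + bytes([10, 146, 9, 1])   # A, cache-flush, TTL 60
    + b"\xc0\x0c" + struct.pack("!HHIH", TYPE_NSEC, 0x8001, 60, 5)  # name = pointer to offset 12
    + b"\xc0\x0c\x00\x01\x40"                                       # NSEC: next name, bitmap = {A}
)

if __name__ == "__main__":
    print(classify_mdns(32784, ROUTER_ANNOUNCEMENT), classify_mdns(5353, ROUTER_ANNOUNCEMENT))
    for r in parse_records(ROUTER_ANNOUNCEMENT):
        print(r["name"], r["type"], r["ttl"], r["cache_flush"])
```

Feed it `(src_port, payload)` pairs pulled from a capture and the classification tells you which responders on the segment are violating the source-port rule; the decoded names tell you which device each one is.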

  • Cisco ASA 5510 and Spiceworks port forward

    I know this topic has been beaten to death, but I'm rather green with firewalls and would like some guidance with why my config is not working. I'm using ASDM 6.4.
    My public address is 207.123.123.123 (simplified for this example)
    My Spiceworks server is 192.168.0.11 (SpiceServer)
    My SpiceServer SSL port for SW is 9876
    I've created a NAT for SpiceServer to Any Outside connection. I've created an access rule for Outside where Any is destined for SpiceServer and I created a Service Group for TCP-UDP for Port 9876.
    Where am I going wrong (besides everywhere)??

    So you want to set up a static NAT from 207.123.123.123:9876 to 192.168.0.11:9876. (I assume you're keeping the same port on the public interface.)
    Here's a link to a how-to for setting it up. (I'm headed out the door for the weekend. Sorry!) Hope this helps.
    http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/asdm64/configuration_guide/asdm_64_config/na..
    Skip down to the section "Configuring Static NAT or Static NAT-with-Port-Translation"
    This topic first appeared in the Spiceworks Community

  • Cisco AS5400 SIP Trunk source port ?

    Hello,
    Is there a command to fix the trunk signaling source port to 5060 in the Cisco AS5400XM ?
    Thanks,

    hi,
    what's the exact issue?
    IOS can use a random port as the source port on a SIP request.
    However if you are running 12.3 then you cannot set it to one port.
    Later 12.4(5a) and 12.4(6)T have following hidden command.
    (config-sip-ua)#connection-reuse
    This command sets used source port to SIP listen port.
    It sets it to udp port 5060
    Hope this helps!!
    Thanks,
    karthik

  • Source port type for BPELProcess does not match target port type for EJB

    Hi gurus,
    I have a problem with calling EJBs from a 11.1.1.3 composite. The following summarizes the issue:
    - there are several EJBs within the same package deployed on a WLS server.
    - these beans have method names that are the same, for example create(), delete() etc.
    - using the EJB Service Adapter I have created 3 References, one for each of the 3 beans I need to invoke in a BPEL process.
    - each bean is imported into the project with their own *.wsdl *Ref.wsdl files.
    - each wsdl imports a namespace based on the java package name
    - now i have 3 wsdls, importing the same namespace and namespace conflicts arise.
    At this point I'm thinking, 'no problem, just change the namespaces manually'
    - whenever i try to change the namespace that JDev gives the Reference components I end up with the compilation error:
    Source port type for "BPELProcess" does not match target port type for "EJBRef"
    It seems that the namespace must be the same as the package name, even though I resolved all the references to the new namespaces and ensure they all match.
    The problem appears to be in the BPELProcess.componentType file.
    <reference name="HelloEJBRef" ui:wsdlLocation="HelloEJBRef.wsdl">
    <interface.wsdl interface="http://package.workspace.com/HelloEJB#wsdl.interface(HelloEJB)"/>
    </reference>
    If the namespace (text before the #) is changed at all from the default, even if it matches the wsdl, it results in the port type mismatch error above.
    Any ideas?
    btw, running SOA 11.1.1.3, JDev 10.1.1.3, EJB 3.0


  • ACE: Can I loadbalance based on client Source IP/and client tcp source port?

    We recently migrated serving a client from being a thick client at the desktop to being served via a Citrix farm. Prior to the migration the clients came from about 5000 unique source IPs to their VIP, now they come from only 31 unique source IPs from the Citrix servers in the farm. A Citrix server can host 400 client sessions; since the default action of the ACE is to load balance based on source IPs, the ACE is sending up to 400 sessions from one Citrix server to 1 real server in the farm. Is there any way I can load balance based on client source IP and TCP source port so the ACE views the 400 sessions from one Citrix server as unique sessions? The application does not require persistence.

    Hello,
    Yes, you can configure a "Sticky Layer 4 Payload" as described on this link:
    http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA2_3_0/command/reference/sticky.html#wp1039276
    Unfortunately I do not have any working example. You must calculate the right values for the Offset and the Length to configure.
    Regards Jean-Marc

  • New command for radius-server source-ports

    I am trying to find the new command for radius-server source-ports 1645-1646 since it appears to be deprecated. We use TACACS so we do not have the radius server specified but we do need to put in the ports. Can someone please tell me the new command for radius-server source-ports?
    Thanks

    Both of the links that Peter posted are interesting and helpful. I would like to take a slightly different approach in answering your question.
    In every version of IOS there are certain commands that get inserted into running-config when a particular feature is activated. It looks like in your version the radius-server source-ports is one of those commands. I do not think it is anything that you should be concerned about.
    And I do not believe that having the radius-server source-ports command would prevent TACACS from working. I believe that there is likely to be some fault in your configuration. If you would post the aaa parts of the config then maybe we could see what the problem is.
    In my experience configuring aaa some of the common problems include not correctly identifying the TACACS server, not having exactly the same key configured on the Cisco device and the TACACS server, not having connectivity to the TACACS server (can the Cisco device ping the server, and can the server ping the device), or errors in the authentication or authorization parameters specified.
    Post some information and we will see what we can do.
    HTH
    Rick

  • Not able to remove "radius-server-source-port-1645-1646"

    Hi guys! I'm trying to remove the "radius-server source-ports 1645-1646" command but it's not happening. The command executes but it's still showing up in the running configuration. It's on a 2960 switch running 12.2 lanbasek9 IOS.

    Hmm..... That's not the case.... Tried this already
    Even I've seen its kinda default command in some old IOS....... But not getting a firm URL or link to confirm it..... So not sure if it's issue with IOS or something else

  • Idoc sending program from source port

    Hi Experts,
    I am sending the IDoc through a customized program. I am getting status 03 & 30, successfully sent to the external system.
    Is there any standard program to send the IDoc from the source port to the destination port?
    Thanks and regards,
    Venkatraman.N

    Run RBDMOIND, then the IDoc will get status 12 - Dispatch OK. Status 12 is the confirmation that the IDoc reached the target system.
    Reddy

  • Is it dangerous if I expose UDP 1434 port of SQL 2008R2 server in Azure VM to the Internet ?

    I am setting up client/server Application running on SQL2008 server on Azure VM.
    Is it dangerous if I  expose UDP 1434 port of SQL 2008R2 server in Azure VM  to the Internet ?

    I do not get your answer exactly, but by "That is a much bigger issue from a security perspective" do you mean it is dangerous to expose the SQL Server connection port to the Internet?
    Application uses named SQL instance , so it needs UDP 1434 port to connect to SQL server.
    Exposing any server to a network is dangerous.  Exposing a server to the public internet is more risky than connecting to a private network.  You cannot eliminate risk but it can be mitigated.
    An inherent risk with exposing the SQL Server port is that any client with network connectivity can then try to compromise security, commonly with a dictionary attack. A malicious user can then gain access to the database limited only by the compromised account security context.
    There are several steps you can take to mitigate this risk.  To name a few, allow only trusted IP addresses through the firewall.  Run only those services actually needed.  Expose only those ports needed.  Rename the sa login. 
    Assign strong passwords to all accounts.  Keep all software up-to-date with security patches.  Use a service layer to access database services instead of directly from front-end clients.
    In your case, you can hard-code the named instance port in connection strings instead of using the SQL Browser service.  Your connection strings do not need to specify the instance name with this technique and UDP 1434 is not needed for connectivity. 
    Dan Guzman, SQL Server MVP, http://www.dbdelta.com
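The mitigation in the last paragraph (address the instance by TCP port so UDP/1434 is never needed) is easier to justify once you see what the SQL Server Browser hands to anyone who sends it a single byte. The script below is an added example, not Microsoft code: it parses a Browser (SSRP) reply into per-instance fields and builds the `Server=host,port` form of the connection string that bypasses the Browser entirely. The reply it parses is constructed from the documented response layout (0x05, little-endian length, then `key;value;...;;` per instance); the server name, instance name, version and ports in it are made up. The `probe()` helper does send the real one-byte request and is provided for testing your own host; nothing else touches the network.

```python
"""What SQL Server Browser (SSRP, UDP/1434) discloses, and how to not need it.

Added example, not Microsoft code. SAMPLE_RESPONSE is constructed from the
documented layout; its names, version and ports are invented.
"""
import socket
import struct
from typing import Dict, List

CLNT_UCAST_EX = b"\x03"        # one-byte request: "enumerate every instance on this host"
SVR_RESP = 0x05                # first byte of every Browser reply


def parse_ssrp_response(datagram: bytes) -> List[Dict[str, str]]:
    """0x05, u16 little-endian length, then ASCII 'k;v;k;v;...;;' repeated per instance."""
    if len(datagram) < 3 or datagram[0] != SVR_RESP:
        raise ValueError("not an SSRP SVR_RESP datagram")
    (size,) = struct.unpack("<H", datagram[1:3])
    body = datagram[3:3 + size]
    if len(body) != size:
        raise ValueError("truncated SSRP response")
    instances = []
    for chunk in body.decode("ascii").split(";;"):
        if not chunk:
            continue
        fields = chunk.split(";")
        if len(fields) % 2:
            raise ValueError("odd number of fields in instance record: %r" % chunk)
        instances.append(dict(zip(fields[0::2], fields[1::2])))
    return instances


def exposure_summary(instances: List[Dict[str, str]]) -> List[str]:
    """One line per instance: what an unauthenticated Internet client learns per probe."""
    return ["%s\\%s version %s listening on tcp/%s"
            % (i["ServerName"], i["InstanceName"], i.get("Version", "?"), i.get("tcp", "?"))
            for i in instances]


def direct_connection_string(host: str, tcp_port: int, database: str) -> str:
    """'Server=host,port' targets the instance's TCP port directly; no UDP/1434 round trip."""
    return "Server=%s,%d;Database=%s;Encrypt=yes;TrustServerCertificate=no;" % (host, tcp_port, database)


def probe(host: str, timeout: float = 2.0) -> List[Dict[str, str]]:
    """Send the real CLNT_UCAST_EX request to a host you are authorised to test."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sock.settimeout(timeout)
        sock.sendto(CLNT_UCAST_EX, (host, 1434))
        data, _ = sock.recvfrom(65535)
        return parse_ssrp_response(data)
    finally:
        sock.close()


# Constructed reply: a default instance on 1433 plus a named instance on a dynamic port.
_BODY = (
    "ServerName;SQLVM01;InstanceName;MSSQLSERVER;IsClustered;No;Version;10.50.4000.0;tcp;1433;;"
    "ServerName;SQLVM01;InstanceName;APPINST;IsClustered;No;Version;10.50.4000.0;tcp;49172;;"
).encode("ascii")
SAMPLE_RESPONSE = bytes([SVR_RESP]) + struct.pack("<H", len(_BODY)) + _BODY

if __name__ == "__main__":
    found = parse_ssrp_response(SAMPLE_RESPONSE)
    for line in exposure_summary(found):
        print(line)
    named = [i for i in found if i["InstanceName"] == "APPINST"][0]
    print(direct_connection_string("10.0.0.5", int(named["tcp"]), "app"))
```

One caveat before switching clients to the `host,port` form: a named instance listens on a dynamic port by default, so fix it to a static port in SQL Server Configuration Manager first, or the connection strings will break on the next service restart. Once that is done, UDP/1434 can be closed at the Azure endpoint and the Browser service stopped.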
