Bi-directional access test and understanding of ASA static Pat

I. Overview:

Static PAT is generally used in external access to the external IP of a port mapping to the internal host service port, so that the external host by accessing the external IP port, it can easily access to the internal host service (need policy release), but see "Cisco ASA 5500 Series Configuration Guide using the CLI, 8.4 and 8.6 documents, the static Pat, like Static Nat, is also bidirectional and confusing as it is intended to be validated in actual testing.

Two. Basic ideas:

A. Static Pat from the external access intranet, is often used, the main need to verify from the internal access is whether the address translation.

B. Because the source ports for TCP and UDP access are random, greater than 1023, and are not normally specified.

---therefore need to find a program that can specify the source port

---in the actual work of a company developed by the use of Windows Syslog Send tool can specify the source and destination port, which is used to test.

C. The test environment is:

---Mapping the UDP 514 port of the external interface to a UDP514 of an internal host

①. Sends the syslog from the external host to the external interface UDP514 to verify the target address translation.

②. From the internally mapped host to the external host to send Syslog, when sent to specify the source port and Target port is 514, in the external host grab packet, see whether the source address conversion.

③. And incidentally verify that the static Pat priority is higher than the dynamic pat.

D. Actual static Pat This two-way access is of little use, because the source port is difficult to manually specify, like the external interface of the TCP23 static Pat to the internal one host of the TCP23, while the normal TCP source port is not possible for Port 23.

---There is a situation that can be used, such as Syslog sent, because the audit needs to audit the real address, rather than NAT address, you can configure static Pat to achieve the source address does not translate (the general host Syslog source port can be specified, Linux defaults to UDP514):

Object Network Inside_net_syslog
Subnet 100.1.1.0 255.255.255.0
Object Network Inside_net_syslog_nonat
Subnet 100.1.1.0 255.255.255.0
Object Network Inside_net_syslog_nonat
Nat (Inside,outside) static Inside_net_syslog service UDP syslog

In this way, when the designated inside Area 100.1.1.0/24 Network segment host sends the Sylog UDP source port to the outside area's syslog server, it can realize the IP address itself (equal to not turn).