https://community.cisco.com/t5/network-security/ios-fw-inbound-static-pat-range-possible/m-p/3734561#M1049661 <P>Hi</P> <P>&nbsp;</P> <P>Yes on asa this is possible.</P> <P>Let's assume your outside name is outside and acl attached to it called outside_access_in</P> <P>&nbsp;</P> <P>Here a config sample (sorry if there are some typos, I'm writing this down from my smartphone):</P> <P>&nbsp;</P> <P><SPAN>object service PABX-UDP</SPAN></P> <P><SPAN><SPAN class="Apple-converted-space">&nbsp;</SPAN>service udp destination range 50000&nbsp;51000</SPAN></P> <P><SPAN><SPAN class="Apple-converted-space">!</SPAN></SPAN></P> <P><SPAN>object network PABX</SPAN></P> <P><SPAN><SPAN class="Apple-converted-space">&nbsp;</SPAN>host 192.168.0.10</SPAN></P> <P><SPAN>!</SPAN></P> <P><SPAN>access-list outside_access_in extended permit object PABX-UDP any object-group PABX</SPAN></P> <P><SPAN>&nbsp;</SPAN></P> <P><SPAN>nat (inside,outside) source static PABX 1.1.1.1 service PABX-UDP PABX-UDP</SPAN></P> <P><SPAN>==&gt; Replace 1.1.1.1 by your public ip or your object containing the public ip.</SPAN></P> <P>&nbsp;</P> <P><SPAN>Afterwards, everything should work. Be sure to put the nat at the right place to not have something overlapping.</SPAN></P> <P>&nbsp;</P> <P><SPAN>Do a test and let me know.</SPAN></P> <P>&nbsp;</P> <P>&nbsp;[EDIT]</P> <P>I saw in the title you were talking about udp range on ios.</P> <P>You can use route-map or an easier one like below:</P> <P>&nbsp;</P> <P><SPAN>ip nat pool PABX-UDP&nbsp;192.168.0.50 192.168.0.10 netmask 255.255.255.0 type rotary</SPAN></P> <P><SPAN>!</SPAN></P> <P><SPAN>access-list 111 permit udp any any range 50000 51000</SPAN></P> <P><SPAN>!</SPAN></P> <P><SPAN>ip nat inside destination list 111 pool&nbsp;PABX-UDP</SPAN></P> <P>&nbsp;</P> <P><SPAN>You need to adapt with your actual config of any other Nat exists.</SPAN></P> <P>&nbsp;</P> <P><SPAN>Here an example with route-map:</SPAN></P> <P><SPAN><A href="https://community.cisco.com/t5/routing/forward-range-ports-for-few-hosts-in-isr4331/td-p/3316899" target="_blank">https://community.cisco.com/t5/routing/forward-range-ports-for-few-hosts-in-isr4331/td-p/3316899</A></SPAN></P> Mon, 29 Oct 2018 02:23:59 GMT Francesco Molino 2018-10-29T02:23:59Z https://community.cisco.com/t5/network-security/ios-fw-inbound-static-pat-range-possible/m-p/3734535#M1049642 <P>Hi I have to create connectivity for an external phone system say port 50000-51000 UDP from outside to a single host inside.</P> <P>&nbsp;</P> <P>I would like to map the whole UDP port range&nbsp; range from outside (hitting the external interface) to inside (pabx host 192.168.10.10) keeping udp dest ports consistent eg dest port 50000&nbsp; coming in to external ios fw interface&nbsp; to PAT to 192.168.10.10 dest port udp 50000</P> <P>&nbsp;</P> <P>Without having to do each individual PAT statement or get a separate public IP address, is this possible?</P> Fri, 21 Feb 2020 16:24:22 GMT https://community.cisco.com/t5/network-security/ios-fw-inbound-static-pat-range-possible/m-p/3734535#M1049642 dino55088 2020-02-21T16:24:22Z https://community.cisco.com/t5/network-security/ios-fw-inbound-static-pat-range-possible/m-p/3734561#M1049661 <P>Hi</P> <P>&nbsp;</P> <P>Yes on asa this is possible.</P> <P>Let's assume your outside name is outside and acl attached to it called outside_access_in</P> <P>&nbsp;</P> <P>Here a config sample (sorry if there are some typos, I'm writing this down from my smartphone):</P> <P>&nbsp;</P> <P><SPAN>object service PABX-UDP</SPAN></P> <P><SPAN><SPAN class="Apple-converted-space">&nbsp;</SPAN>service udp destination range 50000&nbsp;51000</SPAN></P> <P><SPAN><SPAN class="Apple-converted-space">!</SPAN></SPAN></P> <P><SPAN>object network PABX</SPAN></P> <P><SPAN><SPAN class="Apple-converted-space">&nbsp;</SPAN>host 192.168.0.10</SPAN></P> <P><SPAN>!</SPAN></P> <P><SPAN>access-list outside_access_in extended permit object PABX-UDP any object-group PABX</SPAN></P> <P><SPAN>&nbsp;</SPAN></P> <P><SPAN>nat (inside,outside) source static PABX 1.1.1.1 service PABX-UDP PABX-UDP</SPAN></P> <P><SPAN>==&gt; Replace 1.1.1.1 by your public ip or your object containing the public ip.</SPAN></P> <P>&nbsp;</P> <P><SPAN>Afterwards, everything should work. Be sure to put the nat at the right place to not have something overlapping.</SPAN></P> <P>&nbsp;</P> <P><SPAN>Do a test and let me know.</SPAN></P> <P>&nbsp;</P> <P>&nbsp;[EDIT]</P> <P>I saw in the title you were talking about udp range on ios.</P> <P>You can use route-map or an easier one like below:</P> <P>&nbsp;</P> <P><SPAN>ip nat pool PABX-UDP&nbsp;192.168.0.50 192.168.0.10 netmask 255.255.255.0 type rotary</SPAN></P> <P><SPAN>!</SPAN></P> <P><SPAN>access-list 111 permit udp any any range 50000 51000</SPAN></P> <P><SPAN>!</SPAN></P> <P><SPAN>ip nat inside destination list 111 pool&nbsp;PABX-UDP</SPAN></P> <P>&nbsp;</P> <P><SPAN>You need to adapt with your actual config of any other Nat exists.</SPAN></P> <P>&nbsp;</P> <P><SPAN>Here an example with route-map:</SPAN></P> <P><SPAN><A href="https://community.cisco.com/t5/routing/forward-range-ports-for-few-hosts-in-isr4331/td-p/3316899" target="_blank">https://community.cisco.com/t5/routing/forward-range-ports-for-few-hosts-in-isr4331/td-p/3316899</A></SPAN></P> Mon, 29 Oct 2018 02:23:59 GMT https://community.cisco.com/t5/network-security/ios-fw-inbound-static-pat-range-possible/m-p/3734561#M1049661 Francesco Molino 2018-10-29T02:23:59Z