https://community.cisco.com/t5/network-security/forward-multiple-ports-and-a-port-range-to-an-internal-host/m-p/4515419#M1085628 <P>You need NAT and ACL to work.</P> <P>&nbsp;</P> Wed, 08 Dec 2021 18:18:56 GMT balaji.bandi 2021-12-08T18:18:56Z https://community.cisco.com/t5/network-security/forward-multiple-ports-and-a-port-range-to-an-internal-host/m-p/4515348#M1085609 <P>Hey all,&nbsp;</P><P>&nbsp;</P><P>i have a customer (small business) without a static external IP adress. They use a VoIP solution with an internal appliance and i have to forward some ports and a port range to the VoIP device.&nbsp;</P><P>&nbsp;</P><P>Using a public server did not work as it needs a static external ip and im pretty lost configuring this via CLI. From what i found out i need to define the object service, the access-list and the nat rule but i find it very confusing if the nat rule is outside, inside or the opposite and if the obejct service needs to be the source or destination.&nbsp;</P><P>&nbsp;</P><P>object service RTP-Daten<BR />service udp <FONT color="#FF0000">destination&gt;</FONT> range 10000 20000<BR />object service Autoprov<BR />service tcp <FONT color="#FF0000">source</FONT>&nbsp;eq 50080</P><P>&nbsp;</P><P>access-list inbound extended permit tcp any host 192.168.100.10 range 10000 20000<BR />access-list inbound extended permit tcp any host 192.168.100.10 eq 50080</P><P>&nbsp;</P><P>nat (<FONT color="#FF0000">outside,inside</FONT>) source static any any destination static interface Starface service RTP-Daten RTP-Daten<BR />nat (<FONT color="#FF0000">outside,inside</FONT>) source static any any destination static interface Starface service Autoprov Autoprov</P><P>&nbsp;</P><P>Would this be correct? And is it source or destination and&nbsp;outside, inside or the opposite?</P><P>&nbsp;</P><P>Thanks in advance</P><P>&nbsp;</P><P>Tobias</P> Wed, 08 Dec 2021 16:34:08 GMT https://community.cisco.com/t5/network-security/forward-multiple-ports-and-a-port-range-to-an-internal-host/m-p/4515348#M1085609 Tobi 2021-12-08T16:34:08Z https://community.cisco.com/t5/network-security/forward-multiple-ports-and-a-port-range-to-an-internal-host/m-p/4515371#M1085617 <P>what device is this&nbsp; ? and what IOS running ?</P> <P>&nbsp;</P> <P>high level below should work :</P> <P>&nbsp;</P> <P>object service RTP-Daten<BR />service udp source&nbsp; range 10000 20000<BR />object service Autoprov<BR />service tcp source eq 50080</P> <P>object network VOIP_SERVER<BR />host 192.168.100.10<BR />nat (inside,outside) static interface service RTP-Daten RTP-Daten<BR />nat (inside,outside) static interface service Autoprov Autoprov</P> Wed, 08 Dec 2021 17:01:27 GMT https://community.cisco.com/t5/network-security/forward-multiple-ports-and-a-port-range-to-an-internal-host/m-p/4515371#M1085617 balaji.bandi 2021-12-08T17:01:27Z https://community.cisco.com/t5/network-security/forward-multiple-ports-and-a-port-range-to-an-internal-host/m-p/4515383#M1085625 <P>Its a Firepower 1010 with&nbsp;ASA Version 9.14(1)&nbsp;</P><P>&nbsp;</P><P>Is there no need to open the firewall?</P><P>&nbsp;</P><P><SPAN>access-list inbound extended permit tcp any host 192.168.100.10 range 10000 20000</SPAN><BR /><SPAN>access-list inbound extended permit tcp any host 192.168.100.10 eq 50080</SPAN></P> Wed, 08 Dec 2021 17:17:55 GMT https://community.cisco.com/t5/network-security/forward-multiple-ports-and-a-port-range-to-an-internal-host/m-p/4515383#M1085625 Tobi 2021-12-08T17:17:55Z https://community.cisco.com/t5/network-security/forward-multiple-ports-and-a-port-range-to-an-internal-host/m-p/4515419#M1085628 <P>You need NAT and ACL to work.</P> <P>&nbsp;</P> Wed, 08 Dec 2021 18:18:56 GMT https://community.cisco.com/t5/network-security/forward-multiple-ports-and-a-port-range-to-an-internal-host/m-p/4515419#M1085628 balaji.bandi 2021-12-08T18:18:56Z https://community.cisco.com/t5/network-security/forward-multiple-ports-and-a-port-range-to-an-internal-host/m-p/4515820#M1085642 <P>OK so this below should do the trick? From what i saw online the VOIP_SERVER should be in the NAT Rule like i marked in red below?</P><P>&nbsp;</P><P>object network VOIP_SERVER<BR />host 192.168.100.10</P><P>&nbsp;</P><P>object service RTP-Daten<BR />service udp source range 10000 20000<BR />object service Autoprov<BR />service tcp source eq 50080<BR />object service AutoprovS<BR />service tcp source eq 50081</P><P><BR />access-list inbound extended permit tcp any host 192.168.100.10 range 10000 20000<BR />access-list inbound extended permit tcp any host 192.168.100.10 eq 50080<BR />access-list inbound extended permit tcp any host 192.168.100.10 eq 50081</P><P>&nbsp;</P><P>access-group inbound in interface outside</P><P>&nbsp;</P><P>nat (inside, outside) static interface <FONT color="#FF0000">VOIP_SERVER</FONT> service RTP-Daten RTP-Daten<BR />nat (inside, outside) static interface <FONT color="#FF0000">VOIP_SERVER</FONT> service Autoprov Autoprov<BR />nat (inside, outside) static interface <FONT color="#FF0000">VOIP_SERVER</FONT> service AutoprovS AutoprovS</P><P>&nbsp;</P> Thu, 09 Dec 2021 07:58:39 GMT https://community.cisco.com/t5/network-security/forward-multiple-ports-and-a-port-range-to-an-internal-host/m-p/4515820#M1085642 Tobi 2021-12-09T07:58:39Z https://community.cisco.com/t5/network-security/forward-multiple-ports-and-a-port-range-to-an-internal-host/m-p/4516103#M1085666 <P>Since i am out of office until monday: Would this be the correct solution? And with or without the VOIP_Server given in the nat rule? Thanks in advance!</P> Thu, 09 Dec 2021 16:14:12 GMT https://community.cisco.com/t5/network-security/forward-multiple-ports-and-a-port-range-to-an-internal-host/m-p/4516103#M1085666 Tobi 2021-12-09T16:14:12Z https://community.cisco.com/t5/network-security/forward-multiple-ports-and-a-port-range-to-an-internal-host/m-p/4517815#M1085741 <P>Can anyone confirm this?</P> Mon, 13 Dec 2021 10:56:52 GMT https://community.cisco.com/t5/network-security/forward-multiple-ports-and-a-port-range-to-an-internal-host/m-p/4517815#M1085741 Tobi 2021-12-13T10:56:52Z https://community.cisco.com/t5/network-security/forward-multiple-ports-and-a-port-range-to-an-internal-host/m-p/4517974#M1085757 <P>Hi,</P><P>&nbsp;</P><P>this does not work</P><P>&nbsp;</P><P><SPAN>object network VOIP_SERVER</SPAN><BR /><SPAN>host 192.168.100.10</SPAN><BR /><SPAN>nat (inside,outside) static interface service RTP-Daten RTP-Daten</SPAN><BR /><SPAN>nat (inside,outside) static interface service Autoprov Autoprov</SPAN></P><P>&nbsp;</P><P><SPAN>Leads to the config only having the last service present and it only works with single ports.&nbsp;</SPAN></P><P>&nbsp;</P><P><SPAN>nat (inside,outside) static interface service 54321 54321<BR />nat (inside,outside) static interface service 12345 12345</SPAN></P><P>&nbsp;</P><P><SPAN>Leads to a config where only</SPAN></P><P>&nbsp;</P><P><SPAN>nat (inside,outside) static interface service 12345 12345</SPAN></P><P>&nbsp;</P><P><SPAN>is present. And it does not work for port ranges. Any ideas?</SPAN></P> Mon, 13 Dec 2021 15:28:47 GMT https://community.cisco.com/t5/network-security/forward-multiple-ports-and-a-port-range-to-an-internal-host/m-p/4517974#M1085757 Tobi 2021-12-13T15:28:47Z