https://community.cisco.com/t5/network-security/how-to-nat-a-port-range-on-asdm-for-asa-5505/m-p/2890678#M152776 <P>You need to use a Service object</P> <P>as attached</P> <P>create a service object&nbsp; define ports with " udp/49152-65534"</P> <P></P> Thu, 23 Jun 2016 06:59:16 GMT Richard Bradfield 2016-06-23T06:59:16Z https://community.cisco.com/t5/network-security/how-to-nat-a-port-range-on-asdm-for-asa-5505/m-p/2890677#M152775 <P>Hello,</P> <P>I managed to configure port redirect for single ports.</P> <P>In order to redirect a single port I did the following (and it works well):</P> <P><IMG src="https://community.cisco.com/legacyfs/online/media/networkobject.png" class="migrated-markup-image" /></P> <P><IMG src="https://community.cisco.com/legacyfs/online/media/accessrule.png" class="migrated-markup-image" /></P> <P></P> <P>But I now need to redirect a big range for data on a Linux machine:</P> <P><SPAN>49152 to 65534</SPAN></P> <P></P> <P>Which means that if somebody connects to the Public interface of the ASA on port&nbsp;<SPAN>49152 it will redirect to 192.168.1.20:49152.<BR />And the same for the whole range. To do it manually for thousands of ports it has no sense. For sure there is a way to do it automatically on the whole range.</SPAN></P> <P><SPAN>Can anybody explain me how to do it?</SPAN></P> <P><SPAN>Thanks</SPAN></P> <P><SPAN></SPAN></P> <P><SPAN>P.s. I am on:</SPAN></P> <P><SPAN>Cisco Adaptive Security Appliance Software Version 9.2(3)4 <BR />Device Manager Version 7.4(1)<BR /></SPAN><SPAN>System image file is "disk0:/asa923-4-k8.bin"</SPAN></P> Tue, 12 Mar 2019 07:56:02 GMT https://community.cisco.com/t5/network-security/how-to-nat-a-port-range-on-asdm-for-asa-5505/m-p/2890677#M152775 sergioloporto 2019-03-12T07:56:02Z https://community.cisco.com/t5/network-security/how-to-nat-a-port-range-on-asdm-for-asa-5505/m-p/2890678#M152776 <P>You need to use a Service object</P> <P>as attached</P> <P>create a service object&nbsp; define ports with " udp/49152-65534"</P> <P></P> Thu, 23 Jun 2016 06:59:16 GMT https://community.cisco.com/t5/network-security/how-to-nat-a-port-range-on-asdm-for-asa-5505/m-p/2890678#M152776 Richard Bradfield 2016-06-23T06:59:16Z https://community.cisco.com/t5/network-security/how-to-nat-a-port-range-on-asdm-for-asa-5505/m-p/2890679#M152777 <P>Thanks. And how does the access rule looks like?&nbsp;</P> Thu, 23 Jun 2016 07:03:17 GMT https://community.cisco.com/t5/network-security/how-to-nat-a-port-range-on-asdm-for-asa-5505/m-p/2890679#M152777 sergioloporto 2016-06-23T07:03:17Z https://community.cisco.com/t5/network-security/how-to-nat-a-port-range-on-asdm-for-asa-5505/m-p/2890680#M152778 <P>something like</P> <P>&nbsp;IP access-list Outside-in extended permit udp&nbsp; any &lt;Linux server real address&gt; object-group udp-range object-group udp-range</P> Thu, 23 Jun 2016 07:36:06 GMT https://community.cisco.com/t5/network-security/how-to-nat-a-port-range-on-asdm-for-asa-5505/m-p/2890680#M152778 Richard Bradfield 2016-06-23T07:36:06Z https://community.cisco.com/t5/network-security/how-to-nat-a-port-range-on-asdm-for-asa-5505/m-p/2890681#M152779 <P>I added that service group. Then I tried to add this command:</P> <P><IMG src="https://community.cisco.com/legacyfs/online/media/range.png" class="migrated-markup-image" /></P> <P>access-list Outside-in extended permit tcp any 192.168.1.25 object-group DATA_Tcp_range_FTP_Raspberry object-group DATA_Tcp_range_FTP_Raspberry</P> <P></P> <P>But I doesn't accept it. The ports I have to redirect are TCP.<BR />What did I do wrong?</P> Thu, 23 Jun 2016 15:04:40 GMT https://community.cisco.com/t5/network-security/how-to-nat-a-port-range-on-asdm-for-asa-5505/m-p/2890681#M152779 sergioloporto 2016-06-23T15:04:40Z https://community.cisco.com/t5/network-security/how-to-nat-a-port-range-on-asdm-for-asa-5505/m-p/2890682#M152780 <P>I answered above. The current access-lists I have do not start with "ip". For example I have:</P> <P>access-list outside_access_in_1 extended permit tcp any object 443_Raspberry_Pi object-group Port443</P> Thu, 23 Jun 2016 16:08:57 GMT https://community.cisco.com/t5/network-security/how-to-nat-a-port-range-on-asdm-for-asa-5505/m-p/2890682#M152780 sergioloporto 2016-06-23T16:08:57Z https://community.cisco.com/t5/network-security/how-to-nat-a-port-range-on-asdm-for-asa-5505/m-p/2890683#M152781 <P>Sorry yes just Access-list, routers have IP access-list</P> Thu, 23 Jun 2016 22:49:22 GMT https://community.cisco.com/t5/network-security/how-to-nat-a-port-range-on-asdm-for-asa-5505/m-p/2890683#M152781 Richard Bradfield 2016-06-23T22:49:22Z