https://community.cisco.com/t5/network-security/convert-asa-nat-to-ios-ios-xe-nat-config/m-p/2964782#M155824 <P>Hi</P> <P></P> <P>The NAT on router isn't working the same way as ASA.</P> <P>On your design, you need to do port forwarding on UDP range ports. You don't have a lot of solutions. There is only 1 I know, it's using ACL and route-map like:</P> <BLOCKQUOTE> <P>access-list 101 permit udp object-group SITENAMEPBX1RTP range 10020 10531 any range 10020 10531</P> <P>!</P> <P>route-map FORWARD-2 permit 10<BR />&nbsp;match ip address 101<BR />!</P> <P>ip nat inside source static 1.1.1.236 2.2.2.187 route-map FORWARD-2</P> </BLOCKQUOTE> <P>The issue is that you need also to forward other ports with same public address but different private address. At this point, the router won't allow you to do the configuration.</P> <P></P> <P>To accomplish what you're trying to do with IOS, you have 2 solutions:</P> <P>- do NAT port per port (even for range). It will take too long as you have a lot of ports</P> <P>- Use 2 public IP: 1 for 1.1.1.235 and 1 for 1.1.1.236</P> <P></P> <P>Just in case you will use 2 public IP address, the config would look like: (Control it before pasting on your environment, I've done it quickly through my iPhone):</P> <BLOCKQUOTE> <P><BR />object-group SITENAMEPBX1SIPUDP<BR />&nbsp;host 1.1.1.235<BR />!<BR />object-group SITENAMEPBX1SIPTCP<BR />&nbsp;host 1.1.1.235<BR />!<BR />object-group SITENAMEPBX1RTP<BR />&nbsp;host 1.1.1.236<BR />!<BR />object-group SITENAMEPBXMask1<BR />&nbsp;host 1.1.1.235<BR />!<BR />object-group SITENAMEPBXMask2<BR />&nbsp;host 1.1.1.236<BR />!<BR />object-group SITENAMEPBXMasking<BR />&nbsp;group-object SITENAMEPBXMask1<BR />&nbsp;group-object SITENAMEPBXMask2<BR />!<BR />ip access-list extended NAT<BR />&nbsp;permit ip object-group SITENAMEPBXMask1 any<BR />!<BR />ip access-list extended NAT2<BR />&nbsp;permit ip object-group SITENAMEPBXMask2 any<BR />!<BR />access-list 100 permit udp object-group SITENAMEPBX1SIPUDP eq 5090 any eq 5090<BR />access-list 100 permit tcp object-group SITENAMEPBX1SIPTCP eq 5090 any eq 5090<BR />access-list 101 permit udp object-group SITENAMEPBX1RTP range 10020 10531 any range 10020 10531<BR />!<BR />route-map FORWARD-1 permit 10<BR />&nbsp;match ip address 100<BR />!<BR />route-map FORWARD-2 permit 10<BR />&nbsp;match ip address 101<BR />!<BR />ip nat pool NATPOOL 2.2.2.187 2.2.2.187 netmask 255.255.255.0<BR />ip nat pool NATPOOL2 2.2.2.188 2.2.2.188 netmask 255.255.255.0<BR />ip nat inside source list NAT pool NATPOOL2 overload<BR />ip nat inside source list NAT2 pool NATPOOL overload<BR />ip nat inside source static 1.1.1.235 2.2.2.188 route-map FORWARD-1<BR />ip nat inside source static 1.1.1.236 2.2.2.187 route-map FORWARD-2</P> </BLOCKQUOTE> <P>Thanks</P> <P></P> <P>PS: Please don't forget to rate and mark as correct answer if this answered your question</P> <P></P> <P></P> <P></P> Wed, 10 Aug 2016 15:51:35 GMT Francesco Molino 2016-08-10T15:51:35Z https://community.cisco.com/t5/network-security/convert-asa-nat-to-ios-ios-xe-nat-config/m-p/2964781#M155822 <P>I had to create a rather complex series of NATs on an ASA for a PBX that has 2 IPs (one for RTP and one for Control) but must appear to the ITSP on the internet as one public IP. The client now wants to route some of this traffic via some ISRs where we have ZBF firewalls setup.</P> <P>I have pasted the sections of relevant ASA code (8.3+ NAT version). Will this actually translate to IOS/IOS-XE (have a mix of G2s and 4Ks)? If so how? I've done plenty of 1-1 NATs and some port NAT'ing, but am unsure of the final masking NAT and making it all work together. &nbsp;</P> <P>Thanks in advance for any assistance! The 1.1.1 ips would be internal and the 2.2.2 would be external.</P> <P></P> <P></P> <PRE class="prettyprint">object service SIPRangeUDP<BR /> service udp source range sip 5090 <BR />object service SIPRangeTCP<BR /> service tcp source range sip 5090<BR />object service RTPRange<BR /> service udp source range 10020 10531</PRE> <PRE class="prettyprint">object network SITENAMEPBX1SIPUDP<BR /> host 1.1.1.235<BR />object network SITENAMEPBX1SIPUDPOut<BR /> host 2.2.2.187<BR />object network SITENAMEPBX1SIPTCP<BR /> host 1.1.1.235<BR />object network SITENAMEPBX1SIPTCPOut<BR /> host 2.2.2.187<BR />object network SITENAMEPBX1RTP<BR /> host 1.1.1.236<BR />object network SITENAMEPBX1RTPOut<BR /> host 2.2.2.187<BR />object network SITENAMEPBXMask<BR /> host 2.2.2.187<BR />object network SITENAMEPBXMask1<BR /> host 1.1.1.235<BR />object network SITENAMEPBXMask2<BR /> host 1.1.1.236</PRE> <PRE class="prettyprint">object-group network SITENAMEPBXMasking<BR /> network-object object SITENAMEPBXMask1<BR /> network-object object SITENAMEPBXMask2</PRE> <PRE class="prettyprint">nat (inside,outside) source static SITENAMEPBX1SIPUDP SITENAMEPBX1SIPUDPOut service SIPRangeUDP SIPRangeUDP<BR />nat (inside,outside) source static SITENAMEPBX1SIPTCP SITENAMEPBX1SIPTCPOut service SIPRangeTCP SIPRangeTCP<BR />nat (inside,outside) source static SITENAMEPBX1RTP SITENAMEPBX1RTPOut service RTPRange RTPRange<BR />nat (inside,outside) source dynamic SITENAMEPBXMasking SITENAMEPBXMask</PRE> Tue, 12 Mar 2019 08:06:54 GMT https://community.cisco.com/t5/network-security/convert-asa-nat-to-ios-ios-xe-nat-config/m-p/2964781#M155822 mloraditch 2019-03-12T08:06:54Z https://community.cisco.com/t5/network-security/convert-asa-nat-to-ios-ios-xe-nat-config/m-p/2964782#M155824 <P>Hi</P> <P></P> <P>The NAT on router isn't working the same way as ASA.</P> <P>On your design, you need to do port forwarding on UDP range ports. You don't have a lot of solutions. There is only 1 I know, it's using ACL and route-map like:</P> <BLOCKQUOTE> <P>access-list 101 permit udp object-group SITENAMEPBX1RTP range 10020 10531 any range 10020 10531</P> <P>!</P> <P>route-map FORWARD-2 permit 10<BR />&nbsp;match ip address 101<BR />!</P> <P>ip nat inside source static 1.1.1.236 2.2.2.187 route-map FORWARD-2</P> </BLOCKQUOTE> <P>The issue is that you need also to forward other ports with same public address but different private address. At this point, the router won't allow you to do the configuration.</P> <P></P> <P>To accomplish what you're trying to do with IOS, you have 2 solutions:</P> <P>- do NAT port per port (even for range). It will take too long as you have a lot of ports</P> <P>- Use 2 public IP: 1 for 1.1.1.235 and 1 for 1.1.1.236</P> <P></P> <P>Just in case you will use 2 public IP address, the config would look like: (Control it before pasting on your environment, I've done it quickly through my iPhone):</P> <BLOCKQUOTE> <P><BR />object-group SITENAMEPBX1SIPUDP<BR />&nbsp;host 1.1.1.235<BR />!<BR />object-group SITENAMEPBX1SIPTCP<BR />&nbsp;host 1.1.1.235<BR />!<BR />object-group SITENAMEPBX1RTP<BR />&nbsp;host 1.1.1.236<BR />!<BR />object-group SITENAMEPBXMask1<BR />&nbsp;host 1.1.1.235<BR />!<BR />object-group SITENAMEPBXMask2<BR />&nbsp;host 1.1.1.236<BR />!<BR />object-group SITENAMEPBXMasking<BR />&nbsp;group-object SITENAMEPBXMask1<BR />&nbsp;group-object SITENAMEPBXMask2<BR />!<BR />ip access-list extended NAT<BR />&nbsp;permit ip object-group SITENAMEPBXMask1 any<BR />!<BR />ip access-list extended NAT2<BR />&nbsp;permit ip object-group SITENAMEPBXMask2 any<BR />!<BR />access-list 100 permit udp object-group SITENAMEPBX1SIPUDP eq 5090 any eq 5090<BR />access-list 100 permit tcp object-group SITENAMEPBX1SIPTCP eq 5090 any eq 5090<BR />access-list 101 permit udp object-group SITENAMEPBX1RTP range 10020 10531 any range 10020 10531<BR />!<BR />route-map FORWARD-1 permit 10<BR />&nbsp;match ip address 100<BR />!<BR />route-map FORWARD-2 permit 10<BR />&nbsp;match ip address 101<BR />!<BR />ip nat pool NATPOOL 2.2.2.187 2.2.2.187 netmask 255.255.255.0<BR />ip nat pool NATPOOL2 2.2.2.188 2.2.2.188 netmask 255.255.255.0<BR />ip nat inside source list NAT pool NATPOOL2 overload<BR />ip nat inside source list NAT2 pool NATPOOL overload<BR />ip nat inside source static 1.1.1.235 2.2.2.188 route-map FORWARD-1<BR />ip nat inside source static 1.1.1.236 2.2.2.187 route-map FORWARD-2</P> </BLOCKQUOTE> <P>Thanks</P> <P></P> <P>PS: Please don't forget to rate and mark as correct answer if this answered your question</P> <P></P> <P></P> <P></P> Wed, 10 Aug 2016 15:51:35 GMT https://community.cisco.com/t5/network-security/convert-asa-nat-to-ios-ios-xe-nat-config/m-p/2964782#M155824 Francesco Molino 2016-08-10T15:51:35Z https://community.cisco.com/t5/network-security/convert-asa-nat-to-ios-ios-xe-nat-config/m-p/2964783#M155825 <P>I was afraid of what you are saying. We are not port by port natting, 500+ lines of NAT would be impossible to manage.</P> <P>Well, we recommended against the PBX design they have, now I have even more justification for that.</P> Wed, 10 Aug 2016 20:25:58 GMT https://community.cisco.com/t5/network-security/convert-asa-nat-to-ios-ios-xe-nat-config/m-p/2964783#M155825 mloraditch 2016-08-10T20:25:58Z https://community.cisco.com/t5/network-security/convert-asa-nat-to-ios-ios-xe-nat-config/m-p/2964784#M155826 <P>Yes you're right. As I said manual port by port will be a nightmare. The solution with router would be 2 public address.&nbsp;</P> <P></P> <P>Thanks</P> Wed, 10 Aug 2016 20:33:44 GMT https://community.cisco.com/t5/network-security/convert-asa-nat-to-ios-ios-xe-nat-config/m-p/2964784#M155826 Francesco Molino 2016-08-10T20:33:44Z