https://community.cisco.com/t5/network-security/static-nat-question-public-to-inside-asa-9-1x/m-p/2597189#M202568 <P>Thanks Kirsten. I was actually trying to get the ip exclusively for the server and finally was able to get it working. &nbsp;I had your config in place at one point, but apparently didn't have something else configured at the time correctly. &nbsp;At any rate, it is working. Thank you for replying.</P> Thu, 11 Dec 2014 18:17:15 GMT raun.williams 2014-12-11T18:17:15Z https://community.cisco.com/t5/network-security/static-nat-question-public-to-inside-asa-9-1x/m-p/2597187#M202566 <P>Hi All.. I'm having &nbsp;hard time wrapping my head around the post 8.2 nat statements, please help.</P><P>&nbsp;</P><P>I have a DMZ server that has a list of ports that need to be accessible from the outside from specific IP addresses&nbsp;(this is a video streaming relay server). &nbsp;It also need to be able to push the stream to a specific IP address as well. &nbsp;I can do identity nat, and it'll go out and I see it's using IP, but obviously traffic doesn't get in... I can use sample web server nat's I've found and it works for the web management port, 8088, but I can't figure out how to map multiple ports to it:</P><P>&nbsp;</P><P>Remote Public IP's: 77.88.99.11</P><P>Local Public IP: 12.12.12.1</P><P>Ports required:</P><P>object-group service srvgp-stream-remote<BR />&nbsp;service-object tcp destination eq www<BR />&nbsp;service-object tcp destination eq https<BR />&nbsp;service-object tcp destionation eq 8088<BR />&nbsp;service-object tcp destination eq 1935<BR />&nbsp;service-object udp destination range 6970 9999<BR />&nbsp;service-object udp destination range 30000 65000<BR />&nbsp;service-object udp destination eq 554</P><P>&nbsp;</P><P>I can get this to work:</P><P>object network server-external-ip<BR />&nbsp;host 12.12.12.1<BR />!<BR />object network webserver<BR />&nbsp;host 192.168.1.100<BR />&nbsp;nat (dmz,outside) static server-external-ip service tcp 8088 8088</P><P>access-list acl-outside extended permit tcp host 77.88.99.11&nbsp;object AngelEye eq 8088</P><P>But again, I have no idea how I would do such a thing with a list of required ports? I don't see that's an option in the syntax. &nbsp;Additionally, would this &nbsp;provide an 'identity nat' in case the server had to send info out to the public ip via these same ports or do you require a seperate identity nat to do this to the same public ip addresses?</P><P>Any help is greatly appreciated.</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 12 Mar 2019 05:11:17 GMT https://community.cisco.com/t5/network-security/static-nat-question-public-to-inside-asa-9-1x/m-p/2597187#M202566 raun.williams 2019-03-12T05:11:17Z https://community.cisco.com/t5/network-security/static-nat-question-public-to-inside-asa-9-1x/m-p/2597188#M202567 <P>With that many ports, you should use the public IP exclusively for the Webserver:</P> <PRE style="font-size: 14px;"> object network webserver host 192.168.1.100 nat (dmz,outside) static server-external-ip</PRE> <P>If it's not possible to use that IP only for that server, you can configure manual-nat for these ports:</P> <PRE> nat (dmz,outside) source static webserver server-external-ip service srvgp-stream-remote srvgp-stream-remote</PRE> <P>&nbsp;</P> Fri, 05 Dec 2014 07:32:56 GMT https://community.cisco.com/t5/network-security/static-nat-question-public-to-inside-asa-9-1x/m-p/2597188#M202567 Karsten Iwen 2014-12-05T07:32:56Z https://community.cisco.com/t5/network-security/static-nat-question-public-to-inside-asa-9-1x/m-p/2597189#M202568 <P>Thanks Kirsten. I was actually trying to get the ip exclusively for the server and finally was able to get it working. &nbsp;I had your config in place at one point, but apparently didn't have something else configured at the time correctly. &nbsp;At any rate, it is working. Thank you for replying.</P> Thu, 11 Dec 2014 18:17:15 GMT https://community.cisco.com/t5/network-security/static-nat-question-public-to-inside-asa-9-1x/m-p/2597189#M202568 raun.williams 2014-12-11T18:17:15Z