https://community.cisco.com/t5/network-security/pat-port-range/m-p/2196323#M356859 <P>Hi,</P><P></P><P>I'm looking for a way to avoid doing 999 individual port address translations for ports in a range 1-999 for the same protocol. </P><P></P><P>I'm not finding anything that asa code v9.11 will allow. </P><P></P><P>I have the service objects defined but cannot find a way to get the nat statement to allow the service object.</P><P></P><PRE __jive_macro_name="quote" class="jive_text_macro jive_macro_quote"><P>object network foobar</P><P>host 192.168.100.22</P><P>nat (inside,outside) static interface service fooservice fooservice</P></PRE><P></P><P>Hope I'm missing something here. Any help appreciated.</P><P></P><P>Thanks.</P> Tue, 12 Mar 2019 00:58:42 GMT lcaruso 2019-03-12T00:58:42Z https://community.cisco.com/t5/network-security/pat-port-range/m-p/2196323#M356859 <P>Hi,</P><P></P><P>I'm looking for a way to avoid doing 999 individual port address translations for ports in a range 1-999 for the same protocol. </P><P></P><P>I'm not finding anything that asa code v9.11 will allow. </P><P></P><P>I have the service objects defined but cannot find a way to get the nat statement to allow the service object.</P><P></P><PRE __jive_macro_name="quote" class="jive_text_macro jive_macro_quote"><P>object network foobar</P><P>host 192.168.100.22</P><P>nat (inside,outside) static interface service fooservice fooservice</P></PRE><P></P><P>Hope I'm missing something here. Any help appreciated.</P><P></P><P>Thanks.</P> Tue, 12 Mar 2019 00:58:42 GMT https://community.cisco.com/t5/network-security/pat-port-range/m-p/2196323#M356859 lcaruso 2019-03-12T00:58:42Z https://community.cisco.com/t5/network-security/pat-port-range/m-p/2196324#M356860 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Seems there is a bug in the 9.1 ASA software as I tried to configure this first with that software. That gave a wierd result and I checked another post on these forums that related to a similiar problem</P><P></P><P>I then booted my ASA with 8.4(5) software and the NAT is now working normally. So I imagine you will have to wait for a correcting software or move to a older software to get it working in the meanwhile</P><P></P><P>Heres the configuration I did and a "packet-tracer" output to test it</P><P></P><P></P><P><STRONG>NAT CONFIGURATION</STRONG></P><P></P><P>Where</P><UL><LI>SERVICE-LOCAL = The actual port range on the LAN</LI><LI>SERVICE-MAPPED = The corresponding NATed/Mapped port range on the WAN</LI><LI>SERVER-LOCAL = Server IP on the LAN</LI><LI>SERVER-MAPPED = Server IP NATed/Mapped on the WAN</LI><LI>nat = The NAT configuration</LI><LI>Y.Y.Y.Y = One of my public IP addresses assigned to this NAT configuration</LI><LI>X.X.X.X = My server LAN IP address</LI></UL><P></P><P>object service SERVICE-LOCAL</P><P> service tcp source range 5000 6000</P><P></P><P>object service SERVICE-MAPPED</P><P> service tcp source range 15000 16000</P><P></P><P>object network SERVER-LOCAL</P><P> host X.X.X.X</P><P></P><P>object network SERVER-MAPPED</P><P> host Y.Y.Y.Y</P><P></P><P>nat (LAN,WAN) source static SERVER-LOCAL SERVER-MAPPED service SERVICE-LOCAL SERVICE-MAPPED</P><P></P><P></P><P><STRONG>PACKET-TRACER TEST</STRONG></P><P></P><P>Where</P><UL><LI>WAN = My ASAs "outside" interface</LI><LI>1.2.3.4 = Random address behind the WAN interface</LI><LI>Y.Y.Y.Y = One of my public IP addresses assigned to this NAT configuration</LI><LI>X.X.X.X = My server LAN IP address</LI></UL><P></P><P>ASA# packet-tracer input WAN tcp 1.2.3.4 20000 Y.Y.Y.Y 15000</P><P></P><P>Phase: 1</P><P>Type: ACCESS-LIST</P><P>Subtype:</P><P>Result: ALLOW</P><P>Config:</P><P>Implicit Rule</P><P>Additional Information:</P><P>MAC Access list</P><P></P><P>Phase: 2</P><P>Type: UN-NAT</P><P>Subtype: static</P><P>Result: ALLOW</P><P>Config:</P><P>nat (LAN,WAN) source static SERVER-LOCAL SERVER-MAPPED service SERVICE-LOCAL SERVICE-MAPPED</P><P>Additional Information:</P><P>NAT divert to egress interface LAN</P><P>Untranslate Y.Y.Y.Y/15000 to X.X.X.X/5000</P><P></P><P></P><P></P><P><STRONG>Link to the dicussion with the NAT problem:</STRONG></P><P></P><P><A _jive_internal="true" href="https://community.cisco.com/thread/2196562" rel="nofollow">https://supportforums.cisco.com/thread/2196562?tstart=60</A></P><P></P><P><STRONG>Link to the BugID (<SPAN style="color: #ff0000;">CLICK THE BUG ID AT THE END OF THE LINK</SPAN>)<BR /></STRONG></P><P></P><P><A class="jive-link-external-small" href="https://www.cisco.com/cisco/psn/bssprt/bss?searchType=bstbugidsearch&amp;page=bstBugDetail&amp;BugID=" rel="nofollow">https://www.cisco.com/cisco/psn/bssprt/bss?searchType=bstbugidsearch&amp;page=bstBugDetail&amp;BugID=</A><A href="https://www.cisco.com/cisco/psn/bssprt/bss?searchType=bstbugidsearch&amp;page=bstBugDetail&amp;BugID=CSCud64705" rel="nofollow" target="_blank">CSCud64705</A></P><P></P><P></P><P><STRONG>Finally the same NAT configuration as above but while running ASA software 9.1(1)</STRONG></P><P></P><P>Where</P><UL><LI>WAN = My ASAs "outside" interface</LI><LI>1.2.3.4 = Random address behind the WAN interface</LI><LI>Y.Y.Y.Y = One of my public IP addresses assigned to this NAT configuration</LI><LI>X.X.X.X = My ASA WAN interface IP address</LI></UL><P></P><P></P><P>ASA(config)# packet-tracer input WAN tcp 1.2.3.4 20000 Y.Y.Y.Y 15000</P><P></P><P>Phase: 1</P><P>Type: ROUTE-LOOKUP</P><P>Subtype: input</P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P>in&nbsp;&nbsp; X.X.X.X&nbsp; 255.255.255.248 WAN</P><P></P><P>Result:</P><P>input-interface: WAN</P><P>input-status: up</P><P>input-line-status: up</P><P>output-interface: WAN</P><P>output-status: up</P><P>output-line-status: up</P><P>Action: drop</P><P><SPAN style="color: #ff0000;"><STRONG>Drop-reason: (no-route) No route to host</STRONG></SPAN></P><P></P><P></P><P></P><P>Hope the above information has been helpfull. <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/images/emoticons/happy.gif"></SPAN> If so please rate <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/images/emoticons/happy.gif"></SPAN></P><P></P><P>- Jouni</P></BODY></HTML> Sun, 10 Feb 2013 23:45:09 GMT https://community.cisco.com/t5/network-security/pat-port-range/m-p/2196324#M356860 Jouni Forss 2013-02-10T23:45:09Z https://community.cisco.com/t5/network-security/pat-port-range/m-p/2196325#M356861 <HTML><HEAD></HEAD><BODY><P>Thanks for your post. TAC agrees about the bug. </P><P></P><P>This is a 5512X so I won't be downleveling to 8.4(5) on this platform.</P><P></P><P>Time to write some generator code in Python. </P></BODY></HTML> Mon, 11 Feb 2013 00:41:36 GMT https://community.cisco.com/t5/network-security/pat-port-range/m-p/2196325#M356861 lcaruso 2013-02-11T00:41:36Z https://community.cisco.com/t5/network-security/pat-port-range/m-p/2196326#M356862 <HTML><HEAD></HEAD><BODY><P>Would 8.6 work for you (In case it doesnt have this bug, I dont know)? Or is there perhaps some new feature in the 9.x you need to keep?</P><P></P><P>I personally dont have any of the new 5500-X models available for testing.</P><P></P><P>Only 5585-X models but those to my understanding dont take the 8.6 software.</P><P></P><P>- Jouni</P></BODY></HTML> Mon, 11 Feb 2013 00:50:48 GMT https://community.cisco.com/t5/network-security/pat-port-range/m-p/2196326#M356862 Jouni Forss 2013-02-11T00:50:48Z https://community.cisco.com/t5/network-security/pat-port-range/m-p/2196327#M356863 <HTML><HEAD></HEAD><BODY><P>Probably need to stick with 9.x and also don't know if 8.6 is without that bug. </P><P></P><P>I'm going to find out if all those ports are really needed or if this is just case of not doing one's homework. </P><P></P><P>What app needs 999 (consecutive) ports tcp and udp identically? </P><P></P><P>Oh wait, it's an IBM server. </P></BODY></HTML> Mon, 11 Feb 2013 01:03:47 GMT https://community.cisco.com/t5/network-security/pat-port-range/m-p/2196327#M356863 lcaruso 2013-02-11T01:03:47Z