cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2227
Views
0
Helpful
2
Replies

ASA 5505 PAT and Port Ranges

martens72
Level 1
Level 1

Hello,

We recently replaced a Netgear VPN router with an ASA 5505. This setup involved only one external IP, so PAT is used. There is also a VOIP server behind the PAT, wich required some UDP port ranges to be opened to it. In the Netgear (and even in my $50 home broadband router), it is easy enough to forward an entire range, of say 1500 ports to a specific internal server. That was the setup on this Netgear we replaced.

What I am finding out, is that I cannot add static PAT with port ranges. I have referenced a number of sites, mainly Cisco; and found that others have posted this issue here in the forums. Unforturnaley, the only answers I have seen posted, were to use ASA 8.3 OS, in which I can use an object-group assignment; or use a second IP with static NAT to the internal host (which is not a solution here). Am I right in seeing that for all software versions prior to 8.3, PAT and port ranges were not supported?

I have also seen some references to Policy NAT using port ranges; however the ASA erred out, indicating the ACL references port ranges.

Below is the relevant information. Again, I am looking for a way to PAT the UDP port ranges without needing to create 1000+ Static PAT entries.

Any help would be greatly appreciated.

The necessary ACL entries on outside interface:

#########################################

access-list outside_acl line 6 extended permit tcp any host <PAT IP> range 5565 5566 (hitcnt=2) 0x6b2667d0

access-list outside_acl line 7 extended permit udp any host<PAT IP> range 5004 5069 (hitcnt=0) 0xd8c28d05

access-list outside_acl line 8 extended permit udp any host <PAT IP> range 6000 6999 (hitcnt=0) 0xf8843b34

access-list outside_acl line 9 extended permit udp any host <PAT IP> eq 5567 (hitcnt=2) 0x96d8d014

The Static PAT rules for individual ports (no ranges):

###########################################

static (inside,outside) tcp interface 5565<internal host> 5565 netmask 255.255.255.255

static (inside,outside) tcp interface 5566 <internal host> 5566 netmask 255.255.255.255

static (inside,outside) udp interface 5567 <internal host> 5567 netmask 255.255.255.255

1 Accepted Solution

Accepted Solutions

varrao
Level 10
Level 10

Hi Michael,

Well if you are using pre 8.3 software then this might not be possible, you can only do one to one port forwarding on it, there is no range of ports option in it. If you just have one public ip for all the internal servers, then this might be difficult on the ASA, you would need to either upgrade the firewall to 8.3 or later or else use multiple public ip's.

Here are the realease notes for 8.3:

http://www.cisco.com/en/US/docs/security/asa/asa83/release/notes/asarn83.html#wp460665

Hope this helps you,

Thanks,

Varun

Thanks,
Varun Rao

View solution in original post

2 Replies 2

varrao
Level 10
Level 10

Hi Michael,

Well if you are using pre 8.3 software then this might not be possible, you can only do one to one port forwarding on it, there is no range of ports option in it. If you just have one public ip for all the internal servers, then this might be difficult on the ASA, you would need to either upgrade the firewall to 8.3 or later or else use multiple public ip's.

Here are the realease notes for 8.3:

http://www.cisco.com/en/US/docs/security/asa/asa83/release/notes/asarn83.html#wp460665

Hope this helps you,

Thanks,

Varun

Thanks,
Varun Rao

Thanks Varun,

I broke down and added the 1000+ statements - I can't take the idea of not allowing these ports through while we ponder an 8.3 upgrade.

Thanks for the response. I still am in shock this is a limitation on the ASA, when a cheap 50 dollar home broadband device seems to handle it without issue.

Review Cisco Networking for a $25 gift card