06-03-2014 11:35 AM - edited 03-11-2019 09:16 PM
Hi, I need to add multiple entries of the following on a 5510 running the asa903-k8.bin and ASDM-716.bin files:
object network Mitel5000-01
host 10.2.254.111
object network Mitel5000-02
host 10.2.254.111
object network Mitel5000-03
host 10.2.254.111
object network Mitel5000-04
host 10.2.254.111
object network Mitel5000-05
host 10.2.254.111
nat (Inside,Outside) static interface service udp 6031 6031
object network Mitel5000-01
nat (Inside,Outside) static interface service udp 6032 6032
object network Mitel5000-02
nat (Inside,Outside) static interface service udp 6033 6033
object network Mitel5000-03
nat (Inside,Outside) static interface service udp 6034 6034
object network Mitel5000-04
nat (Inside,Outside) static interface service udp 6035 6035
object network Mitel5000-05
nat (Inside,Outside) static interface service udp 6036 6036
object network Mitel5000-06
nat (Inside,Outside) static interface service udp 6037 6037
access-list inbound extended permit udp any4 object Mitel5000 eq 5004
access-list inbound extended permit udp any4 object Mitel5000 eq 5005
access-list inbound extended permit udp any4 object Mitel5000 eq 5006
access-list inbound extended permit udp any4 object Mitel5000 eq 5007
access-list inbound extended permit udp any4 object Mitel5000 eq 50098
Is there a way where I could just put a range in for all three of the configs? I am completely new and would love some help.
Thanks.
06-06-2014 04:06 AM
What do I need to put to get the range of ports?
I am not 100% sure I understand what you mean by range of ports. But, if I understand correctly, you could create a service object that defines the range of ports and then call that object group in the NAT statement...for example
object service PORT-RANGE
service tcp destination range 1024 4000
object network Mitel5000-HOST
host 10.2.254.111
nat (Inside,Outside) source static Mitel5000-HOST interface service PORT-RANGE PORT-RANGE
--
Please remember to select a correct answer and rate helpful posts
06-06-2014 04:19 AM
Hello again...Many thanks, I think I have done the above. This is my final config; can I ask you to please cast an eye on it and see if it all looks good? Many thanks for your help today.
enable password XXXX
password XXXX
User Enable password XXXX
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
name 10.2.254.11 ECHS-PDC
name 10.2.254.12 ECHS-XCH
object network Mitel5000-HOST
host 10.2.254.111
int e0/0
nameif Outside
security-level 0
ip address X.X.X.53 255.255.255.240
no shutdown
description WAN Interface
exit
int e0/1
nameif Inside
security-level 100
ip address 10.2.254.9 255.255.255.0
no shutdown
description LAN Interface
exit
int e0/2
nameif VoIP-Link
security-level 100
ip address 10.2.111.1 255.255.255.0
no shutdown
description VOIP Interface
exit
int e0/3
no shutdown
exit
int Management0/0
nameif Management
security-level 100
ip address 192.168.1.1 255.255.255.0
no shutdown
exit
telnet 10.2.254.0 255.255.255.0 Inside
telnet 10.0.0.0 255.0.0.0 Inside
telnet timeout 5
http server enable
http 10.2.254.0 255.255.255.0 Inside
http 10.0.0.0 255.0.0.0 Inside
http 192.168.1.0 255.255.255.0 Management
dhcpd address 192.168.1.2-192.168.1.5 Management
dhcpd enable Management
ssh 10.2.254.0 255.255.255.0 Inside
ssh 192.168.1.0 255.255.255.0 Management
ssh timeout 30
console timeout 0
aaa authentication ssh console LOCAL
object network ECHS-XCH
host 10.2.254.12
object network ECHS-XCH
nat (Inside,Outside) static interface service tcp https https
object network ECHS-XCH-01
host 10.2.254.12
object network ECHS-XCH-01
nat (Inside,Outside) static interface service tcp www www
object network ECHS-PDC
host 10.2.254.11
object network ECHS-PDC
nat (Inside,Outside) static interface service tcp pptp pptp
object network Mitel5000-HOST
host 10.2.254.111
object network obj_any
subnet 0.0.0.0 0.0.0.0
nat (inside,outside) dynamic interface
access-list inbound extended permit udp any4 object Mitel5000-HOST range 5004 5007
access-list inbound extended permit udp any4 object Mitel5000-HOST range 6004 6261
access-list inbound extended permit udp any4 object Mitel5000-HOST range 6604 7039
access-list inbound extended permit udp any4 object Mitel5000-HOST range 50098 50508
access-list inbound extended permit tcp any interface Outside range 6800 6801
access-list inbound extended permit tcp any interface Outside range 3998 3999
access-list outbound extended permit gre any4 any4
access-list outbound extended permit tcp any4 any4 eq pptp
access-list inbound extended permit tcp any4 object ECHS-PDC eq pptp
access-list inbound extended permit tcp any4 object ECHS-XCH eq www
access-list inbound extended permit tcp any4 object ECHS-XCH eq https
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object service Mitel-Ports1
service udp destination range 5004 5007
object service Mitel-Ports2
service udp destination range 6004 6261
object service Mitel-Ports3
service udp destination range 6604 7039
object service Mitel-Ports4
service udp destination range 50098 50508
object service Mitel-Ports5
service udp destination range 6800 6801
object service Mitel-Ports6
service udp destination range 3998 3999
nat (inside,outside) source static Mitel5000-HOST interface service Mitel-Ports1 Mitel-Ports1
nat (inside,outside) source static Mitel5000-HOST interface service Mitel-Ports2 Mitel-Ports2
nat (inside,outside) source static Mitel5000-HOST interface service Mitel-Ports3 Mitel-Ports3
nat (inside,outside) source static Mitel5000-HOST interface service Mitel-Ports4 Mitel-Ports4
nat (inside,outside) source static Mitel5000-HOST interface service Mitel-Ports5 Mitel-Ports5
nat (inside,outside) source static Mitel5000-HOST interface service Mitel-Ports6 Mitel-Ports6
access-group inbound in interface Outside
route Outside 0.0.0.0 0.0.0.0 X.X.X.49 1
route Inside 10.2.246.0 255.255.255.0 10.2.254.19 1
route Inside 10.2.247.0 255.255.255.0 10.2.254.19 1
route Inside 10.2.248.0 255.255.255.0 10.2.254.19 1
route Inside 10.2.249.0 255.255.255.0 10.2.254.19 1
route Inside 10.2.250.0 255.255.255.0 10.2.254.19 1
route Inside 10.2.251.0 255.255.255.0 10.2.254.19 1
route Inside 10.2.252.0 255.255.255.0 10.2.254.19 1
route Inside 10.2.253.0 255.255.255.0 10.2.254.19 1
logging asdm 6
domain-name X-X-X
crypto key generate rsa
You have been amazing with your support. Many thanks.
06-06-2014 04:28 AM
Yes, this looks good, but a couple of thoughts.
I see an ACL that is not in use...do you need this there?
access-list outbound extended permit gre any4 any4
access-list outbound extended permit tcp any4 any4 eq pptp
You are allowing telnet connections, which is not a secure protocol; if you don't need to use this, I suggest removing it.
telnet 10.2.254.0 255.255.255.0 Inside
telnet 10.0.0.0 255.0.0.0 Inside
--
Please remember to select a correct answer and rate helpful posts
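Added example, not from this thread and not Cisco tooling: a small Python checker for the pattern used in both the suggested fix above (a service object holding the port range, referenced twice in a `nat ... source static ... service` rule) and the final config. It parses the service objects, the twice-NAT rules and the inbound ACL entries, then reports every statically translated range that no ACL entry permits with the same protocol, and every permit whose protocol and range match no NAT rule. The regular expressions, function names and the embedded sample are my own; the sample is constructed from the thread's static-PAT lines, the parser handles only the numeric `range`/`eq` forms seen here, and named ports such as `eq pptp` are skipped. Run on that sample it flags the two TCP permits for 6800-6801 and 3998-3999, since the service objects Mitel-Ports5 and Mitel-Ports6 that the NAT rules reference are defined as UDP. It checks protocol and port agreement only, not whether the ACL destination (real object versus `interface Outside`) is the right one for the ASA version in use.

```python
import re
from typing import Dict, List, Tuple

# One port range on the firewall: (protocol, low port, high port)
PortRange = Tuple[str, int, int]

# Constructed sample: the static-PAT lines from the final config in this thread
SAMPLE_CONFIG = """
object network Mitel5000-HOST
host 10.2.254.111
object service Mitel-Ports1
service udp destination range 5004 5007
object service Mitel-Ports2
service udp destination range 6004 6261
object service Mitel-Ports5
service udp destination range 6800 6801
object service Mitel-Ports6
service udp destination range 3998 3999
nat (inside,outside) source static Mitel5000-HOST interface service Mitel-Ports1 Mitel-Ports1
nat (inside,outside) source static Mitel5000-HOST interface service Mitel-Ports2 Mitel-Ports2
nat (inside,outside) source static Mitel5000-HOST interface service Mitel-Ports5 Mitel-Ports5
nat (inside,outside) source static Mitel5000-HOST interface service Mitel-Ports6 Mitel-Ports6
access-list inbound extended permit udp any4 object Mitel5000-HOST range 5004 5007
access-list inbound extended permit udp any4 object Mitel5000-HOST range 6004 6261
access-list inbound extended permit tcp any interface Outside range 6800 6801
access-list inbound extended permit tcp any interface Outside range 3998 3999
access-list inbound extended permit tcp any4 object ECHS-PDC eq pptp
"""

# Hypothetical regexes covering only the syntax forms used in this thread
OBJECT_RE = re.compile(r"^object (network|service) (\S+)$")
SERVICE_RE = re.compile(r"^service (tcp|udp) destination (?:range (\d+) (\d+)|eq (\d+))$")
NAT_RE = re.compile(r"^nat \(\S+\) source static \S+ \S+ service (\S+) (\S+)$")
ACL_RE = re.compile(r"^access-list \S+ extended permit (tcp|udp) .*? (?:range (\d+) (\d+)|eq (\d+))$")


def _ports(m: "re.Match", first: int) -> Tuple[int, int]:
    """Turn a matched 'range A B' or 'eq P' into (low, high)."""
    if m.group(first) is not None:
        return int(m.group(first)), int(m.group(first + 1))
    port = int(m.group(first + 2))
    return port, port


def parse_config(config: str) -> Tuple[List[PortRange], List[PortRange]]:
    """Return (ranges exposed by static PAT, ranges permitted by ACL entries)."""
    services: Dict[str, PortRange] = {}
    exposed: List[PortRange] = []
    permitted: List[PortRange] = []
    current = None  # name of the service object whose body comes next
    for raw in config.splitlines():
        line = raw.strip()
        m = OBJECT_RE.match(line)
        if m:
            current = m.group(2) if m.group(1) == "service" else None
            continue
        m = SERVICE_RE.match(line)
        if m and current:
            lo, hi = _ports(m, 2)
            services[current] = (m.group(1), lo, hi)
            continue
        m = NAT_RE.match(line)
        if m and m.group(2) in services:
            # second service object = mapped ports reachable from the outside
            exposed.append(services[m.group(2)])
            continue
        m = ACL_RE.match(line)
        if m:  # named ports such as 'eq pptp' do not match and are skipped
            lo, hi = _ports(m, 2)
            permitted.append((m.group(1), lo, hi))
    return exposed, permitted


def covers(permit: PortRange, exposed: PortRange) -> bool:
    """True when an ACL permit has the same protocol and spans the exposed range."""
    return permit[0] == exposed[0] and permit[1] <= exposed[1] and permit[2] >= exposed[2]


def check_pat_coverage(config: str) -> Dict[str, List[PortRange]]:
    """Flag NAT ranges with no matching permit and permits with no matching NAT."""
    exposed, permitted = parse_config(config)
    return {
        "nat_without_permit": [e for e in exposed if not any(covers(p, e) for p in permitted)],
        "permit_without_nat": [p for p in permitted if not any(covers(p, e) for e in exposed)],
    }


if __name__ == "__main__":
    for kind, ranges in check_pat_coverage(SAMPLE_CONFIG).items():
        for proto, lo, hi in ranges:
            print(f"{kind}: {proto} {lo}-{hi}")
```

The script reads a saved `show running-config` excerpt (replace `SAMPLE_CONFIG` with the file contents); each line it prints is a range that is translated but never permitted, or permitted but never translated, which is the first thing to check when a static PAT "does not work" after a change like the one in this thread.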
06-06-2014 04:40 AM
Hi
What do these commands...
access-list outbound extended permit gre any4 any4
access-list outbound extended permit tcp any4 any4 eq pptp
actually mean?
I want to go and test my config in a live situation. Last time I did this the phones went down...truly excited to see how it all goes today.
Many many thanks
06-06-2014 04:47 AM
Basically, if you applied that ACL to the Inside interface, you would only be permitting GRE and PPTP traffic; all other traffic generated from the Inside network and entering the ASA would be dropped.
Unless you have a requirement to deny the Inside users access to certain servers, PCs, etc., I would leave the configuration as is. Your current configuration will allow all traffic from a higher security level to an equal or lower security level, so your inside users will not be restricted as things stand now.
--
Please remember to select a correct answer and rate helpful posts
06-17-2014 03:40 PM
MariusGunnerud - Many thanks to you.