cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
5762
Views
10
Helpful
5
Replies

ASA 8.4 forwarding port range

stevenmorgan
Level 1
Level 1

Greetings,

I need to open port range 554 - 558 to a DVR on the internal network. Also, I need to NAT one of my public IP's to the DVR. How is this accomplished in 8.4? I was able to do it in an older version ASA software.

Thanks,

1 Accepted Solution

Accepted Solutions

Julio Carvajal
VIP Alumni
VIP Alumni

Hello Steven,

Since 8.3 nat is based on objects, so let's start by creating them:

object network Inside_DVR

host 192.168.12.2

object network Outside_Ip_DVR

host 4.2.2.2

object-group service DVR_services

service tcp source eq 554

service tcp source eq 555

service tcp source eq 556

service tcp source eq 557

service tcp source eq 558

nat (inside,outside) source static Inside_DVR Outside_Ip_DVR service   DVR_services  DVR_services

access-list outside_in permit tcp any host  192.168.12.2 eq 554

access-list outside_in permit tcp any host  192.168.12.2 eq 555

access-list outside_in permit tcp any host  192.168.12.2 eq 556

access-list outside_in permit tcp any host  192.168.12.2 eq 557

access-list outside_in permit tcp any host  192.168.12.2 eq 558

access-group outside_in in interface outside

Remember to rate all of the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

View solution in original post

5 Replies 5

Julio Carvajal
VIP Alumni
VIP Alumni

Hello Steven,

Since 8.3 nat is based on objects, so let's start by creating them:

object network Inside_DVR

host 192.168.12.2

object network Outside_Ip_DVR

host 4.2.2.2

object-group service DVR_services

service tcp source eq 554

service tcp source eq 555

service tcp source eq 556

service tcp source eq 557

service tcp source eq 558

nat (inside,outside) source static Inside_DVR Outside_Ip_DVR service   DVR_services  DVR_services

access-list outside_in permit tcp any host  192.168.12.2 eq 554

access-list outside_in permit tcp any host  192.168.12.2 eq 555

access-list outside_in permit tcp any host  192.168.12.2 eq 556

access-list outside_in permit tcp any host  192.168.12.2 eq 557

access-list outside_in permit tcp any host  192.168.12.2 eq 558

access-group outside_in in interface outside

Remember to rate all of the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thanks for the post. Your suggestion worked. I was mainly getting stumped with the NAT statement. One thing I did differently is use the "range" command in both the object service and access list to define the ports. This was so I didn't need to define each port separately. Here is how I did it,

object network DVR_Inside

     host x.x.x.x

object network DVR_Outside

     host x.x.x.x

object service DVR_Ports

     service tcp source range 554 558

nat (inside,outside) source static DVR_Inside DVR_Outside service DVR_Ports DVR_Ports

access-list Inbound permit tcp any object DVR_Inside range 554 558

Hello Steven,

Exactlly it can be don on the ACL as well

Regards,

PD: Kudos for you

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi There,

I am still a newbie when it comes to firewall. I apologize if I may/might posted this in a wrong thread. I just would like to know if it's possible to open a port range ex. 5000-5500 UDP going in to the local network with only 1 public IP address. I don't really know how to configure NAT through or if the NAT will automatically take care of it. Any suggestion will be greatly appreciated.

Hi,

I am trying to configure UDP port range forwarding in ASA 8.4(3) but following command are not successful.

object service udp-port
service udp source range 36000 59999 
object network expresswayLAN
host 192.168.1.207

access-list outside_in extended permit udp any host 192.168.1.207 range 36000 59999 

nat (inside,outside) source static expresswayLAN interface service udp-port udp-port

access-group outside_in in interface outside

ASA# show nat 
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static expresswayLAN interface service udp-port udp-port
translate_hits = 0, untranslate_hits = 61

Please help where i am missing to translate these ports?

thank you so much

Review Cisco Networking for a $25 gift card