Can you port forward a port range on asa5505 version 8.3

carl_townshend · ‎09-29-2013

Hi all

Is it possible to port forward a range of ports on the asa, I can't do it via the GUI, is it possible via the cli ?

Cheers

Carl

Jouni Forss · ‎09-29-2013

Hi,

If you want to forward a range of ports to a host without changing the actual port you should be able to do it the following way

object network PORT-RANGE

service tcp source range 1000 2000

object network HOST

host 10.10.10.10

nat (inside,outside) source static HOST interface service PORT-RANGE PORT-RANGE

The above should map the internal host 10.10.10.10 to the interface IP address of "outside" for ports 1000-2000.

Hope this helps

Please do remember to mark a reply as the correct answer if it answered your question.

- Jouni

carl_townshend · ‎09-29-2013

I tried that and it didn't like the nat command, it would only allow me to do, static (inside,outside)

When I tried the nat command it didn't seem to work, are you sure about this?

Jouni Forss · ‎09-29-2013

Ah,

I had a typo in the above configuration

The "object" is of wrong type. In the above its "network" even though it should be "service" to be able to hold the protocol/port. If the "object network PORT-RANGE" is still configured on the ASA, it will have to be removed if you want to create an "object service PORT-RANGE" on the ASA.

no object network PORT-RANGE

object service PORT-RANGE

service tcp source range 1000 2000

object network HOST

host 10.10.10.10

nat (inside,outside) source static HOST interface service PORT-RANGE PORT-RANGE

With the above it should accept the "nat" command

- Jouni

Jouni Forss · ‎09-29-2013

Hi,

Were you able to test this with the above mention correct configuration? I had mistakenly put "object network" in the original reply instead of "object service"

- Jouni

carl_townshend · ‎09-30-2013

Hi

I have tried this, its doesnt work, when I do >nat (inside,outside) it comes up with an error, it lets me do nat (inside) then expects a number,

I believe the way to do this is static (inside,outside) tcp etc etc

see below

EURUS-MOS-FW1(config)# nat (inside,outside) ?

ERROR: % Unrecognized command

EURUS-MOS-FW1(config)# nat (inside,outside)

EURUS-MOS-FW1(config)# static (inside,outside) ?

configure mode commands/options:
Hostname or A.B.C.D Global or mapped address
interface            Global address overload from interface
tcp                  TCP to be used as transport protocol
udp                  UDP to be used as transport protocol
EURUS-MOS-FW1(config)# static (inside,outside) tcp ?

Jouni Forss · ‎09-30-2013

Hi,

It would seem to me that your original post asked for a Static PAT for a range of ports for ASA software level 8.3.

Your above output would indicate that your firewall is NOT running 8.3 or above software therefore my suggested NAT configuration format is not supported on your ASA.

In software levels 8.2 and below there is no way to forward a range of ports with few commands. You will need a "static" command for each port which depending on the amount of ports needed might generate quite a bit of configurations.

Example is

static (inside,outside) tcp interface 1000 1000 netmask 255.255.255.255

static (inside,outside) udp interface 1000 1000 netmask 255.255.255.255

You can check your software level with command "show version"

- Jouni