06-07-2011 05:47 AM - edited 03-11-2019 01:43 PM
Hi,
I am in the process of replacing all of our Checkpoint firewalls with Cisco ASAs. I am currently running into the following problem with configuring static NATs and PATs.
At some of our locations, the external IPs are mapped to internal IPs based on port ranges, and I can't find a way to replicate that on the ASA. Here's an example:
External NAT External Port Internal Host
1.1.1.20 UDP 9000 10.10.10.1
1.1.1.20 UDP 50000-65500 10.10.10.2
1.1.1.20 ANY 10.10.10.3
I couldn't find any way of configuring a static NAT that uses the port range (50000-65500), and I'm not about to write 15000 static NAT statements.
Does anyone know how you can use the port range in the static NAT?
Thanks,
Sami
06-07-2011 06:07 AM
Hi Sami,
Unfortunately, you cannot configure a range of ports in Static NAT. You will need to configure a one-to-one static NAT for it and an access-list to open ports in the ACL.
static (in,out) x.x.x.x y.y.y.y netmask 255.255.255.255
access-list out permit ip any host x.x.x.x range 50000 65500
where x.x.x.x is a public IP given to you by the ISP.
Hope this helps!
Regards,
Anu
P.S. Please mark the question as resolved if it has been answered. Do rate helpful posts.
06-07-2011 06:12 AM
Anu,
Thanks for the response. I kind of knew that we couldn't do that, since I couldn't find any way of actually configuring it. I can't use an ACL to allow the ports, due to the problem that the external IP is the same and the internal IP changes based on the port that is used, so it's more of a static PAT.
But thanks for the input...
- Sami
06-07-2011 06:15 AM
This can be accomplished easily using the NAT syntax of ASA version 8.3 or greater:
object network obj-10.10.10.1
host 10.10.10.1
object network obj-10.10.10.2
host 10.10.10.2
object network obj-10.10.10.3
host 10.10.10.3
object network obj-1.1.1.20
host 1.1.1.20
!
object service obj-serviceUDP9000
service udp source eq 9000
object service obj-serviceUDP50000-65500
service udp source range 50000 65500
!
nat (inside,outside) source static obj-10.10.10.1 obj-1.1.1.20 service obj-serviceUDP9000 obj-serviceUDP9000
nat (inside,outside) source static obj-10.10.10.2 obj-1.1.1.20 service obj-serviceUDP50000-65500 obj-serviceUDP50000-65500
nat (inside,outside) source static obj-10.10.10.3 obj-1.1.1.20
ASA(config)# show nat detail
.......
4 (inside) to (outside) source static obj-10.10.10.1 obj-1.1.1.20 service obj-serviceUDP9000 obj-serviceUDP9000
translate_hits = 0, untranslate_hits = 0
Source - Origin: 10.10.10.1/32, Translated: 1.1.1.20/32
Service - Origin: udp source eq 9000 , Translated: udp source eq 9000
5 (inside) to (outside) source static obj-10.10.10.2 obj-1.1.1.20 service obj-serviceUDP50000-65500 obj-serviceUDP50000-65500
translate_hits = 0, untranslate_hits = 0
Source - Origin: 10.10.10.2/32, Translated: 1.1.1.20/32
Service - Origin: udp source range 50000 65500 , Translated: udp source range 50000 65500
6 (inside) to (outside) source static obj-10.10.10.3 obj-1.1.1.20
translate_hits = 0, untranslate_hits = 0
Source - Origin: 10.10.10.3/32, Translated: 1.1.1.20/32
ASA# packet-tracer input outside udp 4.4.4.4 48483 1.1.1.20 9000
......
Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static obj-10.10.10.1 obj-1.1.1.20 service obj-serviceUDP9000 obj-serviceUDP9000
Additional Information:
NAT divert to egress interface inside
Untranslate 1.1.1.20/9000 to 10.10.10.1/9000
......
ASA# packet-tracer input outside udp 4.4.4.4 48483 1.1.1.20 50032
......
Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static obj-10.10.10.2 obj-1.1.1.20 service obj-serviceUDP50000-65500 obj-serviceUDP50000-65500
Additional Information:
NAT divert to egress interface inside
Untranslate 1.1.1.20/50032 to 10.10.10.2/50032
....
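The following Python script is an added example and is not Cisco's code or anything from the posts in this thread. It models the scheme Jay's configuration implements: it renders the 8.3+ object and nat lines from a mapping table shaped like Sami's, checks that no two port rules on the same external IP overlap, and resolves an inbound packet to its internal host the way the UN-NAT phase of packet-tracer did. The object naming (obj-<ip>, obj-service<PROTO><ports>) follows Jay's post; the function names, the Mapping class and the sample table are this example's own assumptions. The point it makes explicit is rule order: manual NAT rules are matched top-down, so the catch-all ANY rule has to come after the port-specific ones, exactly as in Jay's config.

```python
"""Model of the port-range static PAT scheme discussed above (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Mapping:
    ext_ip: str
    proto: Optional[str]      # "udp", "tcp", or None for ANY
    port_lo: Optional[int]    # None for ANY
    port_hi: Optional[int]
    int_ip: str

    def matches(self, proto: str, port: int) -> bool:
        if self.proto is None:
            return True
        return self.proto == proto and self.port_lo <= port <= self.port_hi

    def service_name(self) -> Optional[str]:
        if self.proto is None:
            return None
        ports = (str(self.port_lo) if self.port_lo == self.port_hi
                 else f"{self.port_lo}-{self.port_hi}")
        return f"obj-service{self.proto.upper()}{ports}"


# Constructed table: the three rows from the opening post.
TABLE = [
    Mapping("1.1.1.20", "udp", 9000, 9000, "10.10.10.1"),
    Mapping("1.1.1.20", "udp", 50000, 65500, "10.10.10.2"),
    Mapping("1.1.1.20", None, None, None, "10.10.10.3"),
]


def ordered(mappings: List[Mapping]) -> List[Mapping]:
    """Port-specific rules first, catch-all (ANY) last. Manual NAT is evaluated
    top-down and first match wins, so an ANY rule placed above the port rules
    would swallow every inbound flow for that external IP."""
    return sorted(mappings, key=lambda m: m.proto is None)


def render_config(mappings: List[Mapping], real_if="inside", mapped_if="outside") -> List[str]:
    """Emit object network / object service / nat lines in Jay's layout."""
    lines: List[str] = []
    internals = list(dict.fromkeys(m.int_ip for m in mappings))
    externals = list(dict.fromkeys(m.ext_ip for m in mappings))
    for ip in internals + externals:
        lines += [f"object network obj-{ip}", f" host {ip}"]
    lines.append("!")
    seen = set()
    for m in mappings:
        name = m.service_name()
        if name and name not in seen:
            seen.add(name)
            rng = (f"eq {m.port_lo}" if m.port_lo == m.port_hi
                   else f"range {m.port_lo} {m.port_hi}")
            # "source" because the port belongs to the real (inside) host
            lines += [f"object service {name}", f" service {m.proto} source {rng}"]
    lines.append("!")
    for m in ordered(mappings):
        rule = f"nat ({real_if},{mapped_if}) source static obj-{m.int_ip} obj-{m.ext_ip}"
        name = m.service_name()
        if name:
            rule += f" service {name} {name}"
        lines.append(rule)
    return lines


def find_overlaps(mappings: List[Mapping]) -> List[Tuple[Mapping, Mapping]]:
    """Two port rules on the same external IP and protocol must not share a
    port: the second one would never be reached."""
    out = []
    port_rules = [m for m in mappings if m.proto is not None]
    for i, a in enumerate(port_rules):
        for b in port_rules[i + 1:]:
            if (a.ext_ip == b.ext_ip and a.proto == b.proto
                    and a.port_lo <= b.port_hi and b.port_lo <= a.port_hi):
                out.append((a, b))
    return out


def untranslate(mappings: List[Mapping], ext_ip: str, proto: str, dport: int) -> Optional[str]:
    """Inbound lookup: which internal host receives ext_ip:dport (UN-NAT phase)."""
    for m in ordered(mappings):
        if m.ext_ip == ext_ip and m.matches(proto, dport):
            return m.int_ip
    return None


if __name__ == "__main__":
    print("\n".join(render_config(TABLE)))
    for proto, port in (("udp", 9000), ("udp", 50032), ("tcp", 443)):
        print(f"{proto}/{port} -> {untranslate(TABLE, '1.1.1.20', proto, port)}")
```

Running it prints the same object and nat lines Jay posted and resolves udp/9000 to 10.10.10.1 and udp/50032 to 10.10.10.2, matching the two packet-tracer runs; anything else on 1.1.1.20 lands on 10.10.10.3. find_overlaps is the check worth running on a larger migration table before pasting the generated config, since an overlapping range silently shadows the later rule.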
06-07-2011 06:25 AM
Jay,
Thank you for the response. I really haven't had any exposure to 8.3 yet, but I have enough memory in the ASA to upgrade. I will give it a test and see if that works out; it does seem like it should.
Thanks,
Sami
06-07-2011 06:27 AM
Sami,
Yep, it should work with no problems. For more information about version 8.3 and the upgrade process, see this page that David wrote:
ASA 8.3 Upgrade - What You Need to Know
https://supportforums.cisco.com/docs/DOC-12690
Also linked on that page are some introduction to 8.3 NAT videos that we've done.
- Jay