
Configuring static PAT's using port ranges on ASA's

Sami Abunasser
Level 1

Hi,

I am in the process of replacing all of our Checkpoint firewalls with Cisco ASAs. I am currently running into the following problem with configuring static NATs and PATs.

At some of our locations, the external IPs are mapped to internal IPs based on port ranges, and I can't find a way to replicate that on the ASA. Here's an example:

External NAT   External Port       Internal Host
1.1.1.20       UDP 9000            10.10.10.1
1.1.1.20       UDP 50000-65500     10.10.10.2
1.1.1.20       ANY                 10.10.10.3

I couldn't find any way of configuring a static NAT that uses the port range (50000-65500), and I'm not about to write 15000 static NAT statements.

Does anyone know how you can use the port range in the static NAT?

Thanks,

Sami

5 Replies

Anu M Chacko
Cisco Employee

Hi Sami,

Unfortunately, you cannot configure a range of ports in Static NAT. You will need to configure a one-to-one static NAT for it and an access-list to open ports in the ACL.

static (in,out) x.x.x.x y.y.y.y netmask 255.255.255.255
access-list out permit udp any host x.x.x.x range 50000 65500

where x.x.x.x is a public IP given to you by the ISP.

Hope this helps!

Regards,

Anu

P.S. Please mark the question as resolved if it has been answered. Do rate helpful posts.

Anu,

Thanks for the response, I kind of knew that we couldn't do that, since I couldn't find any way of actually configuring it. I can't use an ACL to allow the ports, due to the problem that the external IP is the same, and the internal IP changes based on the port that is used, so it's more of a static PAT.

But thanks for the input...

- Sami

Jay Johnston
Cisco Employee

This can be accomplished easily using the NAT syntax of ASA version 8.3 or greater:

object network obj-10.10.10.1
   host 10.10.10.1
object network obj-10.10.10.2
   host 10.10.10.2
object network obj-10.10.10.3
   host 10.10.10.3
object network obj-1.1.1.20
   host 1.1.1.20
!
object service obj-serviceUDP9000
   service udp source eq 9000
object service obj-serviceUDP50000-65500
   service udp source range 50000 65500
!
nat (inside,outside) source static obj-10.10.10.1 obj-1.1.1.20 service obj-serviceUDP9000 obj-serviceUDP9000
nat (inside,outside) source static obj-10.10.10.2 obj-1.1.1.20 service obj-serviceUDP50000-65500 obj-serviceUDP50000-65500
nat (inside,outside) source static obj-10.10.10.3 obj-1.1.1.20

ASA(config)# show nat detail
.......
4 (inside) to (outside) source static obj-10.10.10.1 obj-1.1.1.20 service obj-serviceUDP9000 obj-serviceUDP9000
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 10.10.10.1/32, Translated: 1.1.1.20/32
    Service - Origin: udp source eq 9000 , Translated: udp source eq 9000
5 (inside) to (outside) source static obj-10.10.10.2 obj-1.1.1.20 service obj-serviceUDP50000-65500 obj-serviceUDP50000-65500
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 10.10.10.2/32, Translated: 1.1.1.20/32
    Service - Origin: udp source range 50000 65500 , Translated: udp source range 50000 65500
6 (inside) to (outside) source static obj-10.10.10.3 obj-1.1.1.20
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 10.10.10.3/32, Translated: 1.1.1.20/32

ASA# packet-tracer input outside udp 4.4.4.4 48483 1.1.1.20 9000
......
Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static obj-10.10.10.1 obj-1.1.1.20 service obj-serviceUDP9000 obj-serviceUDP9000
Additional Information:
NAT divert to egress interface inside
Untranslate 1.1.1.20/9000 to 10.10.10.1/9000
......

ASA# packet-tracer input outside udp 4.4.4.4 48483 1.1.1.20 50032
......
Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static obj-10.10.10.2 obj-1.1.1.20 service obj-serviceUDP50000-65500 obj-serviceUDP50000-65500
Additional Information:
NAT divert to egress interface inside
Untranslate 1.1.1.20/50032 to 10.10.10.2/50032
....
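Added example, not part of the thread or Cisco's own tooling: a small Python script that generates the 8.3+ twice-NAT configuration shown in Jay's reply from a mapping table like the one in the question (useful when a Checkpoint migration has many such rows), and models the first-match lookup that the packet-tracer output demonstrates. Interface names inside/outside and the object naming follow Jay's post; placing the ANY row after the port-specific rows is an assumption about the order you want the catch-all in, since manual NAT rules are matched in the order they appear.

```python
"""Generate ASA 8.3+ manual (twice) NAT config from a port-range mapping table
and model which inside host an inbound packet would be un-NATed to."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Mapping:
    mapped_ip: str                      # external (mapped) address
    real_ip: str                        # internal (real) host
    proto: Optional[str]                # "udp" / "tcp", or None for ANY
    ports: Optional[Tuple[int, int]]    # (low, high), or None for ANY

def ordered(mappings: List[Mapping]) -> List[Mapping]:
    # Manual NAT rules are evaluated first-match in configured order, so the
    # catch-all (ANY) row for a mapped IP must come after the port-specific rows
    # or it would silently swallow every inbound packet. Stable sort keeps the
    # relative order of the port-specific rows.
    return sorted(mappings, key=lambda m: m.ports is None)

def asa_config(mappings: List[Mapping]) -> List[str]:
    lines, seen = [], set()
    for m in ordered(mappings):
        for ip in (m.real_ip, m.mapped_ip):
            if ip not in seen:            # one network object per host
                seen.add(ip)
                lines += [f"object network obj-{ip}", f"   host {ip}"]
    for m in ordered(mappings):
        if m.ports is None:
            lines.append(f"nat (inside,outside) source static obj-{m.real_ip} obj-{m.mapped_ip}")
            continue
        lo, hi = m.ports
        svc = f"obj-service{m.proto.upper()}{lo}" + ("" if lo == hi else f"-{hi}")
        port = f"eq {lo}" if lo == hi else f"range {lo} {hi}"
        # "source" because the port belongs to the inside (real) host's side
        lines += [f"object service {svc}", f"   service {m.proto} source {port}"]
        lines.append(f"nat (inside,outside) source static obj-{m.real_ip} "
                     f"obj-{m.mapped_ip} service {svc} {svc}")
    return lines

def untranslate(mappings: List[Mapping], dst_ip: str, proto: str, dst_port: int) -> Optional[str]:
    """Inside host an inbound packet to dst_ip/proto/dst_port is un-NATed to (first match)."""
    for m in ordered(mappings):
        if m.mapped_ip != dst_ip:
            continue
        if m.ports is None or (m.proto == proto and m.ports[0] <= dst_port <= m.ports[1]):
            return m.real_ip
    return None     # no rule: the packet is not un-NATed at all

# Constructed sample table, same rows as the question (ANY deliberately listed first).
TABLE = [Mapping("1.1.1.20", "10.10.10.3", None, None),
         Mapping("1.1.1.20", "10.10.10.1", "udp", (9000, 9000)),
         Mapping("1.1.1.20", "10.10.10.2", "udp", (50000, 65500))]
```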

Jay,

Thank you for the response. I really haven't had any exposure to 8.3 yet, but I have enough memory in the ASA to upgrade. I will give it a test and see if that works out; it does seem like it should.

Thanks,

Sami

Sami,

Yep, it should work with no problems. For more information about version 8.3 and the upgrade process, see this page that David wrote:

ASA 8.3 Upgrade - What You Need to Know

https://supportforums.cisco.com/docs/DOC-12690

Also linked on that page are some introduction to 8.3 NAT videos that we've done.

- Jay
