03-12-2011 04:18 PM - edited 03-11-2019 01:05 PM
I have an ASA 5505 running 8.4(1), and I'm configuring it with ASDM 6.4(1). The outside interface is configured with a single static address. I have a few services port forwarded successfully to three different servers on the inside network.
I need to make a media proxy on a SIP server available to the outside. It requires a large range of forwarded UDP ports for the media channels.
I tried adding a network object NAT rule like the others I'm already using to forward HTTP and RDP. I entered a range of ports for the real port and the mapped port using the syntax 60000-60999. ASDM accepted it, but the NAT rule list displays "Any" in the service column. When I apply the change, I get the following error:
nat (inside,outside) static interface service tcp 60000-60999 60000-60999
^
ERROR: % Invalid input detected at '^' marker.
How do I forward a large range of UDP ports from the outside interface to a single server on my inside network? I'd like to use ASDM, but I can switch to the CLI if that works better.
Thanks,
Alan
03-12-2011 06:35 PM
Hi Alan
We cannot forward a range of ports to a range of ports on the ASA. Port forwarding has to be one-to-one.
For example,
- Pre-8.3
static (inside,outside) tcp y.y.y.y 80 x.x.x.x 80
- 8.3 or higher
object network obj-name1
host x.x.x.x
nat (inside,outside) static y.y.y.y service tcp 80 80
You can use static NAT rather than using port forwarding with free public IP.
Hope this helps. Please reply back if you need any further assistance.
Regards,
Chirag
P.S.: Please mark this thread as answered if you feel your query is answered. Do rate helpful posts.
03-12-2011 06:49 PM
By "free public IP", you mean I need a second public IP on the outside interface? In this scenario I would static NAT the new IP to the SIP server, so I wouldn't need to do any port forwarding, correct?
03-12-2011 09:25 PM
Yes Alan. You will have to do a static NAT for the SIP server with the new IP.
Please mark this post as answered so that others can refer to it in the future.
Regards,
Chirag
08-23-2013 04:10 PM
Chirag Saxena wrote:
Hi Alan
We cannot forward a range of ports to a range of ports on the ASA. Port forwarding has to be one-to-one.
That is insane... a VOIP provider wants 500 UDP ports forwarded to a VOIP server inside a network. That means 1500 lines of code. Is there now a fix or workaround to this?
-Chris
08-23-2013 09:04 PM
Hi Alan,
After version 8.3 the NAT is more flexible.
You can configure an object service and apply it to the NAT.
This way you configure just one line for the NAT.
Also remember to open the ports on the ACL that you have applied to the outside interface.
For example:
You have an internal server "10.10.10.10":
object service UDP-PORTS
service udp source range 60000 60999
exit
object network obj-10.10.10.10
host 10.10.10.10
exit
nat (inside,outside) source static obj-10.10.10.10 interface service UDP-PORTS UDP-PORTS
Please rate helpful posts.
Regards,
Harvey
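Putting Harvey's objects together with the ACL step he mentions, as an added example that is not from any of the posts above. The interface ACL name (outside_access_in) is an assumption; on 8.3 and later the ACL matches the real, untranslated address, so the rule points at the network object rather than the outside interface address.

```cisco
! Service object holding the UDP media range (source = the real server's ports)
object service UDP-PORTS
 service udp source range 60000 60999

! Real (untranslated) address of the SIP/media server
object network obj-10.10.10.10
 host 10.10.10.10

! Twice NAT: outside interface address, UDP 60000-60999 <-> 10.10.10.10, same ports
nat (inside,outside) source static obj-10.10.10.10 interface service UDP-PORTS UDP-PORTS

! Inbound ACL on the outside interface (name is assumed).
! On 8.3+ the destination is the REAL address (the object), not the outside IP.
! Replace "any" with the provider's media hosts if they are known, so only
! the expected peers can reach the media range.
access-list outside_access_in extended permit udp any object obj-10.10.10.10 range 60000 60999
access-group outside_access_in in interface outside
```

To confirm the rule set behaves as intended, run `packet-tracer input outside udp <peer-ip> 40000 <outside-ip> 60500` from the CLI; it walks a test packet through the ACL and NAT phases and reports whether it would be allowed and to which real address it is translated.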