Forwarding a range of ports in 8.4

silonet
Level 1

I have an ASA 5505 running 8.4(1), and I'm configuring it with ASDM 6.4(1). The outside interface is configured with a single static address. I have a few services port forwarded successfully to three different servers on the inside network.

I need to make a media proxy on a SIP server available to the outside.  It requires a large range of forwarded UDP ports for the media channels.

I tried adding a network object NAT rule like the others I'm already using to forward HTTP and RDP.  I entered a range of ports for the real port and the mapped port using the syntax 60000-60999.  ASDM accepted it, but the NAT rule list displays "Any" in the service column.  When I apply the change, I get the following error:

nat (inside,outside) static interface service tcp 60000-60999 60000-60999
                                      ^
ERROR: % Invalid input detected at '^' marker.

How do I forward a large range of UDP ports from the outside interface to a single server on my inside network?  I'd like to use ASDM, but I can switch to the CLI if that works better.

Thanks,

Alan

5 Replies

csaxena
Cisco Employee

Hi Alan

We cannot forward a range of ports to a range of ports on the ASA. Port forwarding has to be one-to-one.

For example,

- Pre-8.3

static (inside,outside) tcp y.y.y.y 80 x.x.x.x 80

- 8.3 or higher

object network obj-name1
 host x.x.x.x
 nat (inside,outside) static y.y.y.y service tcp 80 80

You can use static NAT with a free public IP rather than port forwarding.

Hope this helps. Please reply back if you need any further assistance.

Regards,
Chirag
P.S.: Please mark this thread as answered if you feel your query is answered. Do rate helpful posts.

By "free public IP", you mean I need a second public IP on the outside interface?  In this scenario I would static NAT the new IP to the SIP server, so I wouldn't need to do any port forwarding, correct?

Yes Alan. You will have to do a static NAT of the SIP server to the new IP.

Please mark this post as answered so others can refer to it in the future.

Regards,
Chirag

Chirag Saxena wrote:

Hi Alan

We cannot forward a range of ports to a range of ports on the ASA. Port forwarding has to be one-to-one.

That is insane... a VoIP provider wants 500 UDP ports forwarded to a VoIP server inside a network. That means 1500 lines of code. Is there now a fix or workaround for this?

-Chris

Harvey Ortiz
Level 1

Hi Alan,

After version 8.3 the NAT is more flexible.

You can configure an object service and apply it to the NAT.

This way you configure just one line for the NAT.

Also remember to open the ports on the ACL that you have applied to the outside interface.

For example:

You have an internal server "10.10.10.10":

object service UDP-PORTS
 service udp source range 60000 60999
exit

object network obj-10.10.10.10
 host 10.10.10.10
exit

nat (inside,outside) source static obj-10.10.10.10 interface service UDP-PORTS UDP-PORTS

Please rate helpful posts.

Regards,

Harvey
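As an added example (not part of any reply in this thread), the following Python generates the object-service / twice-NAT / ACL lines for the range approach described above, after checking that the range is valid and does not collide with ports already forwarded on the interface address. The ACL name "outside_access_in" and the table of existing forwards are assumptions; use the ACL actually bound to your outside interface.

```python
"""Generate the ASA 8.3+ lines for one UDP port-range forward.

Added example, not a reply from the thread: it validates the range, checks
for collisions with ports already forwarded on the same interface address,
and emits the object-service/twice-NAT/ACL lines. The ACL name and the
table of existing forwards are constructed assumptions."""

import ipaddress

MAX_PORT = 65535


def validate_range(low: int, high: int) -> None:
    """Reject ranges the ASA would refuse (outside 1-65535 or reversed)."""
    if not (1 <= low <= MAX_PORT and 1 <= high <= MAX_PORT):
        raise ValueError(f"ports must be within 1-{MAX_PORT}: {low}-{high}")
    if low > high:
        raise ValueError(f"range start {low} is above its end {high}")


def find_collisions(existing: dict[str, set[int]], proto: str, low: int, high: int) -> set[int]:
    """Mapped ports already forwarded for the same protocol on the interface IP.

    Two static rules cannot share a mapped port/protocol on one address, so
    any hit here means the range must move or the old forward must go."""
    return {p for p in existing.get(proto, set()) if low <= p <= high}


def nat_range_config(server_ip, low, high, proto="udp", acl_name="outside_access_in"):
    """Return the config lines: one NAT rule instead of one rule per port."""
    validate_range(low, high)
    ip = str(ipaddress.IPv4Address(server_ip))  # raises on a malformed address
    svc = f"{proto.upper()}-PORTS-{low}-{high}"
    obj = f"obj-{ip}"
    return [
        f"object service {svc}",
        f" service {proto} source range {low} {high}",
        "exit",
        f"object network {obj}",
        f" host {ip}",
        "exit",
        f"nat (inside,outside) source static {obj} interface service {svc} {svc}",
        # 8.3+ ACLs match the real (inside) address, not the mapped interface address.
        f"access-list {acl_name} extended permit {proto} any object {obj} range {low} {high}",
    ]


if __name__ == "__main__":
    # Constructed: forwards already in place from the question (HTTP and RDP over TCP).
    in_use = {"tcp": {80, 3389}, "udp": set()}
    assert not find_collisions(in_use, "udp", 60000, 60999)
    print("\n".join(nat_range_config("10.10.10.10", 60000, 60999)))
```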
