08-26-2015 05:27 AM - edited 03-11-2019 11:29 PM
Dear Sir/Madam,
I want to limit the dynamic PAT port range, like below:
global (outside) 4 10.16.1.16 netmask 255.255.255.255
nat (inside) 4 access-list test
I want to use 10.16.1.16 ports from 10000 to 60000, or I just don't want to use port 30001.
But I haven't found a method.
Thank you!
Tom
08-26-2015 12:25 PM
You could do something like the following:
object network NAT-IP
 host 10.16.1.16
object network LAN
 subnet 11.11.11.0 255.255.255.0
object network REMOTE-NET
 subnet 12.12.12.0 255.255.255.0
object service PORT-RANGE
 service tcp destination range 10000 60000
nat (inside,outside) source dynamic LAN NAT-IP destination static REMOTE-NET REMOTE-NET service PORT-RANGE PORT-RANGE
--
Please remember to select a correct answer and rate helpful posts
08-26-2015 06:02 PM
Hi Marius,
Thank you, I will try it.
Can I add multiple entries under object service PORT-RANGE?
Tom
08-27-2015 12:30 AM
No, you cannot have multiple entries under object service PORT-RANGE. To have multiple services under one object you need to create an object-group, but NAT does not support object groups, so you will need to create individual NAT statements for any other ports.
--
Please remember to select a correct answer and rate helpful posts
08-27-2015 01:32 AM
Oh, that is complicated. We want to kick out just one port, 16000, from the 1-65535 port range.
Does that mean we can't use port number 16000 within the port range 1-65535?
If we can only config one permit port range from 1-15999, how can I config another permit range 16001-65535?
Thank you!
Tom
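The approach from the earlier reply (one service object per range, one NAT statement per object) applied to the 1-15999 and 16001-65535 split, as an added example that is not part of the original thread. The object names PORT-LOW and PORT-HIGH are hypothetical, and the service objects match on destination port, exactly as the reply's PORT-RANGE object does.

```cisco
! Added example (not from the thread). PORT-LOW and PORT-HIGH are hypothetical names;
! NAT-IP, LAN and REMOTE-NET are the objects defined in the earlier reply.
object service PORT-LOW
 service tcp destination range 1 15999
object service PORT-HIGH
 service tcp destination range 16001 65535
! One NAT statement per service object, since NAT does not accept an object-group.
nat (inside,outside) source dynamic LAN NAT-IP destination static REMOTE-NET REMOTE-NET service PORT-LOW PORT-LOW
nat (inside,outside) source dynamic LAN NAT-IP destination static REMOTE-NET REMOTE-NET service PORT-HIGH PORT-HIGH
! TCP traffic to destination port 16000 matches neither statement, so these two rules do not translate it.
```

`show nat detail` lists both rules with their hit counters, which shows which range a given flow matched.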