10-15-2013 10:39 PM - edited 03-11-2019 07:52 PM
I have one external IP address of 200.200.200.200. Then I have two different servers. One server is running https and smtp. I'm able to create my ACLs and static mappings to get that working. Now the second server I have a lot of ports (10000 - 65000) I need to forward to it. Making thousands of static entries can't be the answer because the cheapo Netgear I'm replacing the Cisco ASA 5510 with was able to do it in one line.
Here is how I mapped the first server:
static (inside,outside) tcp interface 3389 192.168.1.1 3390 netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.1 https netmask 255.255.255.255
I'm running 8.2.5 now but I'm open to anything at this point.
10-15-2013 11:16 PM
Hi,
I guess the best situation would be to have a dedicated public IP address for this host for Static NAT instead of Static PAT. Though I imagine you have thought about this and it's not possible, either because of some cost issues or because of the ISP.
To my understanding there has never been an option (until now in the new software) to forward a continuous range of ports. So in the current software it seems to me that the only option is a huge amount of Static PAT configurations or a Static NAT with an extra public IP.
You can only forward a continuous range of ports in the software levels 8.3 (and above).
With the jump from 8.2 to 8.3 the ASA got its NAT totally reworked. I imagine you have pretty simple configurations otherwise related to NAT so it wouldn't be such a big jump for you as for others that have large NAT configurations for their company's firewall.
The new NAT format still has its shortcomings and has the problem that you need several NAT configurations still to achieve some things.
I would for example want that we could use "object-group service" as the parameter of NAT configurations but this is not possible yet and I am not sure it will be.
In the new software a Static PAT (Port Forward) for a range of ports could be done with:
! service object covering the whole port range
object service PORT-RANGE
 service tcp source range 10000 65000
! the inside host that receives the forwarded ports
object network HOST
 host 192.168.1.x
! twice NAT: map the host to the outside interface address, same port range inside and out
nat (inside,outside) source static HOST interface service PORT-RANGE PORT-RANGE
! allow the traffic in through the outside ACL (real address and ports are used from 8.3 onwards)
access-list OUTSIDE-IN permit tcp host x.x.x.x object HOST range 10000 65000
Hope this helps
- Jouni
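As an added example (my own code, not from the thread or from Cisco), the script below shows the two approaches side by side: it counts how many pre-8.3 per-port `static` lines the 10000-65000 range would need, emits the 8.3+ object/nat form that mirrors Jouni's snippet, and parses existing 8.2 `static ... interface` lines so you can list which inside ports are exposed on the outside address and which ones are translated to a different inside port. The function names, the `PortForward` class, the `any` source in the generated ACL and the small named-port table are my assumptions; the sample `static` lines are the ones from the question.

```python
"""Added example: generate ASA port-range forwarding config and audit static PAT lines.

Assumptions (not from the thread): helper names, the ACL source of 'any',
and the small named-port table below. The 8.2 'static' syntax and the 8.3+
object/nat syntax follow the lines posted in the thread.
"""
import ipaddress
import re
from dataclasses import dataclass

# Named ports the ASA accepts in 'static' lines; a constructed subset.
NAMED_PORTS = {"http": 80, "https": 443, "smtp": 25, "ssh": 22}


@dataclass(frozen=True)
class PortForward:
    inside_host: str   # real (inside) address
    proto: str         # "tcp" or "udp"
    low: int           # first port of the range
    high: int          # last port of the range (inclusive)

    def __post_init__(self):
        ipaddress.IPv4Address(self.inside_host)  # raises ValueError on bad input
        if self.proto not in ("tcp", "udp"):
            raise ValueError(f"unsupported protocol {self.proto!r}")
        if not 1 <= self.low <= self.high <= 65535:
            raise ValueError(f"bad port range {self.low}-{self.high}")


def asa82_static_lines(fw, inside_if="inside", outside_if="outside"):
    """Pre-8.3 style: one Static PAT line per port, same port inside and out."""
    return [
        f"static ({inside_if},{outside_if}) {fw.proto} interface {port} "
        f"{fw.inside_host} {port} netmask 255.255.255.255"
        for port in range(fw.low, fw.high + 1)
    ]


def asa83_range_config(fw, host_obj="HOST", svc_obj="PORT-RANGE",
                       acl="OUTSIDE-IN", source="any",
                       inside_if="inside", outside_if="outside"):
    """8.3+ style mirroring the reply: one service object covers the range."""
    return [
        f"object service {svc_obj}",
        f" service {fw.proto} source range {fw.low} {fw.high}",
        f"object network {host_obj}",
        f" host {fw.inside_host}",
        f"nat ({inside_if},{outside_if}) source static {host_obj} interface "
        f"service {svc_obj} {svc_obj}",
        f"access-list {acl} permit {fw.proto} {source} object {host_obj} "
        f"range {fw.low} {fw.high}",
    ]


# Matches an 8.2 'static' line that forwards a port on the interface address.
STATIC_RE = re.compile(
    r"^static \((?P<in>\w+),(?P<out>\w+)\) (?P<proto>tcp|udp) interface "
    r"(?P<oport>\S+) (?P<host>[\d.]+) (?P<iport>\S+) netmask 255\.255\.255\.255$"
)


def _port(token):
    """Resolve a named or numeric port token to an integer."""
    return NAMED_PORTS.get(token) or int(token)


def audit_static_pat(config_lines):
    """Return (proto, outside_port, inside_host, inside_port) for every 8.2
    static PAT line; lines that do not match are ignored."""
    exposed = []
    for line in config_lines:
        m = STATIC_RE.match(line.strip())
        if m:
            exposed.append((m["proto"], _port(m["oport"]), m["host"], _port(m["iport"])))
    return exposed


def translated_ports(exposed):
    """Entries whose outside port differs from the inside port (e.g. 3389 -> 3390)."""
    return [e for e in exposed if e[1] != e[3]]


if __name__ == "__main__":
    fw = PortForward("192.168.1.2", "tcp", 10000, 65000)  # constructed inside host
    print(f"8.2 would need {len(asa82_static_lines(fw))} static lines")
    print("\n".join(asa83_range_config(fw)))
    sample = [  # the two static lines from the question
        "static (inside,outside) tcp interface 3389 192.168.1.1 3390 netmask 255.255.255.255",
        "static (inside,outside) tcp interface https 192.168.1.1 https netmask 255.255.255.255",
    ]
    for entry in audit_static_pat(sample):
        print("exposed:", entry)
    print("translated:", translated_ports(audit_static_pat(sample)))
```

The parser is deliberately strict: it only recognises `static` lines that publish a port on the interface address, so anything it skips in a real config is worth reading by hand rather than assuming it is not exposed.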