how to configure a NAT port range on ASA 5510

dino-chirico
Level 1

Hi,

I have a Cisco ASA 5510 and would like to add a NAT rule for a range of ports like 50000-59999.

19 Replies

dino-chirico
Level 1

Hmm is there any other way of doing this?

Hi Dino,

What version are you using? It should be possible with 8.3 or higher code.

Thanks,
Varun Rao
Security Team,
Cisco TAC


Hi

I'm using 8.4. How do I do it?

Hi Dino,

Please explain your requirement first.

Thanks,
Varun Rao
Security Team,
Cisco TAC


OK, I have RTP UDP ports 50000-59999 to be NATed from public to my private Lync server.

Hi Dino,

You need to configure something like this:

! public_ip and private_ip are network objects that must already exist
object service udp_ports

  service udp destination range 50000 59999

nat (outside,inside) source static any any destination static public_ip private_ip service udp_ports udp_ports

Hope that helps.

Thanks,
Varun Rao
Security Team,
Cisco TAC


Hi Varun,

OK, I did the first part but couldn't do the second through ASDM. I will try through the CLI.

Will try it tonight.

Thanks

Sure, let me know how it goes.

Thanks,
Varun Rao
Security Team,
Cisco TAC


I am using ASA 8.2(5) on a 5505 and want UDP port forwarding for the range 36,000 to 59,999.

Please advise which commands to configure and apply.

Thank you a lot.

Hi Rizwan,

We cannot create a static NAT for a range of ports in version 8.2; you need to write multiple statements or perform a static one-to-one NAT. This can be done in versions above 8.3, where the NAT configuration changed.

Please refer to the "Static NAT for a Range of Ports" section:

https://supportforums.cisco.com/document/33921/asa-pre-83-83-nat-configuration-examples

You can create a static NAT in 8.2 and permit only the set of ports using an access list.

For example:

static (inside,outside) <public IP> <Private IP> netmask 255.255.255.255

Now create an access list for this traffic.

access-list outside_in extended permit udp any host <public IP> range 36000 59999

access-group outside_in in interface outside

Or you can upgrade the device to a version above 8.3.

Thanks,
Shivapramod M
Please remember to select a correct answer and rate helpful posts.
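The two designs in this thread (Varun's 8.3+ twice NAT scoped by a service object, and Shivapramod's 8.2 one-to-one static plus an interface ACL) differ in where the port range is enforced. The added example below is not from the thread or from Cisco: it is a small Python model that parses the `access-list ... extended` line form used above, applies a simplified version of each NAT design to constructed sample packets, and shows that with the 8.2 design the ACL alone limits which ports of the public address reach the server, while with the 8.3+ design only the listed protocol and range is translated at all. The addresses (203.0.113.10, 10.1.1.10, 198.51.100.7) are constructed documentation-range values, and `deliver_8_2` / `deliver_8_3` are hypothetical helper names, not ASA commands. The 8.3+ model deliberately leaves out the interface ACL that a real 8.3+ box still needs, so that the NAT behaviour is shown on its own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str      # "udp" or "tcp"
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class AclEntry:
    action: str                       # "permit" or "deny"
    proto: str                        # "udp", "tcp" or "ip"
    src: str                          # "any" or a host address
    dst: str                          # "any" or a host address
    ports: Optional[Tuple[int, int]]  # (low, high) from eq/range, None = any port


# Subset of the `access-list <name> extended ...` syntax used in the thread.
ACL_RE = re.compile(
    r"access-list\s+(?P<name>\S+)\s+extended\s+(?P<action>permit|deny)\s+"
    r"(?P<proto>udp|tcp|ip)\s+(?P<src>any|host\s+\S+)\s+(?P<dst>any|host\s+\S+)"
    r"(?:\s+(?P<pspec>eq\s+\d+|range\s+\d+\s+\d+))?\s*$"
)


def parse_acl_line(line: str) -> AclEntry:
    """Parse one extended ACL line into an AclEntry; reject anything outside the subset."""
    m = ACL_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported ACL syntax: {line!r}")

    def addr(tok: str) -> str:
        return "any" if tok == "any" else tok.split()[1]

    ports = None
    if m["pspec"]:
        parts = m["pspec"].split()
        low = int(parts[1])
        high = int(parts[2]) if parts[0] == "range" else low
        ports = (low, high)
    return AclEntry(m["action"], m["proto"], addr(m["src"]), addr(m["dst"]), ports)


def acl_permits(entries: List[AclEntry], pkt: Packet) -> bool:
    """First matching entry wins; no match at all is the ASA's implicit deny."""
    for e in entries:
        if e.proto not in ("ip", pkt.proto):
            continue
        if e.src != "any" and e.src != pkt.src:
            continue
        if e.dst != "any" and e.dst != pkt.dst:
            continue
        if e.ports and not (e.ports[0] <= pkt.dport <= e.ports[1]):
            continue
        return e.action == "permit"
    return False


# Constructed addresses (RFC 5737 documentation ranges), not the poster's real ones.
PUBLIC_IP = "203.0.113.10"
PRIVATE_IP = "10.1.1.10"


def deliver_8_2(pkt: Packet, acl: List[AclEntry]) -> Optional[Packet]:
    """8.2 design: one-to-one `static (inside,outside) <public> <private>` plus an ACL.
    The static translates every port of PUBLIC_IP, so the ACL is the only thing
    limiting which ports reach the server. Pre-8.3 interface ACLs match the public
    (translated) address, so the ACL is evaluated before untranslating."""
    if pkt.dst != PUBLIC_IP or not acl_permits(acl, pkt):
        return None
    return Packet(pkt.proto, pkt.src, PRIVATE_IP, pkt.dport)


def deliver_8_3(pkt: Packet, proto: str = "udp",
                low: int = 50000, high: int = 59999) -> Optional[Packet]:
    """8.3+ design: twice NAT with a service object, so only the listed protocol and
    port range is translated at all (the interface ACL a real 8.3+ box still needs
    is intentionally omitted here to isolate the NAT behaviour)."""
    if pkt.dst == PUBLIC_IP and pkt.proto == proto and low <= pkt.dport <= high:
        return Packet(pkt.proto, pkt.src, PRIVATE_IP, pkt.dport)
    return None


# Constructed sample ACLs: the tight one from the thread (with the Lync RTP range)
# and an over-broad one that exposes every port behind the one-to-one static.
RANGE_ACL = [parse_acl_line(
    "access-list outside_in extended permit udp any host 203.0.113.10 range 50000 59999")]
BROAD_ACL = [parse_acl_line(
    "access-list outside_in extended permit ip any host 203.0.113.10")]


def compare(pkt: Packet) -> dict:
    """True when the packet reaches the private Lync address under each design."""
    return {
        "8.2_range_acl": deliver_8_2(pkt, RANGE_ACL) is not None,
        "8.2_broad_acl": deliver_8_2(pkt, BROAD_ACL) is not None,
        "8.3_service_nat": deliver_8_3(pkt) is not None,
    }


if __name__ == "__main__":
    for p in (Packet("udp", "198.51.100.7", PUBLIC_IP, 55000),
              Packet("udp", "198.51.100.7", PUBLIC_IP, 40000),
              Packet("tcp", "198.51.100.7", PUBLIC_IP, 55000)):
        print(p, compare(p))
```

The point to take from the comparison: under the 8.2 design the exposure of the Lync server is exactly the width of the ACL, so `permit ip any host <public IP>` turns the one-to-one static into a full exposure of every port; under the 8.3+ design the service object bounds the translation itself, and packets outside the range are never mapped to the private address.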

Hi Shivapramod,

Thank you for the reply.

I will definitely upgrade to 8.3 or above to support the range command, because I can't add a long list of commands in the ASA.

Please advise the commands for 8.3 or above to define UDP port ranges.

Thank you so much.

Hi,

Please refer to the document mentioned in the last comment.

Please refer to the "Static NAT for a Range of Ports" section:

https://supportforums.cisco.com/document/33921/asa-pre-83-83-nat-configuration-examples

Please remember to rate helpful posts.

Thanks,

Hi,

I tried to enter the service group but it didn't like "destination". Is it a command that came later in IOS? I have version Cisco Adaptive Security Appliance Software Version 8.2(5), Device Manager Version 6.4(5).

ASA01(config)# object service Lync_RTP_UDP

ASA01(config-service)# service udp destination range 50000 50009

^

ERROR: % Invalid input detected at '^' marker.

ASA01(config-service)# object service Lync_RTP_TCP

ASA01(config-service)# service tcp destination range 50000 50009

^

ERROR: % Invalid input detected at '^' marker

Thanks

Regards,

Dino Chirico | IT Manager

T: 03 9697 2222 | F: 03 9697 2200 | M: +61 (407) 454600

W: Prosum.com.au | E: Dino.Chirico@prosum.com.au

A: 6 Ross Street , South Melbourne 3205


Hi,

I ended up doing this:

object-group service Lync_RTP_UDP

service-object udp range 50000 59999

object-group service Lync_RTP_TCP

service-object tcp range 50000 59999

but I still can't do the static NAT.

static (Lync_Ext,Internet_AAPT) udp x.x.x.x ... then I can't refer to Lync_RTP_UDP.

Any other ideas?

Thanks

