IOS FW inbound static PAT range possible?

dino55088 · ‎10-28-2018

Hi I have to create connectivity for an external phone system say port 50000-51000 UDP from outside to a single host inside.

I would like to map the whole UDP port range range from outside (hitting the external interface) to inside (pabx host 192.168.10.10) keeping udp dest ports consistent eg dest port 50000 coming in to external ios fw interface to PAT to 192.168.10.10 dest port udp 50000

Without having to do each individual PAT statement or get a separate public IP address, is this possible?

Francesco Molino · ‎10-28-2018

Hi

Yes on asa this is possible.

Let's assume your outside name is outside and acl attached to it called outside_access_in

Here a config sample (sorry if there are some typos, I'm writing this down from my smartphone):

object service PABX-UDP

service udp destination range 50000 51000

!

object network PABX

host 192.168.0.10

!

access-list outside_access_in extended permit object PABX-UDP any object-group PABX

nat (inside,outside) source static PABX 1.1.1.1 service PABX-UDP PABX-UDP

==> Replace 1.1.1.1 by your public ip or your object containing the public ip.

Afterwards, everything should work. Be sure to put the nat at the right place to not have something overlapping.

Do a test and let me know.

[EDIT]

I saw in the title you were talking about udp range on ios.

You can use route-map or an easier one like below:

ip nat pool PABX-UDP 192.168.0.50 192.168.0.10 netmask 255.255.255.0 type rotary

!

access-list 111 permit udp any any range 50000 51000

!

ip nat inside destination list 111 pool PABX-UDP

You need to adapt with your actual config of any other Nat exists.

Here an example with route-map:

https://community.cisco.com/t5/routing/forward-range-ports-for-few-hosts-in-isr4331/td-p/3316899

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question