Showing results for 
Search instead for 
Did you mean: 

IOS FW inbound static PAT range possible?

Level 1
Level 1

Hi I have to create connectivity for an external phone system say port 50000-51000 UDP from outside to a single host inside.


I would like to map the whole UDP port range  range from outside (hitting the external interface) to inside (pabx host keeping udp dest ports consistent eg dest port 50000  coming in to external ios fw interface  to PAT to dest port udp 50000


Without having to do each individual PAT statement or get a separate public IP address, is this possible?

1 Reply 1

Francesco Molino
VIP Alumni
VIP Alumni



Yes on asa this is possible.

Let's assume your outside name is outside and acl attached to it called outside_access_in


Here a config sample (sorry if there are some typos, I'm writing this down from my smartphone):


object service PABX-UDP

 service udp destination range 50000 51000


object network PABX



access-list outside_access_in extended permit object PABX-UDP any object-group PABX


nat (inside,outside) source static PABX service PABX-UDP PABX-UDP

==> Replace by your public ip or your object containing the public ip.


Afterwards, everything should work. Be sure to put the nat at the right place to not have something overlapping.


Do a test and let me know.



I saw in the title you were talking about udp range on ios.

You can use route-map or an easier one like below:


ip nat pool PABX-UDP netmask type rotary


access-list 111 permit udp any any range 50000 51000


ip nat inside destination list 111 pool PABX-UDP


You need to adapt with your actual config of any other Nat exists.


Here an example with route-map:

PS: Please don't forget to rate and select as validated answer if this answered your question
Review Cisco Networking for a $25 gift card