12-04-2011 08:40 AM - edited 03-11-2019 02:59 PM
Hi,
I have an ASA 8.4 with this scenario:
My Video conference LAN- IP 192.168.1.10 /24 -------- My wan 1.1.1.1 /29
Suppose that I have to configure the IP 192.168.1.10 to use the IP 1.1.1.2/29 so that the external world can access my video conference; how can I create a NAT using the following ports?
object-group service VIDEO_CONF_PORTS
service-object tcp destination range ftp telnet
service-object tcp destination range 1718 1719
service-object tcp destination eq sip
service-object tcp destination eq h323
service-object udp destination range 2326 2485
service-object tcp destination range 1718 h323
service-object tcp destination eq www
Tks
12-04-2011 03:15 PM
Hello Thiago
Great to hear that I have understood your request. Now you will need to create an object service for each port you need to translate.
For example:
Let's discuss the port range from ftp to telnet:
object service Test1
 service tcp source range ftp telnet
Now let's create the http service object:
object service HTTP_80
 service tcp source eq 80
You will need to do the same thing with all the ports for which you need to allow inbound connections.
Now the nat statements:
nat (inside,outside) source static Video_Lan Outside_Ip service Test1 Test1
nat (inside,outside) source static Video_Lan Outside_Ip service HTTP_80 HTTP_80
Note: Here is the thing, you can create an object-group service with all the ports you need for the ACL (with port-object entries the group has to be declared for a protocol, tcp here):
object-group service All_the_ports_in tcp
 port-object eq ftp
 port-object eq http
and keep going....
Then just add the ACL (the ACL matches the real address, referenced here through its network object):
access-list outside_in extended permit tcp any object Video_Lan object-group All_the_ports_in
Please rate helpful posts...
Julio!!!
12-04-2011 09:32 AM
Hello Thiago,
So you want the outside users to access 1.1.1.2 and be redirected to 192.168.1.10 on those particular ports right?
So the nat statement would be like this:
object network Video_Lan
 host 192.168.1.10
object network Outside_Ip
 host 1.1.1.2
object service Ports_Open
 service-object tcp source range ftp telnet
 service-object tcp source range 1718 1719
 service-object tcp source eq sip
 service-object tcp source eq h323
 service-object udp source range 2326 2485
 service-object tcp source range 1718 h323
 service-object tcp source eq www
nat (inside,outside) source static Video_Lan Outside_Ip service Ports_Open Ports_Open
Remember that you also need the ACL on the outside interface pointing to the real IP addresses, not to the NATted IP addresses; in this case, pointing to 192.168.1.10 on those particular ports you wrote down.
Your question was not clear enough, and I have answered it based on what I have understood. Please let me know if this is what you are looking for; if not, please be more specific.
By the way here is one link that will help you when you are setting up some nat statements on 8.3 or prior:
https://supportforums.cisco.com/docs/DOC-9129
Please rate helpful posts.
Julio!!
12-04-2011 01:29 PM
Thanks jcarvaja,
Yes, you understood what I need, but when I insert the following command the ASA says this:
asa(config)# object service test
asa(config-service-object)# ser
asa(config-service-object)# service-
asaf(config-service-object)# service-?
configure mode commands/options:
service-policy
Inside the object service there isn't the command service-object, just service. If I insert these commands:
service tcp source range ftp telnet
service tcp source range 1718 1719
service tcp source eq sip
service tcp source eq h323
service udp source range 2326 2485
service tcp source range 1718 h323
service tcp source eq www
the ASA always keeps just the last command:
asa# show running-config object
object service test
service tcp source eq www
12-07-2011 01:28 PM
Thanks, it worked!
But is there no way to apply all the ports in one NAT?
Tks
12-07-2011 02:17 PM
Hello Thiago,
I am glad it worked. I tried it in my lab and the result was unsuccessful (it did not allow me to use an object-group service on the nat), so you will need to do it one by one.
Regards,
Please rate helpful posts
Julio
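Because an ASA 8.3+ `object service` keeps only its last `service` line, the thread ends up with one service object and one `nat` statement per port entry, while the inbound ACL can still use a single object-group. The Python script below, an added example that is not part of the thread or of any Cisco tooling, expands the original port list into exactly that configuration and flags port entries that overlap (two twice-NAT rules for the same real host and port compete with each other, which is easy to miss when the list is long). The `source` keyword in each service object is used because `Video_Lan` is the source object of the `nat` line, so the port is interpreted relative to the real inside host. Object names (`Video_Lan`, `Outside_Ip`, `VC_*`, `VC_IN_PORTS`, `outside_in`) and the interface names are assumptions for illustration; the port list is constructed from Thiago's original object-group.

```python
"""Expand the thread's port list into ASA 8.4 twice-NAT configuration.

Added example (not from the thread or from Cisco): because one
'object service' on ASA 8.3+ holds a single 'service' line (the last one
typed wins), every port entry becomes its own service object with its own
nat statement, while the inbound ACL can use one object-group. Object names
(Video_Lan, Outside_Ip, VC_*, VC_IN_PORTS, outside_in) are assumed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Numeric values of the ASA named ports used in the thread.
NAMED_PORTS = {"ftp": 21, "telnet": 23, "www": 80, "sip": 5060, "h323": 1720}


@dataclass(frozen=True)
class PortEntry:
    proto: str                # "tcp" or "udp"
    lo: str                   # single port, or first port of a range (name or number)
    hi: Optional[str] = None  # last port of a range, None for a single port

    def numeric(self) -> Tuple[int, int]:
        """Resolve ASA port names so ranges can be compared numerically."""
        a = int(NAMED_PORTS.get(self.lo, self.lo))
        b = int(NAMED_PORTS.get(self.hi, self.hi)) if self.hi else a
        return a, b

    def spec(self) -> str:
        """Port operator as the ASA CLI expects it."""
        return f"range {self.lo} {self.hi}" if self.hi else f"eq {self.lo}"

    def obj_name(self) -> str:
        suffix = f"_{self.hi}" if self.hi else ""
        return f"VC_{self.proto}_{self.lo}{suffix}"


# Constructed from the ports in Thiago's original object-group.
VIDEO_PORTS: List[PortEntry] = [
    PortEntry("tcp", "ftp", "telnet"),
    PortEntry("tcp", "1718", "1719"),
    PortEntry("tcp", "sip"),
    PortEntry("tcp", "h323"),
    PortEntry("udp", "2326", "2485"),
    PortEntry("tcp", "1718", "h323"),
    PortEntry("tcp", "www"),
]


def find_overlaps(entries: List[PortEntry]) -> List[Tuple[PortEntry, PortEntry]]:
    """Pairs of same-protocol entries whose port sets intersect.

    Each entry becomes a separate nat rule for the same real host, so an
    overlap means two rules compete for the same port; flag it before pushing.
    """
    found = []
    for i, a in enumerate(entries):
        for b in entries[i + 1:]:
            if a.proto != b.proto:
                continue
            a_lo, a_hi = a.numeric()
            b_lo, b_hi = b.numeric()
            if a_lo <= b_hi and b_lo <= a_hi:
                found.append((a, b))
    return found


def generate_config(entries, real_ip, mapped_ip, inside="inside", outside="outside") -> str:
    """Emit network objects, one service object + nat line per port entry,
    and an ACL that references the real (untranslated) address."""
    lines = [
        "object network Video_Lan", f" host {real_ip}",
        "object network Outside_Ip", f" host {mapped_ip}",
    ]
    unique = list(dict.fromkeys(entries))  # drop exact duplicates, keep order
    for e in unique:
        name = e.obj_name()
        # 'source' because Video_Lan is the source object of the nat line:
        # the port is interpreted relative to the real (inside) host.
        lines += [
            f"object service {name}",
            f" service {e.proto} source {e.spec()}",
            f"nat ({inside},{outside}) source static Video_Lan Outside_Ip"
            f" service {name} {name}",
        ]
    # The ACL is matched against the real address, so it can use a single
    # object-group with destination ports, as in the original question.
    lines.append("object-group service VC_IN_PORTS")
    lines += [f" service-object {e.proto} destination {e.spec()}" for e in unique]
    lines += [
        f"access-list {outside}_in extended permit object-group VC_IN_PORTS"
        f" any object Video_Lan",
        f"access-group {outside}_in in interface {outside}",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    for a, b in find_overlaps(VIDEO_PORTS):
        print(f"! overlap: {a.proto} {a.spec()} vs {b.proto} {b.spec()}")
    print(generate_config(VIDEO_PORTS, "192.168.1.10", "1.1.1.2"))
```

Run as-is, the script prints two overlap warnings before the configuration: `range 1718 1719` and `eq h323` are both contained in `range 1718 h323` (h323 is 1720), which is worth resolving in the port list before creating seven separate nat rules for the same host.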
12-08-2011 06:17 AM
Ok
TkS!
03-01-2012 12:47 AM
Hi jcarvaja,
Can you advise why there is a "source" keyword defined in the object service?
service tcp source range ftp telnet
I'm confused about the difference between "source" and "destination".
Thanks a lot!