Solved: Hi Karthik,Sorry for the

Phil Smith · ‎08-07-2014

Hi,

I need to configure an ASA with PAT/NAT as follows:

External IP: w.w.w.w

Server 1 Internal IP: a.a.a.a

Server 2 Internal IP: b.b.b.b

Ports:

Server 1 TCP: 22, 5222, 8080, 8443-8444

UDP: 5222, 8080, 8444

Server 2 TCP: 80, 1710-1730, 6060-6070

UDP: 80, 6060-6070, 45000-64000

Can anyone please explain how to do this, as everything I have tried so far has failed.

I have tried creating individual Network Object definitions for each port needed, which works,

but it doesn't allow me to enter port ranges i.e. 6060-6070.

I could do individual definitions for the small ranges, but can't figure out how to do the same for the large range.

Thanks

nkarthikeyan · ‎08-07-2014

Hi Smith,

Please check and let me know about the result. No issues!!!

Regards

Karthik

View solution in original post

nkarthikeyan · ‎08-07-2014

Hi Smith,

Can you try like the below for your requirement?

Examples

The following example shows the use of static interface NAT with port translation. Hosts on the outside access an FTP server on the inside by connecting to the outside interface IP address with destination port 65000 through 65004. The traffic is untranslated to the internal FTP server at 192.168.10.100:6500 through :65004. Note that you specify the source port range in the service object (and not the destination port) because you want to translate the source address and port as identified in the command; the destination port is "any." Because static NAT is bidirectional, "source" and "destination" refers primarily to the command keywords; the actual source and destination address and port in a packet depends on which host sent the packet. In this example, connections are originated from outside to inside, so the "source" address and port of the FTP server is actually the destination address and port in the originating packet.

hostname(config)# object service FTP_PASV_PORT_RANGE

hostname(config-service-object)# service tcp source range 65000 65004

hostname(config)# object network HOST_FTP_SERVER

hostname(config-network-object)# host 192.168.10.100

hostname(config)# nat (inside,outside) source static HOST_FTP_SERVER interface service FTP_PASV_PORT_RANGE FTP_PASV_PORT_RANGE

Make sure that you use a different object name for every translation you use for individual port wise

Server 1 TCP: 22, 5222, 8080, 8443-8444

UDP: 5222, 8080, 8444

Server 2 TCP: 80, 1710-1730, 6060-6070

UDP: 80, 6060-6070, 45000-64000

So you need to create 13 different object for the real address of servers..... server1 and 2 in total....

service object also needed for port range....

Regards

Karthik

Phil Smith · ‎08-07-2014

I think this may have worked (the packet tracer in ASDM shows it as working), but I won't know until the servers are configured and connected.

Once I know for sure, I will mark the answer as correct.

Many thanks

Phil

nkarthikeyan · ‎08-07-2014

Hi Smith,

Please check and let me know about the result. No issues!!!

Regards

Karthik

Phil Smith · ‎09-19-2014

Hi Karthik,

Sorry for the delay, but yes it solved the problem.

Many Thanks

Regards

Phil

nkarthikeyan · ‎09-19-2014

Hi Phil,

Glad to hear that your problem is resolved.

Regards

Karthik

PAT ASA 8.4(4)

Examples