06-05-2015 08:57 AM - edited 03-11-2019 11:03 PM
I have an old PIX 506e that I am replacing with an ASA 5510, and I'm having some issues with the conversion statements. I have IP phones that come in from the outside world and get converted to an inside address and a port number ranging from 10021 to 10083. Each access-list and static NAT has one separate line for each port number, which makes it extremely bloated on top of confusing.
Here is what I have:
PIX -> access-list PHONES permit udp any any eq 10021
to
access-list PHONES permit udp any any eq 10083
static (inside,outside) udp interface 10021 10.10.1.4 10021 netmask 255.255.255.255 0 0
to
static (inside,outside) udp interface 10083 10.10.1.4 10083 netmask 255.255.255.255 0 0
What I would like to do is use ranges in network objects, if that is possible. Does anyone have an example, or a way that this can be done, that they would be willing to share with me? I need the object statement, the access-list statement and the NAT.
I think I can use this statement for the port numbers; please correct me if I'm wrong:
object service obj-IPphone-Ports
 service udp source range 10021 10083
Thanks
--Jon
06-05-2015 07:02 PM
Hi,
The Object seems to be correct. You can use this directly in the NAT statement and also in the ACL.
Thanks and Regards,
Vibhor Amrodia
06-08-2015 06:43 AM
Vibhor,
What about the access-list and NAT statements? Would the following be correct? This would condense it down from 100-plus statements to 2 if it is correct and usable.
IP-Phones is the inside address of the PBX switch I am routing it to.
access-list inside_out_in extended permit object obj-IPphone-Ports any object IP-Phones
nat (inside,outside) source static IP-Phones interface
access-group inside_out_in in interface outside
-Jon
06-08-2015 07:04 AM
Hi,
The NAT statement needs to change. You cannot use a one-to-one static NAT. Instead, you have to use port forwarding using the object:
nat (inside,outside) source static IP-Phones interface service obj-IPphone-Ports obj-IPphone-Ports
ACL is correct.
Thanks and Regards,
Vibhor Amrodia
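As an added worked example (not part of the thread and not a Cisco tool), the script below does the condensation Jon asked about mechanically: it parses the per-port PIX access-list and static lines, refuses to fold them if the ports are not one contiguous run, if the ACL and static port sets disagree, or if any static maps a mapped port to a different real port (an easy slip when pasting sixty-three near-identical lines, and one a single range object cannot express), and then emits the object, NAT and ACL statements in the form the accepted answer gives. The ASA 8.3+ convention that the interface ACL names the real (pre-NAT) address is followed. The object names, the ACL name outside_in and the sample PIX lines are assumptions.

```python
import re
from typing import List, Tuple

# Grammar of the two legacy PIX line styles quoted in the thread.
ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+permit\s+(?P<proto>udp|tcp)"
    r"\s+any\s+any\s+eq\s+(?P<port>\d+)\s*$"
)
STATIC_RE = re.compile(
    r"^static\s+\((?P<real_if>\w+),(?P<mapped_if>\w+)\)\s+(?P<proto>udp|tcp)"
    r"\s+interface\s+(?P<mapped_port>\d+)\s+(?P<real_ip>\d+(?:\.\d+){3})"
    r"\s+(?P<real_port>\d+)\s+netmask\s+255\.255\.255\.255"
)

# Constructed sample: three ports instead of the sixty-three in the question,
# written in the same style as the lines quoted in the thread.
SAMPLE_PIX = """\
access-list PHONES permit udp any any eq 10021
access-list PHONES permit udp any any eq 10022
access-list PHONES permit udp any any eq 10023
static (inside,outside) udp interface 10021 10.10.1.4 10021 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 10022 10.10.1.4 10022 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 10023 10.10.1.4 10023 netmask 255.255.255.255 0 0
"""

# Constructed static whose mapped port differs from the real port. A single
# range object can only express N -> N forwarding, so this must be rejected.
MISMAPPED_STATIC = (
    "static (inside,outside) udp interface 10083 10.10.1.4 10021 "
    "netmask 255.255.255.255 0 0"
)


def parse_pix(text: str) -> Tuple[List[dict], List[dict]]:
    """Split a PIX snippet into its per-port ACL entries and static PATs."""
    acls, statics = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if m := ACL_RE.match(line):
            acls.append(m.groupdict())
        elif m := STATIC_RE.match(line):
            statics.append(m.groupdict())
        else:
            raise ValueError(f"unrecognised line: {line}")
    return acls, statics


def contiguous_range(ports: List[int]) -> Tuple[int, int]:
    """Return (low, high) when the ports form one unbroken run, else raise."""
    ordered = sorted(set(ports))
    if not ordered or ordered[-1] - ordered[0] + 1 != len(ordered):
        raise ValueError(f"ports are not one contiguous range: {ordered}")
    return ordered[0], ordered[-1]


def asa_config(pix_text: str, net_obj: str = "IP-Phones",
               svc_obj: str = "obj-IPphone-Ports",
               acl_name: str = "outside_in") -> List[str]:
    """Emit the ASA 8.3+ object/NAT/ACL lines that replace the PIX snippet."""
    acls, statics = parse_pix(pix_text)
    if not statics:
        raise ValueError("no static statements found")
    # Every static must forward mapped port N to real port N; anything else
    # would be silently changed by collapsing into one range object.
    bad = [s for s in statics if s["mapped_port"] != s["real_port"]]
    if bad:
        raise ValueError("mapped/real port mismatch: " + "; ".join(
            f"{s['mapped_port']}->{s['real_port']}" for s in bad))
    real_ips = {s["real_ip"] for s in statics}
    protos = {s["proto"] for s in statics} | {a["proto"] for a in acls}
    ifaces = {(s["real_if"], s["mapped_if"]) for s in statics}
    if len(real_ips) != 1 or len(protos) != 1 or len(ifaces) != 1:
        raise ValueError("one object replaces statics for exactly one host, "
                         "protocol and interface pair")
    static_ports = sorted(int(s["mapped_port"]) for s in statics)
    acl_ports = sorted(int(a["port"]) for a in acls)
    if acl_ports != static_ports:
        raise ValueError(f"ACL ports {acl_ports} differ from static ports {static_ports}")
    lo, hi = contiguous_range(static_ports)
    real_ip, proto = real_ips.pop(), protos.pop()
    real_if, mapped_if = ifaces.pop()
    # Service object written as in the accepted answer: in the twice-NAT line
    # the "source" port is the real host's port, so the same object is given
    # for both the real and the mapped service.
    return [
        f"object network {net_obj}",
        f" host {real_ip}",
        f"object service {svc_obj}",
        f" service {proto} source range {lo} {hi}",
        f"nat ({real_if},{mapped_if}) source static {net_obj} interface "
        f"service {svc_obj} {svc_obj}",
        # ASA 8.3+ interface ACLs reference the real (pre-NAT) address.
        f"access-list {acl_name} extended permit object {svc_obj} any object {net_obj}",
        f"access-group {acl_name} in interface {mapped_if}",
    ]


if __name__ == "__main__":
    print("\n".join(asa_config(SAMPLE_PIX)))
```

Run it against a paste of the real sixty-three-line block and it either prints the seven replacement lines or names the exact port that would have changed behaviour; the mismatch and contiguity checks are the point, since the ASA will happily accept a range object that no longer matches what the PIX was doing.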
06-08-2015 07:12 AM
Thank you Vibhor.