Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
356
Views
0
Helpful
4
Replies

PIX 506 to ASA conversion

Go to solution
JonRM1970
Level 1
Level 1

‎06-05-2015 08:57 AM - edited ‎03-11-2019 11:03 PM

I have an old PIX 506e that I am replacing out with an ASA5510, and I'm having some issues on the conversion statements.  I have IP Phones that come in from the outside world and get converted to an inside address and a port number ranging from 10021 - 10083. Each access-list and Static nat has one separate line for each port number which makes it extremely bloaty on top of confusing.

 

 

Here is what I have:

 PIX -> access-list PHONES permit udp any any eq 10021

                                    to

            access-list PHONES permit udp any any eq 10083

 

            static (inside,outside) upd interface 10021 10.10.1.4 10021 netmask 255.255.255.255 0 0

                                     to

            static (inside,outside) upd interface 10083 10.10.1.4 10021 netmask 255.255.255.255 0 0

 

 

What I would like to do is use ranges in network objects if it is possible:  Does anyone have an example or a way that this can be done that they would be willing to share with me? I need the object statement, Access-list statement and the NAT.

I think I can use this statement for the port numbers, please correct if wrong:

      object service obj-IPphone-Ports
        service upd source range 10021 10083

 

 

 

Thanks

--Jon

 

 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Vibhor Amrodia
Cisco Employee
Cisco Employee
In response to JonRM1970

‎06-08-2015 07:04 AM

Hi ,

The NAT statement needs to change. You cannot use a One-One Static NAT. Instead , you have to use Port Forwarding using the object:-

nat (inside,outside) source static IP-Phones interface service obj-IPphone-Ports obj-IPphone-Ports

ACL is correct.

Thanks and Regards,

Vibhor Amrodia

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Vibhor Amrodia
Cisco Employee
Cisco Employee

‎06-05-2015 07:02 PM

Hi,

The Object seems to be correct. You can use this directly in the NAT statement and also in the ACL.

Thanks and Regards,

Vibhor Amrodia

0 Helpful

Go to solution
JonRM1970
Level 1
Level 1
In response to Vibhor Amrodia

‎06-08-2015 06:43 AM

Vibhor,

 What about the Access-list and NAT statements? would the following be correct? This would condence it down from 100 plus statements down to 2 if it is correct and usable.

The IP-Phones is the inside address of the PBX switch I am routing it to.

 

access-list inside_out_in permit object obj-IPphone-Ports any IP-Phones

nat (inside,outside) source static IP-Phones interface

access-group inside_out_in in interface outside

 

-Jon

 

0 Helpful

Go to solution
Vibhor Amrodia
Cisco Employee
Cisco Employee
In response to JonRM1970

‎06-08-2015 07:04 AM

Hi ,

The NAT statement needs to change. You cannot use a One-One Static NAT. Instead , you have to use Port Forwarding using the object:-

nat (inside,outside) source static IP-Phones interface service obj-IPphone-Ports obj-IPphone-Ports

ACL is correct.

Thanks and Regards,

Vibhor Amrodia

0 Helpful

Go to solution
JonRM1970
Level 1
Level 1
In response to Vibhor Amrodia

‎06-08-2015 07:12 AM

Thank you Vibhor.

 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card