08-20-2012 01:15 PM - edited 03-11-2019 04:44 PM
Hello everyone,
I am trying to set up a Cisco ASA 5510 running 8.2 to allow a connection to a Polycom camera that sits behind it. What I want to do is forward multiple ports to allow a connection from an outside office. The Polycom camera uses the following ports:
1720 tcp
3230-3235 tcp
3230-3253 udp
I got these port numbers from the Polycom web site. So what I did was create a service object as follows:
object-group service All-Polycom-ports
 service-object tcp range 3230 3235
 service-object tcp eq h323
 service-object udp range 3230 3253
My question is: how can I use this service object in a static (inside,outside) command so that I don't have to create multiple commands for the port forwarding? Is this even possible, or do I have to sit down and write out around 30 separate commands to do this? I've been searching the web and it seems a lot of people want to do this, but so far I haven't found an answer.
Any help or suggestions would be greatly appreciated and thanks in advance.
P.S. I'm no expert when it comes to the ASA
08-20-2012 04:18 PM
Hello,
For NAT on 8.2 you will need to do it one by one (so it will mean using a static one-to-one to make it easier).
Now beginning at 8.3 you can start using object-group for services that you could use to perform the NAT translation you are looking for.
Regards,
Julio
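The one-by-one 8.2 port forwarding described in the reply above can be generated rather than typed. This is an added example, not code from the thread or from Cisco: it parses the object-group from the question and emits one 8.2-style static PAT line per port. The `interface` mapped address and the camera address 192.0.2.10 are assumptions.

```python
import re

# Named port used on this page; the original post gives h323 as TCP 1720.
NAMED_PORTS = {"h323": 1720}

# The object-group from the question, reproduced as sample input.
OBJECT_GROUP = """\
object-group service All-Polycom-ports
 service-object tcp range 3230 3235
 service-object tcp eq h323
 service-object udp range 3230 3253
"""

LINE_RE = re.compile(r"\s*service-object (tcp|udp) (range|eq) (\S+)(?: (\S+))?\s*$")

def _port(token):
    """Resolve a numeric or named port token."""
    return int(token) if token.isdigit() else NAMED_PORTS[token]

def expand_service_objects(config):
    """Return sorted, de-duplicated (protocol, port) pairs from service-object lines."""
    pairs = set()
    for line in config.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # object-group header or unrelated line
        proto, op, first, last = m.groups()
        if op == "range" and last is None:
            raise ValueError(f"range needs two ports: {line.strip()}")
        lo = _port(first)
        hi = _port(last) if op == "range" else lo
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"bad port range: {line.strip()}")
        pairs.update((proto, p) for p in range(lo, hi + 1))
    return sorted(pairs)

def static_pat_commands(config, real_ip, mapped="interface"):
    """Emit one static PAT command per (protocol, port), same port on both sides."""
    return [
        f"static (inside,outside) {proto} {mapped} {port} {real_ip} {port} "
        "netmask 255.255.255.255"
        for proto, port in expand_service_objects(config)
    ]

if __name__ == "__main__":
    # 192.0.2.10 is a constructed placeholder for the camera's inside address.
    print("\n".join(static_pat_commands(OBJECT_GROUP, "192.0.2.10")))
```

The output is 31 commands for this group. The outside access-list still has to permit the same ports, and that is where the object-group can be referenced in a single line.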
08-20-2012 04:27 PM
Julio,
Thanks for the reply, although that's not what I wanted to hear.
Do you know why they would even allow you to create the service groups in 8.2 if you can't use them with NAT? Seems crazy but it is what it is. Thanks for your help.
Louis
08-20-2012 04:48 PM
Hello,
They created this because we can use it in the ACL configuration (just one line instead of a bunch of them).
Why not on the NAT? I do not know, but it sounds fair to me: if you want to NAT 1550 ports, as an example, why don't you NAT the whole IP address instead of just those ports?
Glad I could help,
Mark the question as answered if there is no other question I can answer for you,
Julio