Static (inside,outside) with port range

parsonsproject2
Level 1

Anything coming in on these ports should be redirected to 10.10.10.12, NAT Ip is 60.60.60.152. ASA 7.2 code.

object-group service voip udp
port-object range 5060 5090
port-object range 10000 20000
port-object range 8000 8200

I can see how to do this with single ports, ie:

static (inside,outside) udp 60.60.60.152 5060 10.10.10.12 5060
static (inside,outside) udp 60.60.60.152 10000 10.10.10.12 10000
static (inside,outside) udp 60.60.60.152 8000 10.10.10.12 8000

But it won't let me do a range of ports, or use an object group with that static command. Is this correct for trying to accomplish that?

! Create ACL for static NAT
access-list acl_voip extended permit udp any host 60.60.60.152 object-group voip
access-list acl_voip extended permit udp host 10.10.10.12 any object-group voip

! Static NAT
static (vlan106,outside) 60.60.60.152 access-list acl_voip

! Add rule to allow traffic
access-list in_int_outside extended permit udp any host 60.60.60.152 object-group voip

Thanks,
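As an added illustration of why the single-port form above does not scale to the voip object-group (this is example code written for this thread, not anything posted here or from Cisco), the following Python parses the object-group as it appears in the question and expands it into one static PAT line per port; the interface names and addresses are taken from the question, and support for the port-object eq form is an assumption beyond what the thread shows:

```python
import re

# Constructed sample: the object-group from the question, as "show run" would print it.
OBJECT_GROUP = """\
object-group service voip udp
 port-object range 5060 5090
 port-object range 10000 20000
 port-object range 8000 8200
"""

# Matches "port-object eq <port>" and "port-object range <lo> <hi>".
PORT_OBJECT_RE = re.compile(r"^\s*port-object\s+(eq|range)\s+(\d+)(?:\s+(\d+))?\s*$")


def parse_port_objects(config_text):
    """Return the set of ports covered by every port-object line in the block."""
    ports = set()
    for line in config_text.splitlines():
        m = PORT_OBJECT_RE.match(line)
        if not m:
            continue  # the object-group header and anything else is skipped
        kind, lo, hi = m.group(1), int(m.group(2)), m.group(3)
        if kind == "eq":
            ports.add(lo)
        else:
            ports.update(range(lo, int(hi) + 1))  # ASA ranges are inclusive
    return ports


def expand_static_pat(config_text, real_ifc, mapped_ifc, mapped_ip, real_ip, proto="udp"):
    """Emit one 'static' per port, i.e. the single-port form from the question, for the whole group."""
    return [
        f"static ({real_ifc},{mapped_ifc}) {proto} {mapped_ip} {port} {real_ip} {port}"
        for port in sorted(parse_port_objects(config_text))
    ]


if __name__ == "__main__":
    lines = expand_static_pat(OBJECT_GROUP, "inside", "outside", "60.60.60.152", "10.10.10.12")
    print(f"{len(lines)} static statements would be needed, e.g.:")
    print(lines[0])
```

Running it shows that covering the three ranges one port at a time needs over ten thousand static statements, which is why the thread looks for a range or policy-based form instead.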

3 Replies

manish arora
Level 6

I think you are better off using one-to-one NAT in this scenario; I don't think that you can do a port range in port redirection NAT. So, if the 60.60.60.152 IP address is not being used by the interface or any other NAT statement, then just the following commands will do it :-

object-group service voip udp
port-object range 5060 5090
port-object range 10000 20000
port-object range 8000 8200

static (vlan106,outside) 60.60.60.152 10.10.10.12 netmask 255.255.255.255

access-list in_int_outside extended permit udp any host 60.60.60.152 object-group voip

Manish

Thanks for the reply; yes, unfortunately that address is already used in another static NAT.

I know there is syntax for static (inside,outside) x.x.x.x access-list acl_xyz, I'm just not sure if that can be used to redirect a group of ports to an inside host.

NAT with an access-list is more for policy-based NAT, but I still don't think there is a way of using a port range in static PAT. I don't have access to any test ASA as of right now, but I would like to try :-

static (inside,outside) udp 60.x.x.x 0 10.10.x.x 0

and see if it can translate all UDP packets coming on that public ip to the inside address.

But then again, I have never used this and am not sure, so please use a test device for this.

Manish
