How to port forward multiple ports?

NMBowser · ‎03-08-2021

I have an ASA 5505 and I need to port forward multiple outisde ports to an inside host. I usually do a port forward to a single port with the following, as an example for external access to cameras via cli:

object network CAM_8000
host x.x.x.200 (IP of NVR)
nat (inside,outside) static interface service tcp 8000 8000
access-list outside-in extended permit tcp any host x.x.x.200 eq 8000

So is there a way to port forward multiple ports to one single host? I have about 500 ports I need to port-forward to an internal device, whether it be via ASDM or CLI. Thank you in advance.

balaji.bandi · ‎03-08-2021

here is example : i did for 8000 and 8001, you change the port as per requirement.,

object network in-8000
host x.x.x.200
nat (inside,outside) static x.x.x.x service tcp 8000 8000 ( x.x.x.x external IP or interface )
!
object network in-8001
host x.x.x.200
nat (inside,outside) static x.x.x.x service tcp 8001 8001

access-list outside-in permit tcp any host x.x.x.200 eq 8000
access-list outside-in permit tcp any host x.x.x.200 eq 8001

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

NMBowser · ‎03-08-2021

What I am asking is if there is a more efficient way to do this? I have to port forward about 500 ports so this would take a very long time.

balaji.bandi · ‎03-08-2021

There is no other way, you need to add Manually those rules (by grouping them)

Not sure if we understand the requirement, PBX need to register? you need only 1 port for an external device to register?

It is for our PBX. We need to send out some phones to register to a PBX at a remote location, so we want them to go to our public IP and have those ports forwarded to the PBX for registration and call connection.

explain more to understand better

as per my knowledge, you need 5060/5061 for registration and media ports? is the PBX inside or devices?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

NMBowser · ‎03-08-2021

Thanks for the reply. From what I understand, the phones need to register to the PBX and use a range of RTP ports in order to connect calls and such and those ports are selected randomly from that port range. Am I mistaken?

balaji.bandi · ‎03-08-2021

Those are high range ports you can use to allow high range port using the port range.

object network PBX-Server

host x.x.x.100

!

object service PBX-Ports

service tcp destination range 8000 80001

!

nat (outside,inside) source static any any destination static interface PBX-Server service PBX-Ports PBX-Ports

!

access-list inbound extended permit tcp any host x.x.x.100 range 8000 8001

access-group inbound in interface outside

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

paul driver · ‎03-08-2021

Hello
what single host on your network can be open for 500 ports!- apart from being quite unusual it quite dangerous from a security perspective?

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

NMBowser · ‎03-08-2021

You'll have to excuse me as I'm pretty new to this whole thing. It is for our PBX. We need to send out some phones to register to a PBX at a remote location, so we want them to go to our public IP and have those ports forwarded to the PBX for registration and call connection.