09-18-2017 02:01 AM - edited 03-08-2019 12:04 PM
Hi There,
I am running a Cisco ASA 5512-x version 9.4
Is there a way to port-forward a bunch of ports from a specific external IP address to one of my internal IP addresses?
What I currently have is a lot of network objects, all with the same host, each with its own NAT configuration.
As you will see below, it is quite cumbersome.
What I am trying to achieve is for our SIP service to access our network on a different external IP address:
internal phone server: 192.168.10.10
Our External: 1.1.1.1
External Provider: 3.3.3.3
external Phone IP: 2.2.2.2 (a company that also manages the phone system)
and we will be having some IP phones access the phone server from the internet.
Therefore we would need lots of ports open, and a few ranges.
I have only found a way to open one port at a time, and one of the ranges is over 1000 ports long.
object network PhoneServer8085
 host 192.168.0.10
 nat (inside,outside) static 1.1.1.1 service tcp 80 8085
object network PhoneServer20001
 host 192.168.0.10
 nat (inside,outside) static 1.1.1.1 service tcp 20001 20001
object network PhoneServer20002
 host 192.168.0.10
 nat (inside,outside) static 1.1.1.1 service tcp 20002 20002
object network PhoneServer20003
 host 192.168.0.10
 nat (inside,outside) static 1.1.1.1 service tcp 20003 20003
object network PhoneServer20005
 host 192.168.0.10
 nat (inside,outside) static 1.1.1.1 service tcp 20005 20005
object network PhoneServer20006
 host 192.168.0.10
 nat (inside,outside) static 1.1.1.1 service tcp 20006 20006
object network PhoneServer5432
 host 192.168.0.10
 nat (inside,outside) static 1.1.1.1 service tcp 5432 5432
object network PhoneServer506020200
 host 192.168.0.10
 nat (inside,outside) static 1.1.1.1 service udp 20200 5060
object network PhoneServer20200
 host 192.168.0.10
 nat (inside,outside) static 1.1.1.1 service udp 20200 20200
object network PhoneServer449
 host 192.168.0.10
 nat (inside,outside) static 1.1.1.1 service tcp 449 449
object network PhoneServer
 host 192.168.0.10
object network PhoneServer20200tcp
 host 192.168.0.10
 nat (inside,outside) static 1.1.1.1 service tcp 20200 20200
object network PhoneServer52002
 host 192.168.0.10
 nat (inside,outside) static 1.1.1.1 service udp 52002 52002
object network PhoneServer52003
 host 192.168.0.10
 nat (inside,outside) static 1.1.1.1 service udp 52003 52003
object network PhoneServer52004
 host 192.168.0.10
 nat (inside,outside) static 1.1.1.1 service udp 52004 52004
object network PhoneServer52005
 host 192.168.0.10
 nat (inside,outside) static 1.1.1.1 service udp 52005 52005
access-list outside_in extended permit tcp 2.2.2.2 255.255.255.255 object PhoneServer449
access-list outside_in extended permit tcp 2.2.2.2 255.255.255.255 object PhoneServer8085
access-list outside_in extended permit tcp 2.2.2.2 255.255.255.255 object PhoneServer20001
access-list outside_in extended permit tcp 2.2.2.2 255.255.255.255 object PhoneServer20002
access-list outside_in extended permit tcp 2.2.2.2 255.255.255.255 object PhoneServer20003
access-list outside_in extended permit tcp 2.2.2.2 255.255.255.255 object PhoneServer20005
access-list outside_in extended permit tcp 2.2.2.2 255.255.255.255 object PhoneServer20006
access-list outside_in extended permit tcp 2.2.2.2 255.255.255.255 object PhoneServer5432
access-list outside_in extended permit udp 3.3.3.3 255.255.255.255 object PhoneServer506020200
access-list outside_in extended permit udp 3.3.3.3 255.255.255.255 object PhoneServer20200
access-list outside_in extended permit udp 2.2.2.2 255.255.255.255 object PhoneServer range 52000 53024
access-list outside_in extended permit udp 2.2.2.2 255.255.255.255 object PhoneServer eq 5060
access-list outside_in extended permit tcp 2.2.2.2 255.255.255.255 object PhoneServer20200tcp
access-list outside_in extended permit udp 2.2.2.2 255.255.255.255 object PhoneServer52002
access-list outside_in extended permit udp 2.2.2.2 255.255.255.255 object PhoneServer52003
access-list outside_in extended permit udp 2.2.2.2 255.255.255.255 object PhoneServer52004
access-list outside_in extended permit udp 2.2.2.2 255.255.255.255 object PhoneServer52005
Any help would be appreciated.
Thanks,
-Tim
09-18-2017 04:24 AM - edited 09-18-2017 04:39 AM
Hi,
The following link could be useful.
https://www.petenetlive.com/KB/Article/0001111
Or try the following:
object network PUBLIC
 host 1.1.1.1
object service TEST-VOICE
 service tcp source range 20000 65535 destination range 20000 65535
object network VOICE-SERVER
 host 192.168.0.10
nat (INSIDE,OUTSIDE) source static VOICE-SERVER PUBLIC service TEST-VOICE TEST-VOICE
For the ACLs you could use something like:
object-group service TEST tcp-udp
 port-object eq www
 port-object eq 5021
 port-object range 20005 20006
 port-object eq 5432
Hope it is useful
:-)
09-18-2017 08:21 AM
Hi Julio,
Thanks for your response. The other issue is that we have multiple external IP addresses, and these ports will need to be present not on my outbound IP, but on this other IP...
i.e.: normal outbound: 7.7.7.7
external phone server IP: 7.7.7.8
So anything on port 52007 hitting 7.7.7.8 goes to the internal server on the same port.
And also the same internal server needs to send as this same IP 7.7.7.8 and not the normal external IP address.
From what I can see in your example, there is no way of specifying the external IP address.
Does that make sense?
Thanks,
-Tim
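The configuration below is an added example, not from any post in this thread, showing the approach Julio points at (one object for the server, object-groups for the ports, one ACL line per source/port set) applied to the second-address requirement in Tim's follow-up. It assumes: the phone server is 192.168.0.10 as in the posted objects (the prose says 192.168.10.10); the dedicated public address is 7.7.7.8 and 7.7.7.7 is the outside interface address; the interfaces are named inside and outside; the LAN is 192.168.0.0/24; the server listens externally on the same port numbers it listens on internally, so the 80->8085 and 20200->5060 remaps in the posted objects are deliberately not reproduced; and the unmanaged IP phones on the internet only need SIP and RTP, which are therefore the only ports opened to any source.

```text
! Added example for ASA 9.x; names, addresses and port assignments are assumptions, see lead-in.

! Everything else on the LAN keeps using the interface address (7.7.7.7) via dynamic PAT.
object network LAN
 subnet 192.168.0.0 255.255.255.0
 nat (inside,outside) dynamic interface

! One object and one static 1:1 translation for the phone server. Object static NAT is
! bidirectional and is ordered before dynamic rules, so inbound to 7.7.7.8 reaches
! 192.168.0.10 and the server's own outbound traffic is sourced from 7.7.7.8, not 7.7.7.7.
object network PHONE-SERVER
 host 192.168.0.10
 description PBX, static to 7.7.7.8, exposed ports are controlled by outside_in
 nat (inside,outside) static 7.7.7.8

! Who may reach it. Keep the management and provider sources separate so each gets
! only the ports it needs.
object-group network PHONE-MGMT-VENDOR
 network-object host 2.2.2.2
object-group network SIP-PROVIDER
 network-object host 3.3.3.3

! Port sets. On ASA 8.3 and later the interface ACL matches the real (untranslated)
! address and ports, so these are the ports the server actually listens on.
object-group service PHONE-MGMT-TCP tcp
 port-object eq 449
 port-object eq 5432
 port-object eq 8085
 port-object range 20001 20003
 port-object range 20005 20006
 port-object eq 20200
object-group service SIP-UDP udp
 port-object eq 5060
 port-object eq 20200
object-group service RTP-UDP udp
 port-object range 52000 53024

! One line per (source set, protocol, port set) instead of one per port.
access-list outside_in extended permit tcp object-group PHONE-MGMT-VENDOR object PHONE-SERVER object-group PHONE-MGMT-TCP
access-list outside_in extended permit udp object-group PHONE-MGMT-VENDOR object PHONE-SERVER object-group SIP-UDP
access-list outside_in extended permit udp object-group PHONE-MGMT-VENDOR object PHONE-SERVER object-group RTP-UDP
access-list outside_in extended permit udp object-group SIP-PROVIDER object PHONE-SERVER object-group SIP-UDP
! Remote IP phones arrive from unknown addresses, so only SIP signalling and RTP media
! are open to any; the TCP management ports stay limited to the vendor.
access-list outside_in extended permit udp any object PHONE-SERVER object-group SIP-UDP
access-list outside_in extended permit udp any object PHONE-SERVER object-group RTP-UDP
access-group outside_in in interface outside
```

Two things to check after applying it: `show nat detail` should list the PHONE-SERVER static above the LAN dynamic rule, and `packet-tracer input outside udp 203.0.113.5 40000 7.7.7.8 5060` should show the packet translated to 192.168.0.10 and allowed by outside_in, while the same command with destination port 449 should be dropped by the ACL. 7.7.7.8 has to be in the outside interface subnet (the ASA answers ARP for it) or routed to the ASA by the upstream router. The trade-off of the 1:1 static is that it translates every port, so the outside ACL is the only thing limiting exposure; if you would rather have the translation itself limited to the required ports, use twice NAT with a service object, which unlike object NAT accepts a range, e.g. `object service RTP-RANGE` with `service udp source range 52000 53024` and `nat (inside,outside) source static PHONE-SERVER PHONE-SERVER-PUBLIC service RTP-RANGE RTP-RANGE`, one such line per port set, with PHONE-SERVER-PUBLIC being a network object for 7.7.7.8.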