ASA and multiple ports to one internal IP

Unanswered Question
Apr 2nd, 2008

Hello all,

I am hoping this is an easy one.

I know that I can port forward one at a time to an internal IP, but what I am wanting to do is forward ports 10000 through 20000 to an internal IP.

Call me crazy but it will get really boring/confusing/tiring to add 10000 PATs as opposed to one simple line that does them all.

So can someone give it to me straight, I promise I'll take it like a mature adult! :)

Overall Rating: 2 (2 ratings)
abinjola Wed, 04/02/2008 - 07:19
User Badges:
  • Cisco Employee,

Well, you can add a 1-1 static:

static (inside,outside) x.x.x.x y.y.y.y and open ports in Access-list

There is no way to do it via port forwarding.

cisco24x7 Wed, 04/02/2008 - 07:27
User Badges:
  • Silver, 250 points or more

Can it be done with Pix or ASA? No

Can it be done with Checkpoint or Juniper? Yes

dirkmelvin Wed, 04/02/2008 - 08:07

I only have one IP (and it is DHCP) from ISP.

So I only will be able to PAT and not NAT for my purposes.

I have one server that is WWW, FTP, and shoutcast, and a different server that is VoIP, and yet another server for a couple of other purposes. I need to be able to forward multiple ports to each machine; of course, the ports are different for each machine.

dirkmelvin Thu, 04/03/2008 - 10:39

Ok let's try a different approach...

On the ASA, I am getting a DHCP address from my ISP.

I need people on the outside world to be able to get FTP, WWW, SIP, etc. on various servers I have on the inside of my ASA.

Is there a way to say:

for all WWW (port 80 and 8080), FTP (port 21) traffic go to with just one line, or do I have to make a 'static' entry for each port?

As for my trixbox setup, it uses, of course, the SIP port, but from what I have read it also wants ports 10000 through 20000 opened. So can I have one line saying if you hit my outside IP on any port from 10000 to 20000 go to trixbox, or am I going to have to have 10000 lines for this purpose?


static (inside,outside) tcp interface 10000 10000 netmask

static (inside,outside) tcp interface 10001 10001 netmask

static (inside,outside) tcp interface 10002 10002 netmask

static (inside,outside) tcp interface 10003 10003 netmask

static (inside,outside) tcp interface 10004 10004 netmask

static (inside,outside) tcp interface 10005 10005 netmask

static (inside,outside) tcp interface 10006 10006 netmask

static (inside,outside) tcp interface 10007 10007 netmask

static (inside,outside) tcp interface 10008 10008 netmask

static (inside,outside) tcp interface 10009 10009 netmask

static (inside,outside) tcp interface 10010 10010 netmask

static (inside,outside) tcp interface 10011 10011 netmask
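An added example, not part of the thread or written by any of its posters: since the replies say the `static` port forward takes no range, this Python sketch generates the per-port lines in the form shown in the post above, plus a single access-list entry covering the whole range. The inside host `192.168.1.10`, the ACL name `outside_in`, the interface names and the host netmask are assumptions chosen for illustration.

```python
import ipaddress

NETMASK = "255.255.255.255"  # host mask; assumed, the thread's lines are cut off here


def _check_range(first_port, last_port):
    if not 1 <= first_port <= last_port <= 65535:
        raise ValueError("port range must satisfy 1 <= first <= last <= 65535")


def static_pat_lines(inside_ip, first_port, last_port, proto="tcp",
                     inside_if="inside", outside_if="outside"):
    """Return one interface-PAT 'static' line per port, same port on both sides."""
    host = ipaddress.IPv4Address(inside_ip)  # raises ValueError on a malformed address
    if proto not in ("tcp", "udp"):
        raise ValueError("proto must be 'tcp' or 'udp'")
    _check_range(first_port, last_port)
    return [
        f"static ({inside_if},{outside_if}) {proto} interface {port} "
        f"{host} {port} netmask {NETMASK}"
        for port in range(first_port, last_port + 1)
    ]


def acl_lines(acl_name, first_port, last_port, proto="tcp", outside_if="outside"):
    """Unlike the translations, the access list takes the whole range in one entry."""
    _check_range(first_port, last_port)
    return [
        f"access-list {acl_name} extended permit {proto} any "
        f"interface {outside_if} range {first_port} {last_port}",
        f"access-group {acl_name} in interface {outside_if}",
    ]


if __name__ == "__main__":
    # Constructed values: inside host and ACL name are placeholders.
    config = (static_pat_lines("192.168.1.10", 10000, 20000)
              + acl_lines("outside_in", 10000, 20000))
    print("\n".join(config))
```

Only the ports permitted by the access list are reachable from outside, so the range in `acl_lines` can be narrower than the range of translations.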

