ASA 5505 forward range of ports

Unanswered Question
Jan 25th, 2010


I need to forward 10000 UDP ports to an inside host. I only have 1 address outside, so I can't use NAT and an access list.

How can I accomplish that without typing the static command 10000 times?


Panos Kampanakis Mon, 01/25/2010 - 14:28

There is no other way to do it.

1-1 PAT is your only option.

The reason is that the ASA will not be able to guess what ports to dynamically PAT and what to keep intact.

I hope it makes sense.


Kureli Sankar Mon, 01/25/2010 - 18:23

You are correct, you need to add 10,000 static PAT lines.

You can use a script to create them and then TFTP the file to the firewall.

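A generator for those lines, added here as an example and not code from either poster. It assumes the pre-8.3 `static (real,mapped) udp interface ...` syntax, interfaces named inside and outside, that the single outside address is the interface address, and a placeholder inside host and port range.

```python
# Added example: build the 10,000 static PAT lines discussed in this thread
# as a text file to TFTP to the ASA. Assumptions (not from the thread):
# pre-8.3 "static" syntax, interfaces named inside/outside, the one outside
# address is the interface address, placeholder host and port range below.

INSIDE_HOST = "192.168.1.10"   # placeholder inside host
FIRST_PORT = 10000             # placeholder first UDP port of the range
LAST_PORT = 19999              # placeholder last UDP port (10,000 ports)


def static_pat_line(port: int, inside_host: str = INSIDE_HOST,
                    real_ifc: str = "inside", mapped_ifc: str = "outside") -> str:
    """One static PAT line: outside-interface UDP <port> -> inside_host:<port>."""
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return (f"static ({real_ifc},{mapped_ifc}) udp interface {port} "
            f"{inside_host} {port} netmask 255.255.255.255")


def build_config(first: int, last: int, inside_host: str = INSIDE_HOST) -> list[str]:
    """Return every static line for the inclusive port range first..last."""
    if first > last:
        raise ValueError("first port must not exceed last port")
    return [static_pat_line(p, inside_host) for p in range(first, last + 1)]


def write_config(path: str, lines: list[str]) -> int:
    """Write the lines as a plain text file for TFTP; return the byte count."""
    data = "\n".join(lines) + "\n"
    with open(path, "w", encoding="ascii") as fh:
        fh.write(data)
    return len(data)


if __name__ == "__main__":
    cfg = build_config(FIRST_PORT, LAST_PORT)
    size = write_config("static-pat.txt", cfg)
    # The byte count is worth checking against the flash space left for configs.
    print(f"{len(cfg)} lines, {size} bytes")
```

Running it shows the resulting file is under 1 MB, which is the figure to compare with the remaining flash space before copying it to the firewall.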

walank2004 Mon, 01/25/2010 - 18:48

OK - it's not a problem to use a text processor and prepare 10000 commands, but HOW would that affect the performance of the ASA?

Kureli Sankar Mon, 01/25/2010 - 19:55

Good question.

"The max config size is limited by the size of flash. The 525 and 535 have a 16 MB Flash card. The 7.2 image is 8.2 MB. The ASDM image is 5.5 MB. This leaves a little over 2 megs for all configs. This includes system and all context configs.

The ASA has an internal and external compact flash slot, so your config sizes can be much larger."

We have seen CPU spike issues with larger config files (about 3 MB). These were due to huge ACEs and not the static lines that you are talking about, so you should be fine. Good luck.


