How do you create a static NAT for a range of ports on an ASA 5510 with IOS 8.2

Sep 29th, 2010

How do you create a static NAT for a range of ports on an ASA 5510 with IOS 8.2?


I need to forward ports 10000-20000 for RTP for remote access to our VoIP system.


I found some articles but the commands are very outdated.

Collin Clark Wed, 09/29/2010 - 12:19

You can't in that version. You would have to do a 1-1 NAT. I believe 8.3 can so you may want to upgrade.


Hope it helps.

mundusrector Wed, 09/29/2010 - 12:28

Aww, the dreaded upgrade. That's going to break some things...

Collin Clark Wed, 09/29/2010 - 12:31

I've had pretty good luck with 8.3, but all of my firewalls that are running 8.3 are not doing any NAT. Looking at the config guide, the whole new NAT and ACL configuration looks a little weird to me.

mundusrector Wed, 09/29/2010 - 17:44

There has to be a way. I don't understand how Cisco could do that.

Nagaraja Thanthry Wed, 09/29/2010 - 18:27
Cisco Employee

Hello,


Unfortunately, Pre-8.3 code does not have a way of mapping multiple outside ports to corresponding inside ports in a single statement. However, if you upgrade to 8.3, it can map multiple outside ports (a range) to corresponding ports on the inside.


object service test
 service tcp source range 20 50

object network outside_ip
 host 64.1.1.1

object network inside_ip
 host 192.168.1.1

nat (inside,outside) source static inside_ip outside_ip service test test


If you want to do it on Pre-8.3 (8.2 and earlier), then either you need to use multiple statements or you need to map the entire IP (1-1 NAT).


Hope this helps.


Regards,


NT

Nagaraja Thanthry Wed, 09/29/2010 - 19:54
Cisco Employee

Hello,


If you have an unused public IP, then you can use the following template:


static (inside,outside) netmask 255.255.255.255


Then, you use access-list on the outside interface to allow specific ports (or port range).


access-list outside_access_in permit tcp any host range


access-group outside_access_in in interface outside


Hope this helps.


Regards,


NT
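
The two approaches described in this thread, filled in for the RTP range 10000-20000, as an added example that was not posted by any participant. The addresses 203.0.113.10 (unused public IP) and 192.168.1.10 (VoIP host) and the object names are assumed placeholders; UDP is used because RTP runs over UDP.

```cisco
! --- ASA 8.2 and earlier: 1-1 static NAT, exposure limited by the outside ACL ---
! Assumed placeholders: 203.0.113.10 = unused public IP, 192.168.1.10 = VoIP host
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255
! Pre-8.3 ACLs match the mapped (public) address
access-list outside_access_in extended permit udp any host 203.0.113.10 range 10000 20000
access-group outside_access_in in interface outside
!
! --- ASA 8.3 and later: translate only the port range ---
object service rtp_ports
 service udp source range 10000 20000
object network voip_public
 host 203.0.113.10
object network voip_inside
 host 192.168.1.10
nat (inside,outside) source static voip_inside voip_public service rtp_ports rtp_ports
! From 8.3 on, ACLs match the real (inside) address
access-list outside_access_in extended permit udp any host 192.168.1.10 range 10000 20000
access-group outside_access_in in interface outside
```

With the 1-1 static on 8.2, the whole host is translated, so the single permit line is the only thing limiting inbound reachability to the RTP range; everything else falls to the ACL's implicit deny.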
