How do you create a static NAT for a range of ports on a ASA 5510 with IOS 8.2

Unanswered Question
Sep 29th, 2010

How do you create a static NAT for a range of ports on a ASA 5510 with IOS 8.2?

I need to forward ports 10000-20000 for RTP for remote access to our VoIP system.

I found some articles but the commands are very outdated.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Collin Clark Wed, 09/29/2010 - 12:19

You can't in that version. You would have to do a 1-1 NAT. I believe 8.3 can so you may want to upgrade.

Hope it helps.

Collin Clark Wed, 09/29/2010 - 12:31

I've had pretty good luck with 8.3, but all of my firewalls that are running 8.3 are not doing any NAT. Looking at the config guide, the

whole new NAT and ACL configuration looks a little weird to me.

Nagaraja Thanthry Wed, 09/29/2010 - 18:27


Unfortunately, Pre-8.3 code does not have a way of mapping multiple outside ports to corresponding inside ports in a single statement. However, if you upgrade to 8.3, it can map multiple outside ports (a range) to corresponding ports on the inside.

object service test

service tcp source range 20 50

object network outside_ip


object network inside_ip


nat (inside,outside) source static inside_ip outside_ip service test test

If you want to do it on Pre-8.3 (8.2 and earlier), then either you need to use multiple statements or you need to map the entire IP (1-1 NAT).

Hope this helps.



Nagaraja Thanthry Wed, 09/29/2010 - 19:54


If you have an unused public IP, then you can use the following template:

static (inside,outside) netmask

Then, you use access-list on the outside interface to allow specific ports (or port range).

access-list outside_access_in permit tcp any host range

access-group outside_access_in in interface outside

Hope this helps.




This Discussion