10-04-2010 03:55 AM - edited 03-12-2019 06:00 PM
Hi,
I would like to NAT traffic arriving on my outside interface, for a range of TCP and UDP ports, with static NAT to the server residing on the inside interface.
The access rule and objects are created for it (snippet):
object-group service TCP-VIDEO-CONF tcp
 description TCP port enable for UC
 port-object range 2326 2373
 port-object range 1719 h323
object-group service UDP-VIDEO-CONF udp
 description UDP port enable for UC
 port-object range 5555 5599
object network video-conf-server
 host 10.10.100.20
access-list outside_remote_access_RDP extended permit tcp any object video-conf-server object-group TCP-VIDEO-CONF
access-list outside_remote_access_RDP extended permit udp any object video-conf-server object-group UDP-VIDEO-CONF
I found out it only lets me map one port per entry. Can't I just do the static NAT mapping for a range?
Or is there any possible way to NAT a range, using PAT?
Thanks,
NOEL
10-04-2010 05:44 AM
Hi,
You should be able to do NAT with a port range. For example, you can do the below:
object network test1
 host a.b.c.d
object network test2
 host w.x.y.z
object service ports
 service tcp source range A B
nat (inside,outside) source static test1 test2 service ports ports
So this maps a.b.c.d to w.x.y.z on the outside. Let me know if this helps!!
Thanks and Regards,
Prapanch
10-04-2010 06:53 PM
Hi sir, thanks for the reply,
object network test1
 host a.b.c.d <-- this can be my video-conf-server?
object network test2
 host w.x.y.z <-- I intend to use the outside interface; does that mean I need to create another new object for my outside interface?
object service ports
 service tcp source range A B
nat (inside,outside) source static test1 test2 service ports ports <-- this is working
So this maps a.b.c.d to w.x.y.z on the outside.
I highlighted my concerns in blue font. I did this config on my dummy device; at least now I can do NAT with a port range.
Meaning to say, if my port range is TCP 1719-1720, a user from the public Internet first reaches the outside interface, and the traffic will be translated to the dedicated server IP, on the matching port as well? (example: 1719 --> 1719, 1720 --> 1720)
Thanks
10-04-2010 07:03 PM
Hi,
Yes, even ports should be translated automatically. You should be able to confirm that by running a packet-tracer.
packet-tracer input outside tcp 4.2.2.2 1234 <outside-interface-ip> <port-in-range>
Also, to NAT to the interface IP address, you do not need to create an object. Instead, you will just need to modify the NAT command as below:
nat (inside,outside) source static test1 interface service ports ports