ASDM 8.3 Natting with range of port number

yong khang NG
Level 5

Hi,

I would like to do NAT to allow traffic from my outside interface, for a range of TCP and UDP ports, and be able to perform static NAT to the server residing on the inside interface.

The access rule and objects are created for it (snippet):

object-group service TCP-VIDEO-CONF tcp
 description TCP port enable for UC
 port-object range 2326 2373
 port-object range 1719 h323

object-group service UDP-VIDEO-CONF udp
 description UDP port enable for UC
 port-object range 5555 5599

object network video-conf-server
 host 10.10.100.20

access-list outside_remote_access_RDP extended permit tcp any object video-conf-server TCP-VIDEO-CONF
access-list outside_remote_access_RDP extended permit udp any object video-conf-server UDP-VIDEO-CONF


I found out it only lets me map one port per entry. Can't I just do the static NAT mapping for a range?

Or is there any possible way to NAT a range, using PAT?

Thanks

NOEL


praprama
Cisco Employee

Hi,

You should be able to do NAT with a port range. For example, you can do the below:

object network test1
 host a.b.c.d
object network test2
 host w.x.y.z
object service ports
 service tcp source range A B

nat (inside,outside) source static test1 test2 service ports ports

So this maps a.b.c.d to w.x.y.z on the outside. Let me know if this helps!

Thanks and Regards,

Prapanch

Hi sir, thanks for the reply.

object network test1
 host a.b.c.d   <-- this can be my video-conf-server?
object network test2
 host w.x.y.z   <-- I intend to use the outside interface, meaning I am going to create another new object for my outside interface?
object service ports
 service tcp source range A B

nat (inside,outside) source static test1 test2 service ports ports   <-- this is working

So this maps a.b.c.d to w.x.y.z on the outside.

I highlighted my concerns in blue font. I did this config on my dummy device, and at least now I can do NAT with a port range.

Meaning to say, if my port range is TCP 1719-1720, a user from the public internet first reaches the outside interface, and the traffic will xlate to the dedicated server IP, according to the dedicated port as well? (example: 1719 --> 1719, 1720 --> 1720)

Thanks

Hi,

Yes, even the ports should be translated automatically. You should be able to confirm that by running a packet-tracer.

packet-tracer input outside tcp 4.2.2.2 1234 w.x.y.z 1719 detail

Also, to NAT to the interface IP address, you do not need to create an object. Instead, you will just need to modify the NAT command as below:

nat (inside,outside) source static test1 interface service ports ports
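
Applying the replies above to the port ranges from the original question, as an added example that is not part of any post in the thread: a `service` object holds one protocol and one port range, and twice NAT takes service objects rather than an `object-group service`, so each range gets its own object and its own `nat` line. The service object names and `<outside-if-ip>` are placeholders chosen for this example.

```cisco
! Real server, as defined in the question
object network video-conf-server
 host 10.10.100.20
!
! One service object per protocol and range (names are hypothetical).
! "source" is used because in an (inside,outside) source static rule
! the server's listening port is the source port on the real side.
object service VC-TCP-2326-2373
 service tcp source range 2326 2373
object service VC-TCP-1719-1720
 service tcp source range 1719 1720
object service VC-UDP-5555-5599
 service udp source range 5555 5599
!
! Same object as real and mapped service: port N on the outside
! interface maps to port N on the server (1719 -> 1719, 1720 -> 1720).
nat (inside,outside) source static video-conf-server interface service VC-TCP-2326-2373 VC-TCP-2326-2373
nat (inside,outside) source static video-conf-server interface service VC-TCP-1719-1720 VC-TCP-1719-1720
nat (inside,outside) source static video-conf-server interface service VC-UDP-5555-5599 VC-UDP-5555-5599
!
! On 8.3 and later the outside ACL matches the real (untranslated)
! address, so the entries in the question that permit traffic to
! video-conf-server stay as posted.
!
! Verification: one packet-tracer per range, then the rule hit counts.
! 4.2.2.2 and 1234 are the sample source used in the reply above;
! <outside-if-ip> is a placeholder for the outside interface address.
packet-tracer input outside tcp 4.2.2.2 1234 <outside-if-ip> 2326 detailed
packet-tracer input outside tcp 4.2.2.2 1234 <outside-if-ip> 1720 detailed
packet-tracer input outside udp 4.2.2.2 1234 <outside-if-ip> 5555 detailed
show nat detail
```

Running packet-tracer against a port outside the three ranges should show no match on these NAT rules, which confirms that only the intended ports are exposed.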
