New Member

ASA 5510 IOS: 9.0.3: Creating a group object and PAT range

 

Hi, I need to add multiple entries of the following on a 5510 running asa903-k8.bin and ASDM-716.bin:

object network Mitel5000-01
 host 10.2.254.111
object network Mitel5000-02
 host 10.2.254.111
object network Mitel5000-03
 host 10.2.254.111
object network Mitel5000-04
 host 10.2.254.111
object network Mitel5000-05
 host 10.2.254.111

 

 nat (Inside,Outside) static interface service udp 6031 6031
object network Mitel5000-01
 nat (Inside,Outside) static interface service udp 6032 6032
object network Mitel5000-02
 nat (Inside,Outside) static interface service udp 6033 6033
object network Mitel5000-03
 nat (Inside,Outside) static interface service udp 6034 6034
object network Mitel5000-04
 nat (Inside,Outside) static interface service udp 6035 6035
object network Mitel5000-05
 nat (Inside,Outside) static interface service udp 6036 6036
object network Mitel5000-06
 nat (Inside,Outside) static interface service udp 6037 6037

access-list inbound extended permit udp any4 object Mitel5000 eq 5004
access-list inbound extended permit udp any4 object Mitel5000 eq 5005
access-list inbound extended permit udp any4 object Mitel5000 eq 5006
access-list inbound extended permit udp any4 object Mitel5000 eq 5007
access-list inbound extended permit udp any4 object Mitel5000 eq 50098

 

Is there a way where I could just put a range in for all three of the configs? I am completely new and would love some help.

 

Thanks.

VIP Green

It is possible to group the NAT statements into two statements.

access-list inbound extended permit udp any4 object Mitel5000 range 5004 5007
access-list inbound extended permit udp any4 object Mitel5000 eq 50098

object network Mitel5000-HOST
  host 10.2.254.111

object service Mitel-Ports1
  service udp destination range 5004 5007
object service Mitel-Ports2
  service udp destination eq 50098

nat (inside,outside) source static Mitel5000 interface service Mitel-Ports1 Mitel-Ports1

nat (inside,outside) source static Mitel5000 interface service Mitel-Ports2 Mitel-Ports2

--

Please remember to select a correct answer and rate helpful posts

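As an added example (not code from the thread or from Cisco), here is the consolidation the reply above describes, done as a small Python helper: it merges a list of ports into contiguous ranges and emits the service objects, twice-NAT rules and outside ACL lines for one inside host. Object NAT (`nat (Inside,Outside) static interface service udp 6031 6031` under an `object network`) takes one real/mapped port pair per rule, which is why a whole range needs the twice-NAT form with service objects. Host, object and interface names are the thread's; `merge_ports`, `asa_port_forward` and the `port_keyword` parameter are my own.

```python
"""Collapse a list of ports into contiguous ranges and emit the ASA 9.x
twice-NAT configuration for one inside host, instead of one object-NAT
rule per port.

Added example, not code from the thread.  Object, host and interface
names come from the thread; the helper names are assumptions of this
example."""

from typing import Iterable, List, Tuple

Range = Tuple[int, int]


def merge_ports(ports: Iterable[int]) -> List[Range]:
    """[5004, 5005, 5006, 5007, 50098] -> [(5004, 5007), (50098, 50098)]"""
    ranges: List[Range] = []
    for p in sorted(set(ports)):          # de-duplicate, then walk in order
        if not 1 <= p <= 65535:
            raise ValueError(f"port out of range: {p}")
        if ranges and p == ranges[-1][1] + 1:
            ranges[-1] = (ranges[-1][0], p)   # extend the current run
        else:
            ranges.append((p, p))             # start a new run
    return ranges


def port_spec(lo: int, hi: int) -> str:
    """ACL / service-object port operator: 'eq N' for one port, else 'range A B'."""
    return f"eq {lo}" if lo == hi else f"range {lo} {hi}"


def asa_port_forward(host_obj: str, host_ip: str, proto: str, ports: Iterable[int],
                     prefix: str = "Mitel-Ports", real_ifc: str = "Inside",
                     mapped_ifc: str = "Outside", acl: str = "inbound",
                     port_keyword: str = "destination") -> List[str]:
    """Return the config lines: network object, one service object per range,
    one twice-NAT rule per range (same object as real and mapped service, so
    no port rewrite), and one ACL entry per range against the real address."""
    ranges = merge_ports(ports)
    lines = [f"object network {host_obj}", f" host {host_ip}"]
    for i, (lo, hi) in enumerate(ranges, 1):
        lines += [f"object service {prefix}{i}",
                  f" service {proto} {port_keyword} {port_spec(lo, hi)}"]
    for i in range(1, len(ranges) + 1):
        lines.append(f"nat ({real_ifc},{mapped_ifc}) source static {host_obj} interface "
                     f"service {prefix}{i} {prefix}{i}")
    for lo, hi in ranges:
        # ASA 8.3+ ACLs on the outside interface match the real (untranslated) address.
        lines.append(f"access-list {acl} extended permit {proto} any4 object {host_obj} "
                     f"{port_spec(lo, hi)}")
    return lines


if __name__ == "__main__":
    # The five UDP ports from the original question.
    print("\n".join(asa_port_forward("Mitel5000-HOST", "10.2.254.111", "udp",
                                     [5004, 5005, 5006, 5007, 50098])))
```

Running it with the thread's five UDP ports prints two service objects, two `nat` lines and two ACL entries. One caveat before pasting the output into a box: the thread writes the phone's ports as `destination` in the service object, whereas Cisco's twice-NAT port-forwarding examples put the real server's port in the `source` field (`service tcp source eq 80`), because twice NAT reads the service object from the real host's side; that is why `port_keyword` is a parameter here. Whichever form you use, confirm on the ASA with `packet-tracer input Outside udp 203.0.113.10 40000 <outside-ip> 5004 detailed` (203.0.113.10 is a placeholder source) that the packet is untranslated to 10.2.254.111 by the intended rule and is then permitted by the `inbound` ACL.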
New Member

Hi, thanks for your help. Can I ask, does this look right?

object network Mitel5000-HOST
  host 10.2.254.111

object service Mitel-Ports1
  service udp destination range 5004 5007
object service Mitel-Ports2
  service udp destination range 6004 6261
object service Mitel-Ports3
  service udp destination range 6604 7039
object service Mitel-Ports4
  service udp destination range 50098 50508

access-list inbound extended permit udp any4 object Mitel5000 range 5004 5007
access-list inbound extended permit udp any4 object Mitel5000 range 6004 6261
access-list inbound extended permit udp any4 object Mitel5000 range 6604 7039
access-list inbound extended permit udp any4 object Mitel5000 range 50098 50508

nat (inside,outside) source static Mitel5000 interface service Mitel-Ports1 Mitel-Ports1
nat (inside,outside) source static Mitel5000 interface service Mitel-Ports2 Mitel-Ports2
nat (inside,outside) source static Mitel5000 interface service Mitel-Ports3 Mitel-Ports3
nat (inside,outside) source static Mitel5000 interface service Mitel-Ports4 Mitel-Ports4


And can this be shortened?

access-list inbound extended permit tcp any interface Outside eq 6800
access-list inbound extended permit tcp any interface Outside eq 6801
access-list inbound extended permit tcp any interface Outside eq 6802
access-list inbound extended permit tcp any interface Outside eq 3998
access-list inbound extended permit tcp any interface Outside eq 3999

To this?

access-list inbound extended permit tcp any interface Outside range 6800 6801
access-list inbound extended permit tcp any interface Outside range 3998 3999

object service Mitel-Ports5
  service udp destination range 6800 6801
object service Mitel-Ports6
  service udp destination range 3998 3999

nat (inside,outside) source static Mitel5000 interface service Mitel-Ports5 Mitel-Ports5
nat (inside,outside) source static Mitel5000 interface service Mitel-Ports6 Mitel-Ports6

Thank you SOOOO very much for your help so far. I think I got it but would love your further input.

New Member

This is my final config, would you please tell me if I have it right:

enable password XXXXXX
password XXXXXX
User Enable password XXXXXX

xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain

name 10.2.254.11 ECHS-PDC
name 10.2.254.12 ECHS-XCH
name 10.2.254.111 Mitel5000

int e0/0                           
nameif Outside
security-level 0                     
ip address X.X.X.X 255.255.255.240
no shutdown                             
description WAN Interface               
exit

int e0/1                           
nameif Inside
security-level 100                      
ip address 10.2.254.9 255.255.255.0
no shutdown                        
description LAN Interface          
exit                               

int e0/2                           
nameif VoIP-Link
security-level 100                      
ip address 10.2.111.1 255.255.255.0
no shutdown                       
description VOIP Interface          
exit

int e0/3                                                    
no shutdown                             
exit

int Management0/0
nameif Management
security-level 100
ip address 192.168.1.1 255.255.255.0
no shutdown
exit

telnet 10.2.254.0 255.255.255.0 Inside
telnet 10.0.0.0 255.0.0.0 Inside
telnet timeout 5
http server enable
http 10.2.254.0 255.255.255.0 Inside
http 10.0.0.0 255.0.0.0 Inside
http 192.168.1.0 255.255.255.0 Management

dhcpd address 192.168.1.2-192.168.1.5 Management
dhcpd enable Management

ssh 10.2.254.0 255.255.255.0 Inside
ssh 192.168.1.0 255.255.255.0 Management
ssh timeout 30
console timeout 0
aaa authentication ssh console LOCAL

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network ECHS-XCH
 host 10.2.254.12
object network ECHS-XCH-01
 host 10.2.254.12
object network ECHS-PDC
 host 10.2.254.11
object network Mitel5000-HOST
  host 10.2.254.111
object network obj_any
 subnet 0.0.0.0 0.0.0.0

access-list outbound extended permit gre any4 any4
access-list outbound extended permit tcp any4 any4 eq pptp
access-list inbound extended permit tcp any4 object ECHS-XCH eq www
access-list inbound extended permit tcp any4 object ECHS-XCH eq https
access-list inbound extended permit tcp any4 object ECHS-PDC eq pptp
access-list inbound extended permit udp any4 object Mitel5000 range 5004 5007
access-list inbound extended permit udp any4 object Mitel5000 range 6004 6261
access-list inbound extended permit udp any4 object Mitel5000 range 6604 7039
access-list inbound extended permit udp any4 object Mitel5000 range 50098 50508
access-list inbound extended permit tcp any interface Outside range 6800 6801
access-list inbound extended permit tcp any interface Outside range 3998 3999

object network ECHS-XCH
 nat (Inside,Outside) static interface service tcp https https
object network ECHS-XCH-01
 nat (Inside,Outside) static interface service tcp www www
object network ECHS-PDC
 nat (Inside,Outside) static interface service tcp pptp pptp
nat (inside,outside) source static Mitel5000 interface service Mitel-Ports1 Mitel-Ports1
nat (inside,outside) source static Mitel5000 interface service Mitel-Ports2 Mitel-Ports2
nat (inside,outside) source static Mitel5000 interface service Mitel-Ports3 Mitel-Ports3
nat (inside,outside) source static Mitel5000 interface service Mitel-Ports4 Mitel-Ports4
nat (inside,outside) source static Mitel5000 interface service Mitel-Ports5 Mitel-Ports5
nat (inside,outside) source static Mitel5000 interface service Mitel-Ports6 Mitel-Ports6

object service Mitel-Ports1
  service udp destination range 5004 5007
object service Mitel-Ports2
  service udp destination range 6004 6261
object service Mitel-Ports3
  service udp destination range 6604 7039
object service Mitel-Ports4
  service udp destination range 50098 50508
object service Mitel-Ports5
  service udp destination range 6800 6801
object service Mitel-Ports6
  service udp destination range 3998 3999
object network obj_any
  nat (Inside,Outside) dynamic interface

access-group inbound in interface Outside
route Outside 0.0.0.0 0.0.0.0 X.X.X.49 1
route Inside 10.2.246.0 255.255.255.0 10.2.254.19 1
route Inside 10.2.247.0 255.255.255.0 10.2.254.19 1
route Inside 10.2.248.0 255.255.255.0 10.2.254.19 1
route Inside 10.2.249.0 255.255.255.0 10.2.254.19 1
route Inside 10.2.250.0 255.255.255.0 10.2.254.19 1
route Inside 10.2.251.0 255.255.255.0 10.2.254.19 1
route Inside 10.2.252.0 255.255.255.0 10.2.254.19 1
route Inside 10.2.253.0 255.255.255.0 10.2.254.19 1

logging asdm 6
domain-name XXXXXXXXXXXXXXXXXXX
crypto key generate rsa

 

VIP Green

Yes, both those examples you posted there look good, but remember to reference the Mitel5000-HOST object group in the NAT statements.

As for your configuration, you are using an IP to name map that is referenced in the NAT statements.  You must reference an object group in the NAT statements so change Mitel5000 to Mitel5000-HOST.

Also, you do not have a dynamic PAT to allow internet access...even though you have an object group matching all traffic. I suggest adding a NAT statement for this object group if the users require access to the internet.

object network obj_any
 subnet 0.0.0.0 0.0.0.0

 nat (inside,outside) dynamic interface

Other than that it looks good.

New Member

Hi, thanks for the reply. I really appreciate your help. A couple of quick questions. I am not sure what you mean by "reference the Mitel5000-HOST object group in the NAT statements."

Am I correct in saying I need to change this bit:

name 10.2.254.11 ECHS-PDC
name 10.2.254.12 ECHS-XCH
name 10.2.254.111 Mitel5000

to this:

name 10.2.254.11 ECHS-PDC
name 10.2.254.12 ECHS-XCH
name 10.2.254.111 Mitel5000-HOST

Also users need internet access and I thought I had done by this statement:

object network obj_any
  nat (Inside,Outside) dynamic interface

(It's just before the routing tables in the above example.) Do I need to enter it as

object network obj_any
  subnet 0.0.0.0 0.0.0.0
  nat (Inside,Outside) dynamic interface

Or do I need to enter it as:

object network obj_any
  nat (Inside,Outside) dynamic interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface

Sorry for being a pain and asking too many questions. You have been a great support. I really want to put this issue to bed and value your input.

New Member

Hi

When you say "reference the Mitel5000-HOST object group in the NAT statements."

Do you mean I need to change this:

nat (inside,outside) source static Mitel5000 interface service Mitel-Ports1 Mitel-Ports1
nat (inside,outside) source static Mitel5000 interface service Mitel-Ports2 Mitel-Ports2
nat (inside,outside) source static Mitel5000 interface service Mitel-Ports3 Mitel-Ports3
nat (inside,outside) source static Mitel5000 interface service Mitel-Ports4 Mitel-Ports4
nat (inside,outside) source static Mitel5000 interface service Mitel-Ports5 Mitel-Ports5
nat (inside,outside) source static Mitel5000 interface service Mitel-Ports6 Mitel-Ports6

To this:

nat (inside,outside) source static Mitel5000-HOST interface service Mitel-Ports1 Mitel-Ports1
nat (inside,outside) source static Mitel5000-HOST interface service Mitel-Ports2 Mitel-Ports2
nat (inside,outside) source static Mitel5000-HOST interface service Mitel-Ports3 Mitel-Ports3
nat (inside,outside) source static Mitel5000-HOST interface service Mitel-Ports4 Mitel-Ports4
nat (inside,outside) source static Mitel5000-HOST interface service Mitel-Ports5 Mitel-Ports5
nat (inside,outside) source static Mitel5000-HOST interface service Mitel-Ports6 Mitel-Ports6

New Member

Is this ok now?

enable password xxxx
password xxxx
User Enable password xxxx

xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain

name 10.2.254.11 ECHS-PDC
name 10.2.254.12 ECHS-XCH
name 10.2.254.111 Mitel5000-HOST

int e0/0                           
nameif Outside
security-level 0                     
ip address x.x.x.53 255.255.255.240
no shutdown                             
description WAN Interface               
exit

int e0/1                           
nameif Inside
security-level 100                      
ip address 10.2.254.9 255.255.255.0
no shutdown                        
description LAN Interface          
exit                               

int e0/2                           
nameif VoIP-Link
security-level 100                      
ip address 10.2.111.1 255.255.255.0
no shutdown                       
description VOIP Interface          
exit

int e0/3                                                    
no shutdown                             
exit

int Management0/0
nameif Management
security-level 100
ip address 192.168.1.1 255.255.255.0
no shutdown
exit

telnet 10.2.254.0 255.255.255.0 Inside
telnet 10.0.0.0 255.0.0.0 Inside
telnet timeout 5
http server enable
http 10.2.254.0 255.255.255.0 Inside
http 10.0.0.0 255.0.0.0 Inside
http 192.168.1.0 255.255.255.0 Management

dhcpd address 192.168.1.2-192.168.1.5 Management
dhcpd enable Management

ssh 10.2.254.0 255.255.255.0 Inside
ssh 192.168.1.0 255.255.255.0 Management
ssh timeout 30
console timeout 0
aaa authentication ssh console LOCAL

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network ECHS-XCH
 host 10.2.254.12
object network ECHS-XCH-01
 host 10.2.254.12
object network ECHS-PDC
 host 10.2.254.11
object network Mitel5000-HOST
  host 10.2.254.111
object network obj_any
 subnet 0.0.0.0 0.0.0.0

access-list outbound extended permit gre any4 any4
access-list outbound extended permit tcp any4 any4 eq pptp
access-list inbound extended permit tcp any4 object ECHS-XCH eq www
access-list inbound extended permit tcp any4 object ECHS-XCH eq https
access-list inbound extended permit tcp any4 object ECHS-PDC eq pptp
access-list inbound extended permit udp any4 object Mitel5000-HOST range 5004 5007
access-list inbound extended permit udp any4 object Mitel5000-HOST range 6004 6261
access-list inbound extended permit udp any4 object Mitel5000-HOST range 6604 7039
access-list inbound extended permit udp any4 object Mitel5000-HOST range 50098 50508
access-list inbound extended permit tcp any interface Outside range 6800 6801
access-list inbound extended permit tcp any interface Outside range 3998 3999

object network ECHS-XCH
 nat (Inside,Outside) static interface service tcp https https
object network ECHS-XCH-01
 nat (Inside,Outside) static interface service tcp www www
object network ECHS-PDC
 nat (Inside,Outside) static interface service tcp pptp pptp
nat (inside,outside) source static Mitel5000-HOST interface service Mitel-Ports1 Mitel-Ports1
nat (inside,outside) source static Mitel5000-HOST interface service Mitel-Ports2 Mitel-Ports2
nat (inside,outside) source static Mitel5000-HOST interface service Mitel-Ports3 Mitel-Ports3
nat (inside,outside) source static Mitel5000-HOST interface service Mitel-Ports4 Mitel-Ports4
nat (inside,outside) source static Mitel5000-HOST interface service Mitel-Ports5 Mitel-Ports5
nat (inside,outside) source static Mitel5000-HOST interface service Mitel-Ports6 Mitel-Ports6

object service Mitel-Ports1
  service udp destination range 5004 5007
object service Mitel-Ports2
  service udp destination range 6004 6261
object service Mitel-Ports3
  service udp destination range 6604 7039
object service Mitel-Ports4
  service udp destination range 50098 50508
object service Mitel-Ports5
  service udp destination range 6800 6801
object service Mitel-Ports6
  service udp destination range 3998 3999
object network obj_any
  nat (Inside,Outside) dynamic interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface

access-group inbound in interface Outside
route Outside 0.0.0.0 0.0.0.0 x.x.x.49 1
route Inside 10.2.246.0 255.255.255.0 10.2.254.19 1
route Inside 10.2.247.0 255.255.255.0 10.2.254.19 1
route Inside 10.2.248.0 255.255.255.0 10.2.254.19 1
route Inside 10.2.249.0 255.255.255.0 10.2.254.19 1
route Inside 10.2.250.0 255.255.255.0 10.2.254.19 1
route Inside 10.2.251.0 255.255.255.0 10.2.254.19 1
route Inside 10.2.252.0 255.255.255.0 10.2.254.19 1
route Inside 10.2.253.0 255.255.255.0 10.2.254.19 1

logging asdm 6
domain-name x-x-x
crypto key generate rsa

VIP Green

Yes, looks good now.

VIP Green

Sorry I had overlooked the obj_any NAT statement.

name 10.2.254.111 Mitel5000-HOST

The above is not a network object, this is an alias (a mapping of IP to a name)

object network Mitel5000-HOST
  host 10.2.254.111

The above is a network object

You are referencing the alias in your NAT statements and not the object group

nat (inside,outside) source static Mitel5000 interface service Mitel-Ports1 Mitel-Ports1

This will not work since Mitel5000 is not a network object...you will get an error when entering this... or at least I got an error last time I tried to do this.

Sorry for being a pain and asking too many questions.

No worries smiley

New Member

Hi - Many thanks again. I get errors on the following commands:

nat (Inside,Outside) static interface service tcp pptp pptp

Being:

ciscoasa(config)# nat (Inside,Outside) static interface service tcp pptp pptp
                                        ^
ERROR: % Invalid input detected at '^' marker.
ciscoasa(config)#

Any ideas?

 

VIP Green

Have you defined the Inside interface already?

It seems to indicate that the interface name does not exist.

New Member

By the way, my final config, which I tested in the lab and got no errors, looks like this...

enable password XXXX
password XXXX
User Enable password XXXX

xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain

name 10.2.254.11 ECHS-PDC
name 10.2.254.12 ECHS-XCH
object network Mitel5000-HOST
  host 10.2.254.111

int e0/0                           
nameif Outside
security-level 0                     
ip address X.X.X.53 255.255.255.240
no shutdown                             
description WAN Interface               
exit

int e0/1                           
nameif Inside
security-level 100                      
ip address 10.2.254.9 255.255.255.0
no shutdown                        
description LAN Interface          
exit                               

int e0/2                           
nameif VoIP-Link
security-level 100                      
ip address 10.2.111.1 255.255.255.0
no shutdown                       
description VOIP Interface          
exit

int e0/3                                                    
no shutdown                             
exit

int Management0/0
nameif Management
security-level 100
ip address 192.168.1.1 255.255.255.0
no shutdown
exit

telnet 10.2.254.0 255.255.255.0 Inside
telnet 10.0.0.0 255.0.0.0 Inside
telnet timeout 5
http server enable
http 10.2.254.0 255.255.255.0 Inside
http 10.0.0.0 255.0.0.0 Inside
http 192.168.1.0 255.255.255.0 Management

dhcpd address 192.168.1.2-192.168.1.5 Management
dhcpd enable Management

ssh 10.2.254.0 255.255.255.0 Inside
ssh 192.168.1.0 255.255.255.0 Management
ssh timeout 30
console timeout 0
aaa authentication ssh console LOCAL

object network ECHS-XCH
 host 10.2.254.12
object network ECHS-XCH-01
 host 10.2.254.12
object network ECHS-PDC
 host 10.2.254.11
object network Mitel5000-HOST
  host 10.2.254.111
object network obj_any
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface
object network ECHS-XCH
 nat (Inside,Outside) static interface service tcp https https
object network ECHS-XCH-01
 nat (Inside,Outside) static interface service tcp www www
object network ECHS-PDC

access-list outbound extended permit gre any4 any4
access-list outbound extended permit tcp any4 any4 eq pptp

access-list inbound extended permit udp any4 object Mitel5000-HOST range 5004 5007
access-list inbound extended permit udp any4 object Mitel5000-HOST range 6004 6261
access-list inbound extended permit udp any4 object Mitel5000-HOST range 6604 7039
access-list inbound extended permit udp any4 object Mitel5000-HOST range 50098 50508
access-list inbound extended permit tcp any interface Outside range 6800 6801
access-list inbound extended permit tcp any interface Outside range 3998 3999

access-list inbound extended permit tcp any4 object ECHS-PDC eq pptp
access-list inbound extended permit tcp any4 object ECHS-XCH eq www
access-list inbound extended permit tcp any4 object ECHS-XCH eq https

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

object service Mitel-Ports1
  service udp destination range 5004 5007
object service Mitel-Ports2
  service udp destination range 6004 6261
object service Mitel-Ports3
  service udp destination range 6604 7039
object service Mitel-Ports4
  service udp destination range 50098 50508
object service Mitel-Ports5
  service udp destination range 6800 6801
object service Mitel-Ports6
  service udp destination range 3998 3999

nat (inside,outside) source static Mitel5000-HOST interface service Mitel-Ports1 Mitel-Ports1
nat (inside,outside) source static Mitel5000-HOST interface service Mitel-Ports2 Mitel-Ports2
nat (inside,outside) source static Mitel5000-HOST interface service Mitel-Ports3 Mitel-Ports3
nat (inside,outside) source static Mitel5000-HOST interface service Mitel-Ports4 Mitel-Ports4
nat (inside,outside) source static Mitel5000-HOST interface service Mitel-Ports5 Mitel-Ports5
nat (inside,outside) source static Mitel5000-HOST interface service Mitel-Ports6 Mitel-Ports6

access-group inbound in interface Outside
route Outside 0.0.0.0 0.0.0.0 X.X.X.49 1
route Inside 10.2.246.0 255.255.255.0 10.2.254.19 1
route Inside 10.2.247.0 255.255.255.0 10.2.254.19 1
route Inside 10.2.248.0 255.255.255.0 10.2.254.19 1
route Inside 10.2.249.0 255.255.255.0 10.2.254.19 1
route Inside 10.2.250.0 255.255.255.0 10.2.254.19 1
route Inside 10.2.251.0 255.255.255.0 10.2.254.19 1
route Inside 10.2.252.0 255.255.255.0 10.2.254.19 1
route Inside 10.2.253.0 255.255.255.0 10.2.254.19 1

logging asdm 6
domain-name X-X-X
crypto key generate rsa

The only command I am missing is...

nat (Inside,Outside) static interface service tcp pptp pptp

Not sure what this command is for, but when I run it I get an error message of:

ciscoasa(config)#
ciscoasa(config)# nat (Inside,Outside) static interface service tcp pptp pptp
                                        ^
ERROR: % Invalid input detected at '^' marker.
ciscoasa(config)#

Could you please show me what I am doing wrong? Again, many thanks for your help.

VIP Green

Ah, OK, here is the problem:

ciscoasa(config)# nat (Inside,Outside) static interface service tcp pptp pptp

You need to add this type of command under a network object. For example:

object network TEST
  subnet 1.1.1.0 255.255.255.0
  nat (Inside,Outside) static interface service tcp pptp pptp

New Member

Hi, thanks for that. Can I ask, if I do the following:

object network Mitel5000-HOST
 host 10.2.254.111
 nat (Inside,Outside) static interface service udp X X

What do I need to put to get the range of ports? I am comparing with..

object network ECHS-PDC
 host 10.2.254.11
object network ECHS-PDC
 nat (Inside,Outside) static interface service tcp pptp pptp

Many thanks again for your continuous support. You're unreal!!


VIP Green

What do I need to put to get the range of ports?

I am not 100% sure I understand what you mean by range of ports. But, if I understand correctly, you could create a service object that defines the range of ports and then call that object group in the NAT statement...for example

object service PORT-RANGE
  service tcp destination range 1024 4000

object network Mitel5000-HOST
  host 10.2.254.111

nat (Inside,Outside) source static Mitel5000-HOST interface service PORT-RANGE PORT-RANGE

New Member

Hello again... Many thanks, I think I have done the above. This is my final config; can I ask you to please cast an eye over it and see if it all looks good? Many thanks for your help today.

enable password XXXX
password XXXX
User Enable password XXXX

xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain

name 10.2.254.11 ECHS-PDC
name 10.2.254.12 ECHS-XCH
object network Mitel5000-HOST
  host 10.2.254.111

int e0/0                           
nameif Outside
security-level 0                     
ip address X.X.X.53 255.255.255.240
no shutdown                             
description WAN Interface               
exit

int e0/1                           
nameif Inside
security-level 100                      
ip address 10.2.254.9 255.255.255.0
no shutdown                        
description LAN Interface          
exit                               

int e0/2                           
nameif VoIP-Link
security-level 100                      
ip address 10.2.111.1 255.255.255.0
no shutdown                       
description VOIP Interface          
exit

int e0/3                                                    
no shutdown                             
exit

int Management0/0
nameif Management
security-level 100
ip address 192.168.1.1 255.255.255.0
no shutdown
exit

telnet 10.2.254.0 255.255.255.0 Inside
telnet 10.0.0.0 255.0.0.0 Inside
telnet timeout 5
http server enable
http 10.2.254.0 255.255.255.0 Inside
http 10.0.0.0 255.0.0.0 Inside
http 192.168.1.0 255.255.255.0 Management

dhcpd address 192.168.1.2-192.168.1.5 Management
dhcpd enable Management

ssh 10.2.254.0 255.255.255.0 Inside
ssh 192.168.1.0 255.255.255.0 Management
ssh timeout 30
console timeout 0
aaa authentication ssh console LOCAL

object network ECHS-XCH
 host 10.2.254.12
object network ECHS-XCH
 nat (Inside,Outside) static interface service tcp https https

object network ECHS-XCH-01
 host 10.2.254.12
object network ECHS-XCH-01
 nat (Inside,Outside) static interface service tcp www www

object network ECHS-PDC
 host 10.2.254.11
object network ECHS-PDC
 nat (Inside,Outside) static interface service tcp pptp pptp

object network Mitel5000-HOST
 host 10.2.254.111
 
object network obj_any
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface

access-list inbound extended permit udp any4 object Mitel5000-HOST range 5004 5007
access-list inbound extended permit udp any4 object Mitel5000-HOST range 6004 6261
access-list inbound extended permit udp any4 object Mitel5000-HOST range 6604 7039
access-list inbound extended permit udp any4 object Mitel5000-HOST range 50098 50508
access-list inbound extended permit tcp any interface Outside range 6800 6801
access-list inbound extended permit tcp any interface Outside range 3998 3999

access-list outbound extended permit gre any4 any4
access-list outbound extended permit tcp any4 any4 eq pptp
access-list inbound extended permit tcp any4 object ECHS-PDC eq pptp
access-list inbound extended permit tcp any4 object ECHS-XCH eq www
access-list inbound extended permit tcp any4 object ECHS-XCH eq https

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

object service Mitel-Ports1
  service udp destination range 5004 5007
object service Mitel-Ports2
  service udp destination range 6004 6261
object service Mitel-Ports3
  service udp destination range 6604 7039
object service Mitel-Ports4
  service udp destination range 50098 50508
object service Mitel-Ports5
  service udp destination range 6800 6801
object service Mitel-Ports6
  service udp destination range 3998 3999

nat (inside,outside) source static Mitel5000-HOST interface service Mitel-Ports1 Mitel-Ports1
nat (inside,outside) source static Mitel5000-HOST interface service Mitel-Ports2 Mitel-Ports2
nat (inside,outside) source static Mitel5000-HOST interface service Mitel-Ports3 Mitel-Ports3
nat (inside,outside) source static Mitel5000-HOST interface service Mitel-Ports4 Mitel-Ports4
nat (inside,outside) source static Mitel5000-HOST interface service Mitel-Ports5 Mitel-Ports5
nat (inside,outside) source static Mitel5000-HOST interface service Mitel-Ports6 Mitel-Ports6

access-group inbound in interface Outside
route Outside 0.0.0.0 0.0.0.0 X.X.X.49 1
route Inside 10.2.246.0 255.255.255.0 10.2.254.19 1
route Inside 10.2.247.0 255.255.255.0 10.2.254.19 1
route Inside 10.2.248.0 255.255.255.0 10.2.254.19 1
route Inside 10.2.249.0 255.255.255.0 10.2.254.19 1
route Inside 10.2.250.0 255.255.255.0 10.2.254.19 1
route Inside 10.2.251.0 255.255.255.0 10.2.254.19 1
route Inside 10.2.252.0 255.255.255.0 10.2.254.19 1
route Inside 10.2.253.0 255.255.255.0 10.2.254.19 1

logging asdm 6
domain-name X-X-X
crypto key generate rsa

You have been amazing with your support. Many thanks.

VIP Green

Yes, this looks good, but a couple of thoughts.

I see an ACL that is not in use...do you need this there?

access-list outbound extended permit gre any4 any4
access-list outbound extended permit tcp any4 any4 eq pptp

You are allowing telnet connections, which isn't a secure protocol; if you don't need this, I suggest removing it.

telnet 10.2.254.0 255.255.255.0 Inside
telnet 10.0.0.0 255.0.0.0 Inside

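Three of the points made in this thread are mechanical enough to check with a script: the reply explaining that `name 10.2.254.111 Mitel5000` is an alias and not an `object network` (so NAT and ACL lines must reference `Mitel5000-HOST`), the `Invalid input` error from typing the object-NAT form `nat (Inside,Outside) static interface service tcp pptp pptp` at global config level, and the telnet warning in the reply above. The following linter is an added example, not code from the thread or from Cisco; it needs Python 3.8+, and the config it reads is a constructed, trimmed copy of the posted one that keeps those mistakes on purpose. `lint_asa` and `SAMPLE_CONFIG` are my names.

```python
"""Lint an ASA 9.x configuration fragment for the pitfalls raised in this
thread: NAT/ACL rules that reference a `name` alias instead of an
`object network`, object-NAT syntax entered at global config level, and a
cleartext telnet management listener.

Added example, not from the thread.  SAMPLE_CONFIG is constructed from the
posted config and deliberately keeps its mistakes."""

import re
from typing import Dict, List, Set

# Constructed sample: two aliases, one of them wrongly used as an object,
# a telnet listener, and an object-NAT line typed at global level.
SAMPLE_CONFIG = """\
name 10.2.254.11 ECHS-PDC
name 10.2.254.111 Mitel5000
telnet 10.2.254.0 255.255.255.0 Inside
ssh 10.2.254.0 255.255.255.0 Inside
object network ECHS-PDC
 host 10.2.254.11
object network Mitel5000-HOST
 host 10.2.254.111
object service Mitel-Ports1
 service udp destination range 5004 5007
access-list inbound extended permit tcp any4 object ECHS-PDC eq pptp
access-list inbound extended permit udp any4 object Mitel5000 range 5004 5007
nat (inside,outside) source static Mitel5000 interface service Mitel-Ports1 Mitel-Ports1
nat (Inside,Outside) static interface service tcp pptp pptp
"""

# Twice NAT: nat (real,mapped) source static|dynamic REAL MAPPED [...] [service S1 S2]
TWICE_NAT = re.compile(
    r"nat \(\S+\) source (static|dynamic) (\S+) (\S+)(?: .*?service (\S+) (\S+))?"
)


def lint_asa(config: str) -> List[str]:
    """Return one human-readable finding per problem; [] means nothing found."""
    aliases: Dict[str, str] = {}
    net_objects: Set[str] = set()
    svc_objects: Set[str] = set()

    # Pass 1: collect definitions.  A `name` line is an alias, not an object.
    for line in config.splitlines():
        if m := re.match(r"name (\S+) (\S+)", line):
            aliases[m.group(2)] = m.group(1)
        elif m := re.match(r"object network (\S+)", line):
            net_objects.add(m.group(1))
        elif m := re.match(r"object service (\S+)", line):
            svc_objects.add(m.group(1))

    findings: List[str] = []

    def check_net(name: str, where: str) -> None:
        if name in net_objects or name == "interface":
            return
        if name in aliases:
            findings.append(f"{where}: '{name}' is a name alias for {aliases[name]}, "
                            "not an object network")
        else:
            findings.append(f"{where}: undefined network object '{name}'")

    # Pass 2: check references.  Indented lines belong to the object above them,
    # so an indented `nat` is object NAT and is fine; a column-0 `nat` must be twice NAT.
    for n, raw in enumerate(config.splitlines(), 1):
        where = f"line {n}"
        indented = raw.startswith(" ")
        line = raw.strip()
        if line.startswith("access-list "):
            for ref in re.findall(r"\bobject (\S+)", line):
                check_net(ref, where)
        elif line.startswith("nat ") and not indented:
            if m := TWICE_NAT.match(line):
                check_net(m.group(2), where)
                check_net(m.group(3), where)
                for svc in (m.group(4), m.group(5)):
                    if svc and svc not in svc_objects:
                        findings.append(f"{where}: undefined service object '{svc}'")
            else:
                findings.append(f"{where}: object-NAT form at global level; "
                                "enter it under the 'object network' it belongs to")
        elif line.startswith("telnet ") and not line.startswith("telnet timeout"):
            findings.append(f"{where}: cleartext telnet management enabled ('{line}'); use ssh")
    return findings


if __name__ == "__main__":
    for finding in lint_asa(SAMPLE_CONFIG):
        print(finding)
```

It reads definitions first (`name`, `object network`, `object service`), then checks every `access-list ... object X` and every global `nat ... source static` for references to names that are only aliases or are undefined, treats any column-0 `nat` line without the `source` keyword as object-NAT syntax in the wrong place, and flags `telnet` listeners. Against the sample it reports four findings; a clean fragment returns an empty list. It only understands the subset of syntax used in this thread (twice-NAT `source` rules and `object`-based ACL entries), so read a clean result as "no known pitfall found", not as a validated configuration; `show run nat` and `show nat detail` on the box remain the ground truth.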
New Member

Hi

What do these commands...

access-list outbound extended permit gre any4 any4
access-list outbound extended permit tcp any4 any4 eq pptp

actually mean?

I want to go and test my config in a live situation. Last time I did this the phone went down... truly excited to see how it all goes today.

Many many thanks

VIP Green

Basically, if you applied that ACL to the Inside interface you would only be permitting GRE and PPTP traffic; all other traffic generated from the Inside network and entering the ASA will be dropped.

Unless you have a requirement to deny the Inside users access to certain servers, PCs, etc., I would leave the configuration as is. Your current configuration will allow all traffic from a higher security level to an equal or lower security level, so your inside users will not be restricted as things stand now.

New Member

MariusGunnerud - Many thanks to you.
