
New Member

ASDM 8.3 Natting with range of port number

Hi,

I would like to do NAT to allow traffic from my outside interface, with a range of TCP and UDP ports, to be statically NATed to the server residing on the inside interface.

Access rule and objects are created for it (snippet):

object-group service TCP-VIDEO-CONF tcp
 description TCP port enable for UC
 port-object range 2326 2373
 port-object range 1719 h323

object-group service UDP-VIDEO-CONF udp
 description UDP port enable for UC
 port-object range 5555 5599

object network video-conf-server
 host 10.10.100.20

access-list outside_remote_access_RDP extended permit tcp any object video-conf-server object-group TCP-VIDEO-CONF

access-list outside_remote_access_RDP extended permit udp any object video-conf-server object-group UDP-VIDEO-CONF


I found out it only lets me map one port per entry. Can't I just do the static NAT mapped over a range?

Or is there any possible way to NAT a range, using PAT?

Thanks

NOEL

3 REPLIES
Cisco Employee

Re: ASDM 8.3 Natting with range of port number

Hi,

You should be able to do NAT with a port range. For example, you can do the below:

object network test1
 host a.b.c.d

object network test2
 host w.x.y.z

object service ports
 service tcp source range A B

nat (inside,outside) source static test1 test2 service ports ports

So this maps a.b.c.d to w.x.y.z on the outside. Let me know if this helps!!

Thanks and Regards,

Prapanch

New Member

Re: ASDM 8.3 Natting with range of port number

Hi sir, thanks for the reply.

object network test1
 host a.b.c.d <-- this can be my video-conf-server?

object network test2
 host w.x.y.z <-- I intend to use the outside interface, meaning I am going to create another new object for my outside interface?

object service ports
 service tcp source range A B

nat (inside,outside) source static test1 test2 service ports ports <-- this is working

So this maps a.b.c.d to w.x.y.z on the outside.

I highlighted my concerns in blue font. I did this config on my dummy device; at least now I can do NAT with a port range.

Meaning to say, if my port range is TCP 1719-1720, a user from the public internet first reaches the outside interface, and the traffic will xlate to the dedicated server IP, according to the dedicated port as well? (example: 1719 --> 1719, 1720 --> 1720)

Thanks

Cisco Employee (accepted solution)

Re: ASDM 8.3 Natting with range of port number

Hi,

Yes, even ports should be translated automatically. You should be able to confirm that by running a packet-tracer.

packet-tracer input outside tcp 4.2.2.2 1234 w.x.y.z 1719 detail

Also, to NAT to the interface IP address, you do not need to create an object. Instead, you will just need to modify the NAT command as below:

nat (inside,outside) source static test1 interface service ports ports
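
The thread's answer applied to the original poster's video-conferencing server, as an added example that is not part of any post above. The VC-* service object names, the access-group binding and the documentation addresses 198.51.100.7 (test client) and 203.0.113.10 (outside interface) are assumptions. The host, port ranges, ACL name and object-group names are the ones from the question.

```cisco
! Real (inside) server, as defined in the question
object network video-conf-server
 host 10.10.100.20

! A service object holds a single service definition, so each port
! range gets its own object. "source" is used because the ports belong
! to the real host named first in the nat statement.
object service VC-TCP-2326-2373
 service tcp source range 2326 2373
object service VC-TCP-1719-1720
 service tcp source range 1719 1720
object service VC-UDP-5555-5599
 service udp source range 5555 5599

! One twice-NAT rule per range. Using the same service object as real
! and mapped service keeps ports 1:1 (1719 -> 1719, 1720 -> 1720).
! "interface" maps to the outside interface address without a new object.
nat (inside,outside) source static video-conf-server interface service VC-TCP-2326-2373 VC-TCP-2326-2373
nat (inside,outside) source static video-conf-server interface service VC-TCP-1719-1720 VC-TCP-1719-1720
nat (inside,outside) source static video-conf-server interface service VC-UDP-5555-5599 VC-UDP-5555-5599

! From 8.3 on, the ACL matches the real (untranslated) server address.
! Only the listed ranges are permitted, so nothing else on the server is
! reachable from outside even though the interface address is shared.
access-list outside_remote_access_RDP extended permit tcp any object video-conf-server object-group TCP-VIDEO-CONF
access-list outside_remote_access_RDP extended permit udp any object video-conf-server object-group UDP-VIDEO-CONF
! Assumed binding; the question does not show how the ACL is applied.
access-group outside_remote_access_RDP in interface outside

! Verification: one port inside a range and one just outside it.
! The first should show the UN-NAT step to 10.10.100.20 and be allowed,
! the second should be dropped.
packet-tracer input outside tcp 198.51.100.7 1234 203.0.113.10 1719 detail
packet-tracer input outside tcp 198.51.100.7 1234 203.0.113.10 1721 detail
```

`show nat detail` lists the per-rule hit counters, which confirms that each range is matching its own rule.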
