New Member

Can you port forward a port range on asa5505 version 8.3

Hi all

Is it possible to port forward a range of ports on the ASA? I can't do it via the GUI; is it possible via the CLI?

Cheers

Carl

6 REPLIES
Super Bronze

Hi,

If you want to forward a range of ports to a host without changing the actual port, you should be able to do it the following way:

object network PORT-RANGE
 service tcp source range 1000 2000
object network HOST
 host 10.10.10.10
nat (inside,outside) source static HOST interface service PORT-RANGE PORT-RANGE

The above should map the internal host 10.10.10.10 to the interface IP address of "outside" for ports 1000-2000.

Hope this helps

Please do remember to mark a reply as the correct answer if it answered your question.

- Jouni

New Member

I tried that and it didn't like the nat command; it would only allow me to do static (inside,outside).

When I tried the nat command it didn't seem to work. Are you sure about this?

Super Bronze

Ah,

I had a typo in the above configuration.

The "object" is of the wrong type. In the above it's "network" even though it should be "service" to be able to hold the protocol/port. If the "object network PORT-RANGE" is still configured on the ASA, it will have to be removed if you want to create an "object service PORT-RANGE" on the ASA.

no object network PORT-RANGE
object service PORT-RANGE
 service tcp source range 1000 2000
object network HOST
 host 10.10.10.10
nat (inside,outside) source static HOST interface service PORT-RANGE PORT-RANGE

With the above it should accept the "nat" command.

- Jouni

Super Bronze

Hi,

Were you able to test this with the corrected configuration mentioned above? I had mistakenly put "object network" in the original reply instead of "object service".

- Jouni

New Member

Hi

I have tried this and it doesn't work. When I do >nat (inside,outside) it comes up with an error; it lets me do nat (inside) and then expects a number.

I believe the way to do this is static (inside,outside) tcp etc etc

See below:

EURUS-MOS-FW1(config)# nat (inside,outside) ?

ERROR: % Unrecognized command

EURUS-MOS-FW1(config)# nat (inside,outside)

EURUS-MOS-FW1(config)# static (inside,outside) ?

configure mode commands/options:
  Hostname or A.B.C.D  Global or mapped address
  interface            Global address overload from interface
  tcp                  TCP to be used as transport protocol
  udp                  UDP to be used as transport protocol
EURUS-MOS-FW1(config)# static (inside,outside) tcp ?

Super Bronze

Hi,

It would seem to me that your original post asked for a Static PAT for a range of ports for ASA software level 8.3.

Your above output would indicate that your firewall is NOT running 8.3 or above software, therefore my suggested NAT configuration format is not supported on your ASA.

In software levels 8.2 and below there is no way to forward a range of ports with a few commands. You will need a "static" command for each port, which depending on the number of ports needed might generate quite a bit of configuration.

An example is:

static (inside,outside) tcp interface 1000 10.10.10.10 1000 netmask 255.255.255.255
static (inside,outside) udp interface 1000 10.10.10.10 1000 netmask 255.255.255.255

You can check your software level with the command "show version".

- Jouni
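The two syntaxes discussed in this thread, as an added example that is not part of any reply: a small generator that reads the software version from "show version" output and emits either the single object/nat form (8.3 and later) or one "static" line per port and protocol (8.2 and earlier). The sample version line is constructed, the PORT-RANGE-TCP/UDP object names and function names are hypothetical, and the pre-8.3 lines include the real host address after the mapped port.

```python
import ipaddress
import re

# Constructed sample of the version line printed by "show version".
SAMPLE_SHOW_VERSION = "Cisco Adaptive Security Appliance Software Version 8.2(5)"

def asa_version(show_version_text):
    """Return (major, minor) parsed from 'show version' output."""
    m = re.search(r"Software Version (\d+)\.(\d+)", show_version_text)
    if not m:
        raise ValueError("no ASA software version line found")
    return int(m.group(1)), int(m.group(2))

def port_forward_config(show_version_text, real_ip, first, last,
                        protos=("tcp",), real_if="inside", mapped_if="outside"):
    """Build static PAT commands for ports first..last in the syntax the version accepts."""
    ipaddress.IPv4Address(real_ip)  # raises ValueError on a malformed address
    if not (1 <= first <= last <= 65535):
        raise ValueError("port range must satisfy 1 <= first <= last <= 65535")
    lines = []
    if asa_version(show_version_text) >= (8, 3):
        # 8.3 and later: one service object and one nat line per protocol.
        lines += ["object network HOST", f" host {real_ip}"]
        for p in protos:
            name = f"PORT-RANGE-{p.upper()}"  # hypothetical object name
            lines += [f"object service {name}",
                      f" service {p} source range {first} {last}",
                      f"nat ({real_if},{mapped_if}) source static HOST "
                      f"interface service {name} {name}"]
    else:
        # 8.2 and earlier: one static command per port and protocol.
        for p in protos:
            for port in range(first, last + 1):
                lines.append(f"static ({real_if},{mapped_if}) {p} interface "
                             f"{port} {real_ip} {port} netmask 255.255.255.255")
    return lines

if __name__ == "__main__":
    # Short range so the per-port output stays readable.
    print("\n".join(port_forward_config(SAMPLE_SHOW_VERSION, "10.10.10.10", 1000, 1003)))
```

For the 1000-2000 range with both TCP and UDP, the pre-8.3 branch produces 2002 lines, so review the output before pasting it into a device.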
