Community Member

How do I map many ports to several different internal ips with one outside static ip address

I have one external IP address of 200.200.200.200. Then I have two different servers. One server is running https and smtp. I'm able to create my ACLs and static mappings to get that working. Now the second server I have a lot of ports (10000 - 65000) I need to forward to it. Making thousands of static entries can't be the answer because the cheapo Netgear I'm replacing with the Cisco ASA 5510 was able to do it in one line.

Here is how I mapped the first server:

static (inside,outside) tcp interface 3389 192.168.1.1 3390 netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.1 https netmask 255.255.255.255

I'm running 8.2.5 now but I'm open to anything at this point.

1 REPLY
Super Bronze
Hi,

I guess the best situation would be to have a dedicated public IP address for this host for Static NAT instead of Static PAT. Though I imagine you have thought about this and it's not possible, either because of some cost issues or because of the ISP.

To my understanding there has never been an option (until now in the new software versions) to forward a continuous range of ports. So in the current software it seems to me that the only option is a huge amount of Static PAT configurations or a Static NAT with an extra public IP.

You can only forward a continuous range of ports in the software levels 8.3 (and above).

With the jump from 8.2 to 8.3 the ASA got its NAT totally reworked. I imagine you have pretty simple configurations otherwise related to NAT, so it wouldn't be such a big jump for you as for others that have large NAT configurations for their company's firewall.

The new NAT format still has its shortcomings and has the problem that you need several NAT configurations still to achieve some things.

I would for example want that we could use "object-group service" as the parameter of NAT configurations, but this is not possible yet and I am not sure whether it will be.

In the new software a Static PAT (Port Forward) for a range of ports could be done with:

object service PORT-RANGE
 service tcp source range 10000 65000
object network HOST
 host 192.168.1.x
nat (inside,outside) source static HOST interface service PORT-RANGE PORT-RANGE
access-list OUTSIDE-IN permit tcp host x.x.x.x object HOST range 10000 65000

Hope this helps

- Jouni
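Added example, not part of Jouni's reply or Cisco documentation: the whole scenario from the question written in ASA 8.3+ NAT syntax, so the two styles sit side by side. Server 1 keeps the per-port static PAT from the 8.2 lines (object NAT, real port first, mapped port second), server 2 gets the range forward via twice NAT with a service object, and the inbound ACL references the real inside addresses and ports as 8.3+ requires. Object names, the second server's address 192.168.1.2 and the permitted management source 203.0.113.10 are assumptions, not values from the thread.

```cisco
! Added example, not the poster's config. Assumed names: SERVER1-RDP, SERVER1-HTTPS,
! SERVER1-SMTP, SERVER2, PORT-RANGE, MGMT-HOST, OUTSIDE-IN.
! Assumed addresses: 192.168.1.2 (server 2) and 203.0.113.10 (permitted source).
!
! Server 1: object NAT static PAT, one network object per forwarded port, because an
! object network carries only a single nat statement.
! "service tcp 3390 3389" = real port 3390, mapped (outside) port 3389, matching the
! 8.2 line "static (inside,outside) tcp interface 3389 192.168.1.1 3390".
object network SERVER1-RDP
 host 192.168.1.1
 nat (inside,outside) static interface service tcp 3390 3389
object network SERVER1-HTTPS
 host 192.168.1.1
 nat (inside,outside) static interface service tcp https https
object network SERVER1-SMTP
 host 192.168.1.1
 nat (inside,outside) static interface service tcp smtp smtp
!
! Server 2: twice (manual) NAT. The service object describes the *source* port range
! of the real host; real and mapped ranges are the same here, so the object is named twice.
object service PORT-RANGE
 service tcp source range 10000 65000
object network SERVER2
 host 192.168.1.2
nat (inside,outside) source static SERVER2 interface service PORT-RANGE PORT-RANGE
!
! Inbound ACL: in 8.3+ the ACL is evaluated after untranslation, so it names the real
! inside objects and real ports. Public services stay open to any source; the 55,000-port
! range and RDP are limited to one known peer, as the "host x.x.x.x" entry in the reply does.
object network MGMT-HOST
 host 203.0.113.10
access-list OUTSIDE-IN extended permit tcp any object SERVER1-HTTPS eq https
access-list OUTSIDE-IN extended permit tcp any object SERVER1-SMTP eq smtp
access-list OUTSIDE-IN extended permit tcp object MGMT-HOST object SERVER1-RDP eq 3390
access-list OUTSIDE-IN extended permit tcp object MGMT-HOST object SERVER2 range 10000 65000
access-group OUTSIDE-IN in interface outside
```

To confirm the range rule is hit before exposing it, `show nat detail` lists the twice NAT entry with its translate hit counters, and `packet-tracer input outside tcp 203.0.113.10 40000 200.200.200.200 20000` walks one synthetic inbound connection through untranslation and the ACL and shows which phase drops or permits it.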
