Cisco Support Community

New Member

how to configure a NAT port range on ASA 5510

Hi,

I have a Cisco ASA 5510 and would like to add a NAT rule for a range of ports like 50000-59999.

New Member

Re: how to configure a NAT port range on ASA 5510

Hmm is there any other way of doing this?

Red

how to configure a NAT port range on ASA 5510

Hi Dino,

what version are you using? It should be possible with 8.3 or higher codes.

Thanks,
Varun Rao
Security Team,
Cisco TAC

New Member

Re: how to configure a NAT port range on ASA 5510

Hi

I'm using 8.4. How do I do it?

Red

how to configure a NAT port range on ASA 5510

Hi Dino,

Please explain your requirement first.

Thanks,
Varun Rao
Security Team,
Cisco TAC

New Member

Re: how to configure a NAT port range on ASA 5510

OK, I have RTP UDP ports 50000 - 59999 to be NATed from public to my private Lync server.

Red

how to configure a NAT port range on ASA 5510

Hi Dino,

You need to configure something like this:

! public_ip and private_ip are network objects for the mapped and real addresses
object service udp_ports
  service udp destination range 50000 59999
nat (outside,inside) source static any any destination static public_ip private_ip service udp_ports udp_ports

Hope that helps.

Thanks,
Varun Rao
Security Team,
Cisco TAC
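
An added example (not part of the original reply or of Cisco's documentation): the snippet above filled out into a complete 8.3+ configuration for the UDP 50000-59999 range, with checks to confirm that only that range is forwarded. The addresses are constructed placeholders, and the interface and ACL names are assumptions. From 8.3 onward the interface ACL matches the real (private) address, not the mapped one.

```cisco
! Constructed placeholder addresses: replace with your own.
object network public_ip
 host 203.0.113.10
object network private_ip
 host 192.168.10.20
!
! Destination ports to forward (UDP only, as required for the RTP media range).
object service udp_ports
 service udp destination range 50000 59999
!
! Twice NAT: packets arriving on outside for public_ip on these ports are
! translated to private_ip; the source and the ports are left unchanged.
nat (outside,inside) source static any any destination static public_ip private_ip service udp_ports udp_ports
!
! 8.3+ ACLs reference the real address. Permit only the forwarded range.
access-list outside_in extended permit udp any host 192.168.10.20 range 50000 59999
access-group outside_in in interface outside
!
! Verification (privileged EXEC mode, not configuration mode):
!   show nat detail
!   show access-list outside_in
! A port inside the range should be translated and allowed:
!   packet-tracer input outside udp 198.51.100.7 40000 203.0.113.10 50000
! A port just outside the range should be dropped:
!   packet-tracer input outside udp 198.51.100.7 40000 203.0.113.10 49999
```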

New Member

Re: how to configure a NAT port range on ASA 5510

Hi Varun

OK, I did do the first part but couldn't do the second through ASDM. I will try through the CLI.

Will try it tonight.

Thanks

Red

how to configure a NAT port range on ASA 5510

Sure, let me know how it goes

Thanks,
Varun Rao
Security Team,
Cisco TAC

New Member

I am using ASA 8.2(5) 5505 and want UDP port forwarding for the range 36,000 to 59,999.

Please advise which commands to configure and apply.

Thank you a lot.

Hi Rizwan,

We cannot create a static NAT for a range of ports in version 8.2; you need to write multiple statements or perform a static one-to-one NAT. This can be done in versions above 8.3, where the NAT configuration changed.

Please refer to the "Static NAT for a Range of Ports" section:

https://supportforums.cisco.com/document/33921/asa-pre-83-83-nat-configuration-examples

You can create a static NAT in 8.2 and permit only the set of ports using the access list to allow it. 

For example

static (inside,outside) <public IP> <Private IP> netmask 255.255.255.255

Now create an access list for this traffic.

access-list outside_in extended permit udp any host <public IP> range 36000 59999

access-group outside_in in interface outside

Or you can upgrade the device to version above 8.3.

Thanks,
Shivapramod M
Please remember to select a correct answer and rate helpful posts

New Member

Hi Shivapramod,

Thank you for the reply.

I will definitely upgrade to 8.3 or above to support the range command because I can't add a long list of commands in the ASA.

Please advise commands for 8.3 or above to define UDP port ranges.

Thank you so much.

Hi,

Please refer to the document which was mentioned in the last comment.

Please refer to the "Static NAT for a Range of Ports" section:

https://supportforums.cisco.com/document/33921/asa-pre-83-83-nat-configuration-examples

Please remember to rate helpful posts

Thanks,

New Member

Re: how to configure a NAT port range on ASA 5510

Hi,

I tried to enter the service group but it didn’t like destination. Is it a command that came later in IOS? I have version Cisco Adaptive Security Appliance Software Version 8.2(5), Device Manager Version 6.4(5)

SA01(config)# object service Lync_RTP_UDP

ASA01(config-service)# service udp destination range 50000 50009

^

ERROR: % Invalid input detected at '^' marker.

ASA01(config-service)# object service Lync_RTP_TCP

ASA01(config-service)# service tcp destination range 50000 50009

^

ERROR: % Invalid input detected at '^' marker

Thanks

Regards,

Dino Chirico | IT Manager

T: 03 9697 2222 | F: 03 9697 2200 | M: +61 (407) 454600

W: Prosum.com.au | E: Dino.Chirico@prosum.com.au

A: 6 Ross Street , South Melbourne 3205

Disclaimer

This message may contain confidential, proprietary or legally privileged information and is intended only for the individual named. No confidentiality or privilege is waived or lost by mistaken transmission. If you are not the named addressee you should not disseminate, distribute, copy or disclose its contents to anyone. Please notify the sender immediately by e-mail if you have received this e-mail in error and delete all copies and destroy any hard copies from your system. PABX Sales and Service Pty Ltd Trading as Prosum of 6 Ross Street South Melbourne ABN 53 087 133 702 and any of its subsidiaries each reserve the right to monitor all e-mail communications through its networks. Any views expressed in this message are those of the individual sender, except where the message states otherwise and the sender is authorized to state them to be the views of any such entity.

New Member

Re: how to configure a NAT port range on ASA 5510

Hi,

I ended up doing this

object-group service Lync_RTP_UDP

service-object udp range 50000 59999

object-group service Lync_RTP_TCP

service-object tcp range 50000 59999

but I still can’t do the static nat

static (Lync_Ext,Internet_AAPT) udp x.x.x.x then I can’t refer to Lync_RTP_UDP

any other ideas?

thanks

Regards,

Dino Chirico | IT Manager


Red

how to configure a NAT port range on ASA 5510

Hi Dino,

Earlier you had stated that you are using ASA software 8.4, so I suggested the configuration for version 8.4.

DINO CHIRICO wrote:

Hi,

I'm using 8.4. How do I do it?


But now it seems like you are using version 8.2. Unfortunately, port forwarding for a complete range would not work in version 8.2.

Thanks,
Varun Rao
Security Team,
Cisco TAC

New Member

Re: how to configure a NAT port range on ASA 5510

Hi,

OK, I will do an upgrade. Are there any gotchas, or can I upload to the latest version?

thanks

Regards,

Dino Chirico | IT Manager


Red

how to configure a NAT port range on ASA 5510

Hi Dino,

Yes, there definitely are a few, since it's a major upgrade to version 8.3 or higher. You can read through this doc first, before upgrading; this is all you need to know before the upgrade procedure:

https://supportforums.cisco.com/docs/DOC-12690

Thanks,
Varun Rao
Security Team,
Cisco TAC

New Member

Re: how to configure a NAT port range on ASA 5510

This document will be ok if I’m coming from 8.2?

Regards,

Dino Chirico | IT Manager


New Member

Re: how to configure a NAT port range on ASA 5510

thanks

Regards,

Dino Chirico | IT Manager
