05-23-2012 09:30 PM - edited 03-11-2019 04:10 PM
Hi,
I have a Cisco ASA 5510 and would like to add a NAT rule for a range of ports like 50000-59999.
05-23-2012 11:54 PM
05-24-2012 12:15 AM
Hi Dino,
What version are you using? It should be possible with 8.3 or higher code.
Thanks,
Varun Rao
Security Team,
Cisco TAC
05-24-2012 12:44 AM
05-24-2012 01:01 AM
Hi Dino,
Please explain your requirement first.
Thanks,
Varun Rao
Security Team,
Cisco TAC
05-24-2012 01:05 AM
05-24-2012 01:16 AM
Hi Dino,
You need to configure something like this:
object service udp_ports
service tcp destination range 50000 50009
nat (outside,inside) source static any any destination static public_ip private_ip service udp_ports udp_ports
Hope that helps.
Thanks,
Varun Rao
Security Team,
Cisco TAC
05-24-2012 01:27 AM
05-24-2012 01:32 AM
Sure, let me know how it goes
Thanks,
Varun Rao
Security Team,
Cisco TAC
01-28-2016 08:58 AM
I am using an ASA 5505 on 8.2(5) and want UDP port forwarding for the range 36,000 to 59,999.
Please advise which commands to configure and apply.
Thank you a lot.
01-28-2016 09:09 AM
Hi Rizwan,
We cannot create a static NAT for a range of ports in version 8.2; you need to write multiple statements or perform a static one-to-one NAT. This can be done in versions above 8.3, where there is a change in the configuration of the NAT.
Please refer to the "Static NAT for a Range of Ports" section:
https://supportforums.cisco.com/document/33921/asa-pre-83-83-nat-configuration-examples
You can create a static NAT in 8.2 and permit only the set of ports using the access list to allow it.
For example
static (inside,outside) <public IP> <Private IP> netmask 255.255.255.255
Now create an access list for this traffic.
access-list outside_in extended permit udp any host <public IP> range 36000 59999
access-group outside_in in interface outside
Or you can upgrade the device to a version above 8.3.
Thanks,
Shivapramod M
Please remember to select a correct answer and rate helpful posts
01-28-2016 09:19 AM
Hi Shivapramod,
Thank you for the reply.
I will definitely upgrade to 8.3 or above to support the range command because I can't add a long list of commands in the ASA.
Please advise the commands for 8.3 or above to define UDP port ranges.
Thank you so much.
01-28-2016 09:22 AM
Hi,
Please refer to the document which was mentioned in the last comment.
Please refer to the "Static NAT for a Range of Ports" section:
https://supportforums.cisco.com/document/33921/asa-pre-83-83-nat-configuration-examples
Please remember to rate helpful posts
Thanks,
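The 8.3-and-later form asked about above, as an added example that is not part of the original thread: it reuses the `object service` and twice-NAT syntax from the earlier reply with the UDP range 36000 to 59999. The object names, the ACL name and the documentation-range addresses 203.0.113.10 and 192.0.2.10 are assumed placeholders; from 8.3 onward the interface ACL matches the real (private) address, not the mapped one.

```cisco
! Added example for ASA 8.3 or later. All names and addresses are placeholders.
!
! Mapped (public) and real (private) addresses of the server
object network SRV_PUBLIC
 host 203.0.113.10
object network SRV_PRIVATE
 host 192.0.2.10
!
! One service object covers the whole UDP destination range
object service UDP_36000_59999
 service udp destination range 36000 59999
!
! Twice NAT: traffic arriving on outside for SRV_PUBLIC in that port range
! is translated to SRV_PRIVATE; source addresses and ports are left unchanged
nat (outside,inside) source static any any destination static SRV_PUBLIC SRV_PRIVATE service UDP_36000_59999 UDP_36000_59999
!
! 8.3+ ACLs reference the REAL address. Permit only the forwarded range,
! so nothing else on the server is reachable from outside.
access-list outside_in extended permit udp any object SRV_PRIVATE range 36000 59999
access-group outside_in in interface outside
!
! Verification commands:
!   show nat detail
!   show access-list outside_in
!   packet-tracer input outside udp 198.51.100.7 40000 203.0.113.10 40000
```

The `packet-tracer` line uses a constructed source address; its output should show the UN-NAT step rewriting the destination to the private address and the ACL phase permitting the flow.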
05-26-2012 10:08 PM
Hi,
I tried to enter the service group but it didn’t like destination. Is it a command that came later in IOS? I have version Cisco Adaptive Security Appliance Software Version 8.2(5), Device Manager Version 6.4(5)
ASA01(config)# object service Lync_RTP_UDP
ASA01(config-service)# service udp destination range 50000 50009
^
ERROR: % Invalid input detected at '^' marker.
ASA01(config-service)# object service Lync_RTP_TCP
ASA01(config-service)# service tcp destination range 50000 50009
^
ERROR: % Invalid input detected at '^' marker
Thanks
Regards,
Dino Chirico | IT Manager
T: 03 9697 2222 | F: 03 9697 2200 | M: +61 (407) 454600
W: Prosum.com.au | E: Dino.Chirico@prosum.com.au
A: 6 Ross Street , South Melbourne 3205
Disclaimer
This message may contain confidential, proprietary or legally privileged information and is intended only for the individual named. No confidentiality or privilege is waived or lost by mistaken transmission. If you are not the named addressee you should not disseminate, distribute, copy or disclose its contents to anyone. Please notify the sender immediately by e-mail if you have received this e-mail in error and delete all copies and destroy any hard copies from your system. PABX Sales and Service Pty Ltd Trading as Prosum of 6 Ross Street South Melbourne ABN 53 087 133 702 and any of its subsidiaries each reserve the right to monitor all e-mail communications through its networks. Any views expressed in this message are those of the individual sender, except where the message states otherwise and the sender is authorized to state them to be the views of any such entity.
05-26-2012 10:30 PM
Hi,
I ended up doing this
object-group service Lync_RTP_UDP
service-object udp range 50000 59999
object-group service Lync_RTP_TCP
service-object tcp range 50000 59999
But I still can’t do the static NAT:
static (Lync_Ext,Internet_AAPT) udp x.x.x.x then I can’t refer to Lync_RTP_UDP
Any other ideas?
Thanks
Regards,
Dino Chirico | IT Manager