Port forwarding/allowing ports on ASA 5520

Sean McCoy
Level 1

I need to allow the following UDP port ranges for the Apple IMessaging app:

3478 through 3497 (UDP)
16384 through 16387 (UDP)
16393 through 16402 (UDP)

I think it would be inbound from the outside interface to any clients on the inside.

4 Replies

Julio Carvajal
VIP Alumni

Hello Sean,

What version are you running?

For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com

Any question contact me at jcarvaja@laguiadelnetworking.com

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Jouni Forss
VIP Alumni

Hi,

If you are running 8.3 (or above) software this should be easy. If you are running 8.2 (or below) this will mean a large amount of configuration, since a range of ports can't be forwarded in that software, to my understanding.

For software level 8.3 (and above) the configuration would be

! One service object per UDP port range
object service UDP-3478-3497
 service udp source range 3478 3497
object service UDP-16384-16387
 service udp source range 16384 16387
object service UDP-16393-16402
 service udp source range 16393 16402

! Internal host that receives the forwarded ports (the address is not shown in the post)
object network INTERNAL-HOST
 host

! Static PAT: the ranges on the outside interface address map to the same ports on the host
nat (inside,outside) source static INTERNAL-HOST interface service UDP-3478-3497 UDP-3478-3497
nat (inside,outside) source static INTERNAL-HOST interface service UDP-16384-16387 UDP-16384-16387
nat (inside,outside) source static INTERNAL-HOST interface service UDP-16393-16402 UDP-16393-16402

For software level 8.2 (and below) the configuration would be

! Static PAT entry per port (the port and host parameters are not shown in the post)
static (inside,outside) udp interface netmask 255.255.255.255

Hope this helps

- Jouni

Sean McCoy
Level 1

I'm running ASA v8.2(5) and ASDM v6.4(5). There is no specific internal host...would that be the inside int of the ASA?

Hi,

If you are doing Static PAT (Port Forwarding) then you are basically forwarding ports to a certain internal host.

If the actual hosts on the internal LAN are forming the connections outbound on these ports, then you just have to allow the traffic in the interface ACL (unless already done so) and have a basic Dynamic PAT translation to a public IP address, which you most likely have already.

- Jouni
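The following script is an added example for this thread (it is not code from the forum posts or from Cisco). It generates the two forms of static PAT from the first reply, the 8.3+ service-object form and the 8.2 form expanded to one `static` line per port, and the outbound-only alternative from the last reply (dynamic PAT plus an outbound permit, with nothing forwarded in). The internal address 10.1.1.10, the inside subnet 10.1.1.0/24 and the ACL names OUTSIDE-IN and INSIDE-IN are assumptions chosen for illustration; the 8.2 static PAT function emits only the `static` lines, so the matching inbound ACL entries still need to be added on that release.

```python
"""Generate ASA configuration for the three UDP port ranges in the thread.

Added example, not code from the forum or from Cisco. The internal address
10.1.1.10, the 10.1.1.0/24 inside subnet and the ACL names OUTSIDE-IN and
INSIDE-IN are assumptions chosen for illustration.
"""
from typing import List, Tuple

PortRange = Tuple[int, int]

# Inclusive UDP port ranges from the question.
IMESSAGE_UDP_RANGES: List[PortRange] = [(3478, 3497), (16384, 16387), (16393, 16402)]


def validate_ranges(ranges: List[PortRange]) -> None:
    """Reject reversed or out-of-range port pairs before they reach the config."""
    for lo, hi in ranges:
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"invalid UDP port range {lo}-{hi}")


def asa83_static_pat(real_ip: str, ranges: List[PortRange],
                     obj: str = "INTERNAL-HOST", acl: str = "OUTSIDE-IN") -> List[str]:
    """8.3+ form used in the first reply: one service object and one
    'nat source static' per range, plus the inbound ACL entries
    (on 8.3+ the ACL matches the real, untranslated address)."""
    validate_ranges(ranges)
    lines: List[str] = []
    for lo, hi in ranges:
        lines += [f"object service UDP-{lo}-{hi}", f" service udp source range {lo} {hi}"]
    lines += [f"object network {obj}", f" host {real_ip}"]
    for lo, hi in ranges:
        svc = f"UDP-{lo}-{hi}"
        lines.append(f"nat (inside,outside) source static {obj} interface service {svc} {svc}")
    for lo, hi in ranges:
        lines.append(f"access-list {acl} extended permit udp any host {real_ip} range {lo} {hi}")
    return lines


def asa82_static_pat(real_ip: str, ranges: List[PortRange]) -> List[str]:
    """8.2 and below: no port-range static PAT, so expand each range into one
    'static' line per port (34 lines for the three ranges in the question)."""
    validate_ranges(ranges)
    return [
        f"static (inside,outside) udp interface {p} {real_ip} {p} netmask 255.255.255.255"
        for lo, hi in ranges
        for p in range(lo, hi + 1)
    ]


def asa_outbound_only(subnet: str, mask: str, ranges: List[PortRange],
                      legacy: bool, acl: str = "INSIDE-IN") -> List[str]:
    """Alternative from the last reply: when inside clients open the
    connections themselves, nothing is forwarded in; dynamic PAT to the
    outside interface plus an outbound permit is enough."""
    validate_ranges(ranges)
    if legacy:  # 8.2 nat/global pair
        lines = [f"nat (inside) 1 {subnet} {mask}", "global (outside) 1 interface"]
    else:       # 8.3+ object NAT
        lines = ["object network INSIDE-NET", f" subnet {subnet} {mask}",
                 " nat (inside,outside) dynamic interface"]
    for lo, hi in ranges:
        lines.append(f"access-list {acl} extended permit udp {subnet} {mask} any range {lo} {hi}")
    return lines


if __name__ == "__main__":
    print("! --- 8.3+ static PAT ---")
    print("\n".join(asa83_static_pat("10.1.1.10", IMESSAGE_UDP_RANGES)))
    print("! --- 8.2 static PAT (one line per port) ---")
    print("\n".join(asa82_static_pat("10.1.1.10", IMESSAGE_UDP_RANGES)))
    print("! --- outbound-only alternative, 8.2 syntax ---")
    print("\n".join(asa_outbound_only("10.1.1.0", "255.255.255.0", IMESSAGE_UDP_RANGES, legacy=True)))
```

Running the script side by side shows why the last reply matters: the 8.2 static PAT expands to 34 inbound mappings on the outside interface, while the outbound-only variant exposes nothing and needs only two NAT lines and three ACL entries.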
