I'm familiar with the classic use case of NAT/PAT, where internal hosts use many-to-one or one-to-one NAT when going outbound. What I'm not as familiar with is what I can use if I have a 10,000-port range that external hosts request inbound to a host, and I want my firewall to forward that 10,000-port range to a single port.
inbound port range: 10,000-20,000
destination ip: 10.10.10.15 "internal host, publicly accessible IP"
translated port: 440
translated ip: 10.10.10.15 "same as original"
source ip: any "internet"
Basically, port forwarding for a range of ports to a single port.
Where I think I'm getting caught is at the basics of TCP/IP, where a client chooses a random port for its source port and sets the destination as the destination port, in my case 10,100. This hits my firewall with the destination port 10,100 and a source port randomly chosen by the client, let's say 4570. The firewall would then say, I want to translate this 10,100 to the destination port of 440 and point it at my internal host 10.10.10.15. When the packet arrives at 10.10.10.15 it arrives with a source port of the now translated port 440. The firewall would not know how to get back to the original client that requested with source port 4570, thus my original request is not possible? This is where I'm at in my mind on why this doesn't work, but then again, I'm thinking that a PAT table could keep track of these connection mappings and broker the connection.
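To make the return-path question concrete, here is a small Python model of a stateful translation table that maps an inbound destination-port range onto one internal port and then undoes the mapping for the reply. It is an added example written for this thread, not code from the original post or from any firewall vendor; the `Packet` shape, the `StatefulNAT` class, the public address 203.0.113.10 and the client address 198.51.100.7 are constructed for illustration. The only values taken from the question are the internal host 10.10.10.15, the real port 440 and the mapped range 10000-20000.

```python
# Added example (not from the original post): a minimal stateful NAT model
# showing that the connection table, not the packet header, is what lets the
# firewall restore the original destination port on the reply.
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


# Constructed rule mirroring the question. 203.0.113.10 is a documentation
# address standing in for the firewall's public (outside) IP.
PUBLIC_IP = "203.0.113.10"
REAL_HOST = "10.10.10.15"
REAL_PORT = 440
MAPPED_RANGE = range(10000, 20001)   # inbound destination ports 10000-20000


class StatefulNAT:
    """Many-to-one port forward with a per-connection reverse mapping."""

    def __init__(self) -> None:
        # (client_ip, client_port) -> original public destination port.
        # The client's own address and source port are already unique per
        # connection, so they suffice to recover the port the client used.
        self.table: Dict[Tuple[str, int], int] = {}

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> firewall. Rewrite the destination; remember the original port."""
        if pkt.dst_ip != PUBLIC_IP or pkt.dst_port not in MAPPED_RANGE:
            return None  # not covered by the rule; the firewall would apply other policy
        self.table[(pkt.src_ip, pkt.src_port)] = pkt.dst_port
        # Note the client's source port is untouched: only dst_ip/dst_port change.
        return replace(pkt, dst_ip=REAL_HOST, dst_port=REAL_PORT)

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Internal host -> firewall. Reply leaves 10.10.10.15:440 for the client."""
        if pkt.src_ip != REAL_HOST or pkt.src_port != REAL_PORT:
            return None
        original_port = self.table.get((pkt.dst_ip, pkt.dst_port))
        if original_port is None:
            return None  # no matching inbound connection: unsolicited, drop
        # Restore the public address and the port the client originally dialled.
        return replace(pkt, src_ip=PUBLIC_IP, src_port=original_port)


def demo() -> Tuple[Optional[Packet], Optional[Packet]]:
    """Walk one connection through both directions; returns (forwarded, reply)."""
    nat = StatefulNAT()
    # Constructed client: 198.51.100.7 picks ephemeral port 4570, dials port 10100.
    forwarded = nat.inbound(Packet("198.51.100.7", 4570, PUBLIC_IP, 10100))
    # The internal host answers from 440 to the client's untouched 4570.
    reply = nat.outbound(Packet(REAL_HOST, REAL_PORT, "198.51.100.7", 4570))
    return forwarded, reply


if __name__ == "__main__":
    fwd, rep = demo()
    print("to host:  ", fwd)   # dst becomes 10.10.10.15:440, src stays 198.51.100.7:4570
    print("to client:", rep)   # src becomes 203.0.113.10:10100, dst 198.51.100.7:4570
```

The point the model makes is that the packet reaching the internal host keeps the client's source port (4570); only the destination is rewritten. The reply therefore still carries the client's address and port, which is all the firewall needs to look up the original destination port (10100) and put it back. Whether a particular firewall's static NAT syntax accepts a many-to-one port mapping like this is product-specific; the model only shows that nothing in the packet flow itself prevents it.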
I would imagine that you would need to have a firewall running software level 8.3 or newer.
What you could try is the following:
object network REAL-HOST
 host 10.10.10.15
object network MAPPED-HOST
 host 188.8.131.52
object service REAL-PORT
 service tcp source eq 440
object service MAPPED-PORT-RANGE
 service tcp source range 10000 20000
nat (inside,outside) source static REAL-HOST MAPPED-HOST service REAL-PORT MAPPED-PORT-RANGE
Here 188.8.131.52 is the public NAT IP address.
This configuration would essentially mean that any connection coming to the destination IP address 184.108.40.206 on the destination port TCP/10000-20000 would be forwarded to the actual host 10.10.10.15 on destination port TCP/440.
I have personally never had the need to even think about a configuration like this, so I am not sure what you are going to use this for. That being said, I have not tested this other than with the "packet-tracer" command to test that it performs as it's supposed to.
I'll test in the lab this evening. I'm testing this as an option to funnel SIP traffic to a single service port, thinking it could increase security, but in the end, if I have to open a 10,000-port range for the translation to function, I've ultimately done nothing to increase security.