I am in the process of replacing all of our Check Point firewalls with Cisco ASAs. I am currently running into the following problem with configuring static NATs and PATs.
At some of our locations, the external IPs are mapped to internal IPs based on port ranges, and I can't find a way to replicate that on the ASA. Here's an example:
External NAT        External Port       Internal Host
22.214.171.124      UDP 9000            10.10.10.1
126.96.36.199       UDP 50000-65500     10.10.10.2
188.8.131.52        ANY                 10.10.10.3
I couldn't find any way of configuring a static NAT that uses the port range (50000-65500), and I'm not about to write 15000 static NAT statements.
Does anyone know how you can use the port range in the static NAT?
This can be accomplished easily using the NAT syntax of ASA version 8.3 or greater:
First, define objects that represent the hosts on the inside and the global address on the outside:
object network obj-10.10.10.1
 host 10.10.10.1
object network obj-10.10.10.2
 host 10.10.10.2
object network obj-10.10.10.3
 host 10.10.10.3
object network obj-184.108.40.206
 host 184.108.40.206
Then define the objects that represent the services that you want to translate; the key here is that they can include a range of ports:
object service obj-serviceUDP9000
 service udp source eq 9000
object service obj-serviceUDP50000-65500
 service udp source range 50000 65500
Finally, define the manual NAT commands that will translate those port ranges from the local to the global IPs. Note that even though the connections might be initiated INBOUND (meaning from hosts on the internet to the internal network), we'll define the translations from inside to outside. We could have made the translations from outside to inside (outside,inside), but defining the translations from the outbound perspective keeps things a bit simpler:
nat (inside,outside) source static obj-10.10.10.1 obj-184.108.40.206 service obj-serviceUDP9000 obj-serviceUDP9000
nat (inside,outside) source static obj-10.10.10.2 obj-184.108.40.206 service obj-serviceUDP50000-65500 obj-serviceUDP50000-65500
Using the 'show nat detail' command shows the three NAT statements I added to the configuration. Note that the NAT statements I created start at #4, since I have three other NAT statements in my configuration that I've omitted from this example:
ASA(config)# show nat detail
4 (inside) to (outside) source static obj-10.10.10.1 obj-184.108.40.206 service obj-serviceUDP9000 obj-serviceUDP9000
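As an added example (not the answer's own configuration), here is the complete 8.3+ configuration for all three rows of the question, including the any-port row for 10.10.10.3 that the answer does not show, together with the inbound access list and a verification step. The global address is the one from the answer's object definition; the interface names inside/outside, the ACL name OUTSIDE-IN and the source address used in packet-tracer are assumptions made for the example.

```cisco
! Added example configuration; interface names, ACL name and packet-tracer
! source values are assumptions, not taken from the answer.

object network obj-10.10.10.1
 host 10.10.10.1
object network obj-10.10.10.2
 host 10.10.10.2
object network obj-10.10.10.3
 host 10.10.10.3
object network obj-184.108.40.206
 host 184.108.40.206

object service obj-serviceUDP9000
 service udp source eq 9000
object service obj-serviceUDP50000-65500
 service udp source range 50000 65500

! Manual (twice) NAT rules in section 1 are matched top-down, first match
! wins, in the order they are entered. The port-specific rules must come
! before the any-port rule that shares the same global address; otherwise
! the 10.10.10.3 rule would claim every inbound packet to 184.108.40.206
! and the port-range rules would never be reached.
nat (inside,outside) source static obj-10.10.10.1 obj-184.108.40.206 service obj-serviceUDP9000 obj-serviceUDP9000
nat (inside,outside) source static obj-10.10.10.2 obj-184.108.40.206 service obj-serviceUDP50000-65500 obj-serviceUDP50000-65500
nat (inside,outside) source static obj-10.10.10.3 obj-184.108.40.206

! Since 8.3 the interface ACL is evaluated against the real (untranslated)
! inside address, so permit only the ports each host is actually exposing
! instead of opening the whole global address.
access-list OUTSIDE-IN extended permit udp any host 10.10.10.1 eq 9000
access-list OUTSIDE-IN extended permit udp any host 10.10.10.2 range 50000 65500
access-list OUTSIDE-IN extended permit ip any host 10.10.10.3
access-group OUTSIDE-IN in interface outside

! Verification: list the rules with their position and hit counts, then
! simulate an inbound UDP packet to port 55000 and confirm that the
! 50000-65500 rule (not the 10.10.10.3 catch-all) untranslates it.
show nat detail
packet-tracer input outside udp 203.0.113.5 40000 184.108.40.206 55000
```

Two caveats when adapting this: if the global address is the outside interface's own IP, use the `interface` keyword in the nat statement instead of a network object, and if the port-specific rules end up below an existing any-port rule for the same global address in `show nat`, re-enter them with an explicit line number so they are matched first.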