How do you create a static NAT for a range of ports on a ASA 5510 with IOS 8.2

dclarolh1 · ‎09-29-2010

How do you create a static NAT for a range of ports on a ASA 5510 with IOS 8.2?

I need to forward ports 10000-20000 for RTP for remote access to our VoIP system.

I found some articles but the commands are very outdated.

Collin Clark · ‎09-29-2010

You can't in that version. You would have to do a 1-1 NAT. I believe 8.3 can so you may want to upgrade.

Hope it helps.

dclarolh1 · ‎09-29-2010

Aww, the dreaded upgrade. That's going to break some things...

Collin Clark · ‎09-29-2010

I've had pretty good luck with 8.3, but all of my firewalls that are running 8.3 are not doing any NAT. Looking at the config guide, the

whole new NAT and ACL configuration looks a little weird to me.

dclarolh1 · ‎09-29-2010

There has to be a way. I don't understand how cisco could do that.

Nagaraja Thanthry · ‎09-29-2010

Hello,

Unfortunately, Pre-8.3 code does not have a way of mapping multiple outside ports to corresponding inside ports in a single statement. However, if you upgrade to 8.3, it can map multiple outside ports (a range) to corresponding ports on the inside.

object service test

service tcp source range 20 50

object network outside_ip

host 64.1.1.1

object network inside_ip

host 192.168.1.1

nat (inside,outside) source static inside_ip outside_ip service test test

If you want to do it on Pre-8.3 (8.2 and earlier), then either you need to use multiple statements or you need to map the entire IP (1-1 NAT).

Hope this helps.

Regards,

NT

dclarolh1 · ‎09-29-2010

How do you map the entire IP?

Nagaraja Thanthry · ‎09-29-2010

Hello,

If you have an unused public IP, then you can use the following template:

static (inside,outside) netmask 255.255.255.255

Then, you use access-list on the outside interface to allow specific ports (or port range).

access-list outside_access_in permit tcp any host range

access-group outside_access_in in interface outside

Hope this helps.

Regards,

NT