• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1620
  • Last Modified:

static pat to a port range?

I am migrating some firewall settings from an old WatchGuard box to a Cisco ASA 5510.

On the old firewall are some static PAT statements that point to a range of ports (5000-5500 for instance).

Is it possible to do the same thing on the ASA without typing in 500 PAT statements?
0
AsenathWaite
Asked:
AsenathWaite
  • 4
  • 2
1 Solution
 
jfer0x01Commented:
Hello,

PAT are dynamic NAT ports, so, no, you cannot use PAT this way, NAT however can

can you place the code from the Watchguard to better understand your question?

Jfer
0
 
AsenathWaiteAuthor Commented:
The WatchGuard has a statment in it (it is a gui) that NAT/PATs an internal address to an external address at a range of ports (5000-5500).

I can't do a one-to-one static nat because I need the external (public) address for other things as well.
0
 
jfer0x01Commented:
Sure,

you can do that

ip nat pool POOL1 192.168.1.1 192.168.1.1 netmask 255.255.255.0 type rotary
ip nat pool POOL2 192.168.1.2 192.168.1.2 netmask 255.255.255.0 type rotary
ip nat inside destination list 101 pool POOL1
ip nat inside destination list 102 pool POOL2
access-list 101 permit tcp any any range 5000 5500
access-list 102 permit tcp any any range 5000 5500

the command you want is range in any case

found in

http://slaptijack.com/networking/cisco-nat-and-port-range-resolution/

0
Get expert help—faster!

Need expert help—fast? Use the Help Bell for personalized assistance getting answers to your important questions.

 
AsenathWaiteAuthor Commented:
Ugh,

Yes, that would work for a Cisco router--but it won't work for a PIX or ASA

those devices don't support the "ip nat pool" command
0
 
jfer0x01Commented:
Hi,

just pasted more info

your ACL entries will represent the PAT/NAT statements from your old watchgaurd

access-list 101 permit tcp any any range 5000 5500
access-list 102 permit tcp any any range 5000 5500

basically, apply the ACL rules to the interface, or service name, you which to use the port range with

Jfer
0
 
jfer0x01Commented:
Hi,

please award points or close question

Jfer
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 4
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now