static pat to a port range?

Posted on 2009-07-07
1,592 Views
Last Modified: 2012-05-07
I am migrating some firewall settings from an old WatchGuard box to a Cisco ASA 5510.

On the old firewall are some static PAT statements that point to a range of ports (5000-5500 for instance).

Is it possible to do the same thing on the ASA without typing in 500 PAT statements?
Question by:AsenathWaite
6 Comments
 
LVL 9

Expert Comment

by:jfer0x01
ID: 24794491
Hello,

PAT ports are dynamic NAT ports, so, no, you cannot use PAT this way. NAT, however, can.

Can you paste the code from the WatchGuard so I can better understand your question?

Jfer
 

Author Comment

by:AsenathWaite
ID: 24794785
The WatchGuard has a statement in it (it is a GUI) that NAT/PATs an internal address to an external address at a range of ports (5000-5500).

I can't do a one-to-one static nat because I need the external (public) address for other things as well.
 
LVL 9

Expert Comment

by:jfer0x01
ID: 24800032
Sure, you can do that:

ip nat pool POOL1 192.168.1.1 192.168.1.1 netmask 255.255.255.0 type rotary
ip nat pool POOL2 192.168.1.2 192.168.1.2 netmask 255.255.255.0 type rotary
ip nat inside destination list 101 pool POOL1
ip nat inside destination list 102 pool POOL2
access-list 101 permit tcp any any range 5000 5500
access-list 102 permit tcp any any range 5000 5500

The command you want is "range", in any case.

Found in:

http://slaptijack.com/networking/cisco-nat-and-port-range-resolution/

 

Author Comment

by:AsenathWaite
ID: 24808293
Ugh,

Yes, that would work for a Cisco router, but it won't work for a PIX or ASA;

those devices don't support the "ip nat pool" command.
 
LVL 9

Accepted Solution

by: jfer0x01 (earned 150 total points)
ID: 24823818
Hi,

Just pasted more info.

Your ACL entries will represent the PAT/NAT statements from your old WatchGuard:

access-list 101 permit tcp any any range 5000 5500
access-list 102 permit tcp any any range 5000 5500

Basically, apply the ACL rules to the interface, or service name, you wish to use the port range with.

Jfer
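The asker's situation (an ASA with no "ip nat pool", a public address shared with other services, and 501 ports) as an added example that is not code from the thread: a Python helper that generates the per-port "static" lines in the pre-8.3 ASA/PIX syntax plus the single "range" ACL entry, and first checks an existing running config for ports already mapped on the shared public address. The addresses, ACL name and the pre-8.3 syntax are assumptions.

```python
import re

# Constructed example (not from the thread). Assumes the pre-8.3 ASA/PIX form:
#   static (inside,outside) tcp <global_ip> <port> <local_ip> <port> netmask 255.255.255.255
# Addresses and the ACL name used here are made-up placeholders.

STATIC_RE = re.compile(r"^static \(\S+,\S+\) (tcp|udp) (\S+) (\d+) \S+ \d+ netmask", re.I)


def static_pat_lines(local_ip, global_ip, first_port, last_port, proto="tcp"):
    """One 'static' line per port in [first_port, last_port], same port on both sides."""
    if not 1 <= first_port <= last_port <= 65535 or proto not in ("tcp", "udp"):
        raise ValueError("bad port range or protocol")
    return [f"static (inside,outside) {proto} {global_ip} {port} "
            f"{local_ip} {port} netmask 255.255.255.255"
            for port in range(first_port, last_port + 1)]


def inbound_acl_line(acl_name, global_ip, first_port, last_port, proto="tcp", source="any"):
    """The single access-list entry; 'range' covers the whole span.
    Prefer a specific source network over 'any' when the peers are known."""
    return (f"access-list {acl_name} extended permit {proto} {source} "
            f"host {global_ip} range {first_port} {last_port}")


def conflicting_ports(existing_config, global_ip, first_port, last_port, proto="tcp"):
    """Ports in the requested range that existing 'static' lines already map on
    global_ip; matters because the public address is shared with other services."""
    used = set()
    for line in existing_config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m and m.group(1).lower() == proto and m.group(2) == global_ip:
            used.add(int(m.group(3)))
    return sorted(p for p in range(first_port, last_port + 1) if p in used)


def build_config(existing_config, local_ip, global_ip, first_port, last_port,
                 acl_name="outside_in"):
    """Whole snippet; refuses to generate if the range collides with existing mappings."""
    clash = conflicting_ports(existing_config, global_ip, first_port, last_port)
    if clash:
        raise ValueError(f"ports already mapped on {global_ip}: {clash}")
    lines = static_pat_lines(local_ip, global_ip, first_port, last_port)
    lines.append(inbound_acl_line(acl_name, global_ip, first_port, last_port))
    lines.append(f"access-group {acl_name} in interface outside")
    return lines


if __name__ == "__main__":
    # 501 statics for 5000-5500 as in the question; pass 'show run static' output as arg 1.
    print("\n".join(build_config("", "192.168.1.10", "203.0.113.5", 5000, 5500)))
```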
 
LVL 9

Expert Comment

by:jfer0x01
ID: 24891131
Hi,

Please award points or close the question.

Jfer