Solved

static pat to a port range?

Posted on 2009-07-07
6
Medium Priority
1,587 Views
Last Modified: 2012-05-07
I am migrating some firewall settings from an old WatchGuard box to a Cisco ASA 5510.

On the old firewall are some static PAT statements that point to a range of ports (5000-5500 for instance).

Is it possible to do the same thing on the ASA without typing in 500 PAT statements?
0
Comment
Question by:AsenathWaite
6 Comments
 
LVL 9

Expert Comment

by:jfer0x01
ID: 24794491
Hello,

PAT uses dynamic NAT ports, so, no, you cannot use PAT this way; NAT, however, can.

Can you paste the config from the WatchGuard so I can better understand your question?

Jfer
0
 

Author Comment

by:AsenathWaite
ID: 24794785
The WatchGuard has a statement in it (it is a GUI) that NAT/PATs an internal address to an external address at a range of ports (5000-5500).

I can't do a one-to-one static nat because I need the external (public) address for other things as well.
0
 
LVL 9

Expert Comment

by:jfer0x01
ID: 24800032
Sure,

you can do that

ip nat pool POOL1 192.168.1.1 192.168.1.1 netmask 255.255.255.0 type rotary
ip nat pool POOL2 192.168.1.2 192.168.1.2 netmask 255.255.255.0 type rotary
ip nat inside destination list 101 pool POOL1
ip nat inside destination list 102 pool POOL2
access-list 101 permit tcp any any range 5000 5500
access-list 102 permit tcp any any range 5000 5500

The command you want is "range" in any case.

Found in:

http://slaptijack.com/networking/cisco-nat-and-port-range-resolution/

0
 

Author Comment

by:AsenathWaite
ID: 24808293
Ugh,

Yes, that would work for a Cisco router, but it won't work for a PIX or ASA.

Those devices don't support the "ip nat pool" command.
0
 
LVL 9

Accepted Solution

by: jfer0x01 (earned 150 total points)
ID: 24823818
Hi,

Just pasted more info.

Your ACL entries will represent the PAT/NAT statements from your old WatchGuard:

access-list 101 permit tcp any any range 5000 5500
access-list 102 permit tcp any any range 5000 5500

Basically, apply the ACL rules to the interface, or service name, with which you wish to use the port range.

Jfer
0
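The question asks how to get a 5000-5500 static PAT onto the ASA without hand-typing 500 entries while the same public address keeps serving other forwards. As an added example (not code from any poster on this page), the script below generates the per-port pre-8.3 ASA "static (inside,outside) tcp ..." lines for a range and skips any outside port that an existing static entry already claims, so the migration cannot silently hijack a port in use. The inside address, the sample existing config and the port range are constructed values.

```python
"""Generate pre-8.3 ASA 'static' PAT lines for a TCP port range and flag
collisions with static entries already using the same outside address.
Added example; the addresses, ports and EXISTING_CONFIG are constructed."""
import re
from typing import Dict, List, Tuple

# Static PAT lines already on the ASA (constructed sample, not from the page).
EXISTING_CONFIG = """
static (inside,outside) tcp interface 443 192.168.1.20 443 netmask 255.255.255.255
static (inside,outside) tcp interface 5022 192.168.1.30 22 netmask 255.255.255.255
"""

# Matches the pre-8.3 form: static (real,mapped) proto mapped_addr mport real_addr rport
STATIC_RE = re.compile(
    r"^static \((?P<real>\w+),(?P<mapped>\w+)\) (?P<proto>tcp|udp) "
    r"(?P<maddr>\S+) (?P<mport>\d+) (?P<raddr>\S+) (?P<rport>\d+)"
)


def used_ports(config: str, proto: str = "tcp") -> Dict[int, str]:
    """Map each mapped-side (outside) port already taken for proto to its line."""
    used: Dict[int, str] = {}
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m and m.group("proto") == proto:
            used[int(m.group("mport"))] = line.strip()
    return used


def range_pat(real_ip: str, first: int, last: int, mapped: str = "interface",
              proto: str = "tcp", existing: str = "") -> Tuple[List[str], List[str]]:
    """Return (static lines for first..last, existing lines that collide).

    Ports are mapped 1:1 (outside port == inside port); a port already used by
    another static entry is skipped and reported instead of being overwritten.
    """
    if not 1 <= first <= last <= 65535:
        raise ValueError("bad port range")
    taken = used_ports(existing, proto)
    lines: List[str] = []
    conflicts: List[str] = []
    for port in range(first, last + 1):
        if port in taken:
            conflicts.append(taken[port])
            continue
        lines.append(f"static (inside,outside) {proto} {mapped} {port} "
                     f"{real_ip} {port} netmask 255.255.255.255")
    return lines, conflicts


if __name__ == "__main__":
    out, clash = range_pat("192.168.1.10", 5000, 5500, existing=EXISTING_CONFIG)
    print("\n".join(out))
    for c in clash:
        print("! skipped, outside port already in use:", c)
```

Paste the printed lines into the ASA (or a TFTP'd config), and review every "skipped" line by hand before deciding whether the existing forward or the new range should own that port.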
 
LVL 9

Expert Comment

by:jfer0x01
ID: 24891131
Hi,

Please award points or close the question.

Jfer
0
