Redirect port range on Cisco ASA 5510

TSG_Users used Ask the Experts™

I'm trying to save myself a bit of RSI here, is there an easy way to set up these port redirects?:

Port                                                              (WAN IP)                LAN IP  
TCP 50000, UDP 50002, UDP 50003           (138.x.x.137)
UDP In 6004-6999,                                      (138.x.x.137)

As you can see I have to re-direct multiple ports from one translated address to two different original addresses. Is there a short-cut that can be used (can't use object-groups for NAT) or am I going to have to bite the bullet and set them up individually?

Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Technical Consultant
there is no mechanism to forward a "Range" of ports other than a static for every port - sorry :(
Jimmy Larsson, CISSP, CEHNetwork and Security consultant

Bite the bullet...

I have read that the 8.3 software has made changes to the NAT rules, and will allow this behavior may be worth checking out if your device meets the ram requirements, other wise the other comments are 100% correct.
Should you be charging more for IT Services?

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden using our free interactive tool and use it to determine the right price for your IT services. Start calculating Now!


Thanks, def need to check 8.3, seen it on a couple of deployments but have always downgraded to minimise complications with the install/support as the NAT rules where a little convoluted, otherwise will be cranking up Excel to see if I can save a bit of time there.
Jimmy Larsson, CISSP, CEHNetwork and Security consultant

8.3 is different when it comes to NAT-configuration, thats true. But there is still no way to do PAT for a range of ports, sorry.


examples of the commands

nat  (inside,outside) source static test1 test2 service ports ports
Jimmy Larsson, CISSP, CEHNetwork and Security consultant

Cheever000: I stand corrected! Didnt know that! Thanks for enlighten me...

I've never tried it either so I may be way off base can't wait to give it a whirl some day.  I'm still trying to get my head around the new version and NAT


Thanks Cheever000, those docs are pretty helpful, unfortunately the clients ASA doesn't have enough RAM to support the upgrade and they need the config working tomorrow.

Out of interest I have managed to cobble together a test config, only problem is is that packet tracer fails it on the ACL:

object service VOIP_UDP_ASDM
        service udp source range 6004 6999 destination range 6004 6999
        description Bulk_UDP_Fwds

object network VOIP_SERVER_196

nat (inside,outside) source static VOIP_SERVER_196 interface service VOIP_UDP_ASDM VOIP_UDP_ASDM

access-list outside_access_in line 6 extended permit object VOIP_UDP_ASDM any x.x.x.152

I notice that there is now a "global" interface that you can configure ACL's on too so have added the ACL to that but to no avail... any thoughts on why that should be failing.... I can't quite see what is wrong with that!

On a side note with this release the NAT configuration in the GUI looks utterly terrifying but so much more straight forward on the CLI!
elmoasa#  packet-tracer input outside udp 1234 x.x.x.154 6$

Phase: 1
Subtype: input
Result: ALLOW
Additional Information:
in identity

Phase: 2
Result: DROP
Implicit Rule
Additional Information:

input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Open in new window


Ahh.. just read the answer to my own question, need to use the original address in the ACL rather than the global address! :-)

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial