TSG_Users
asked on
Redirect port range on Cisco ASA 5510
Hi,
I'm trying to save myself a bit of RSI here, is there an easy way to set up these port redirects?:
Port (WAN IP) LAN IP
TCP 50000, UDP 50002, UDP 50003 (138.x.x.137) 10.220.15.195
UDP In 6004-6999, (138.x.x.137) 10.220.15.196
As you can see I have to re-direct multiple ports from one translated address to two different original addresses. Is there a short-cut that can be used (can't use object-groups for NAT) or am I going to have to bite the bullet and set them up individually?
Cheers
ASKER CERTIFIED SOLUTION
I have read that the 8.3 software has made changes to the NAT rules and will allow this behavior; it may be worth checking out if your device meets the RAM requirements. Otherwise, the other comments are 100% correct.
ASKER
Thanks, def need to check 8.3. I've seen it on a couple of deployments but have always downgraded to minimise complications with the install/support, as the NAT rules were a little convoluted. Otherwise I will be cranking up Excel to see if I can save a bit of time there.
8.3 is different when it comes to NAT configuration, that's true. But there is still no way to do PAT for a range of ports, sorry.
/Kvistofta
SOLUTION
Cheever000: I stand corrected! Didn't know that! Thanks for enlightening me...
/Kvistofta
I've never tried it either, so I may be way off base. Can't wait to give it a whirl some day. I'm still trying to get my head around the new version and NAT.
ASKER
Thanks Cheever000, those docs are pretty helpful. Unfortunately the client's ASA doesn't have enough RAM to support the upgrade, and they need the config working tomorrow.
Out of interest, I have managed to cobble together a test config; the only problem is that packet tracer fails it on the ACL:
object service VOIP_UDP_ASDM
service udp source range 6004 6999 destination range 6004 6999
description Bulk_UDP_Fwds
object network VOIP_SERVER_196
host 192.168.77.196
nat (inside,outside) source static VOIP_SERVER_196 interface service VOIP_UDP_ASDM VOIP_UDP_ASDM
access-list outside_access_in line 6 extended permit object VOIP_UDP_ASDM any x.x.x.152 255.255.255.248
I notice that there is now a "global" interface that you can configure ACLs on too, so I have added the ACL to that, but to no avail... any thoughts on why that should be failing? I can't quite see what is wrong with that!
On a side note, with this release the NAT configuration in the GUI looks utterly terrifying, but it is so much more straightforward on the CLI!
elmoasa# packet-tracer input outside udp 82.77.77.77 1234 x.x.x.154 6$
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 109.224.146.154 255.255.255.255 identity
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
ASKER
Ahh... just read the answer to my own question: I need to use the original address in the ACL rather than the global address! :-)
/kvistofta
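As an added example (written for this page, not taken from the asker's post, the hidden solution or Cisco's documentation), here is what the 8.3+ configuration the thread converges on looks like for both halves of the original table: the three single ports to .195 with object NAT, the UDP 6004-6999 range to .196 with twice NAT and a service object, and the ACL written against the real (inside) addresses, which the asker's last post identifies as the fix. The IPs are the ones from the question; the object names and the interface names inside/outside are assumed. Two details the asker's test config does not show: the NAT service object carries only a source range, because in twice NAT the service ports refer to the real host being published, and the ACL constrains only the destination port. The packet-tracer run above uses source port 1234, so an ACL built from a service object with "source range 6004 6999" would never match an ordinary client, whichever address it named.

```cisco
! Real hosts (addresses from the question; object names are assumed)
object network VOIP_SERVER_195
 host 10.220.15.195
object network VOIP_SERVER_196
 host 10.220.15.196

! Individual ports to .195: object NAT takes one port per entry,
! so each port gets its own network object with an inline static PAT
object network VOIP_195_TCP50000
 host 10.220.15.195
 nat (inside,outside) static interface service tcp 50000 50000
object network VOIP_195_UDP50002
 host 10.220.15.195
 nat (inside,outside) static interface service udp 50002 50002
object network VOIP_195_UDP50003
 host 10.220.15.195
 nat (inside,outside) static interface service udp 50003 50003

! UDP 6004-6999 to .196 in a single rule: twice NAT with a service object
! that carries only a source range (the ports of the real host)
object service VOIP_UDP_6004_6999
 service udp source range 6004 6999
nat (inside,outside) source static VOIP_SERVER_196 interface service VOIP_UDP_6004_6999 VOIP_UDP_6004_6999

! From 8.3 the interface ACL is evaluated against the REAL (untranslated)
! address and port, so the permits name the inside objects, not the
! outside interface address. Only the destination port is constrained;
! the client's source port is left arbitrary.
access-list outside_access_in extended permit tcp any object VOIP_SERVER_195 eq 50000
access-list outside_access_in extended permit udp any object VOIP_SERVER_195 range 50002 50003
access-list outside_access_in extended permit udp any object VOIP_SERVER_196 range 6004 6999
access-group outside_access_in in interface outside
```

To check it the same way the asker did, run packet-tracer from the outside interface with an arbitrary client source port and the outside interface address as the destination (for example a port in the middle of the range such as 6500); phase ACCESS-LIST should now show the permit line instead of "Implicit Rule", and a NAT phase should show the translation to 10.220.15.196. "show nat" and "show xlate" confirm the rules installed and the translations in use.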