Cisco ASA question

Cisco ASA 5505
OS Ver. 7.2

We have one public IP. Currently we have a few ports open and forwarded to an internal PC. Everything is working well. We need to open a few other ports, listed below, to a different internal PC. How would we set this up? I know how to do this if we had more than one public IP, but we just have the one.

Ports we need opened:

5060 UDP  inbound to 10.0.0.2
1024-1252 UDP inbound to 10.0.0.2
8000 TCP inbound to 10.0.0.2


Current config:

ASA Version 7.2(4)
!
hostname CiscoASA
domain-name default.domain.invalid
enable password CiscoASA encrypted
passwd CiscoASA encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address Public-IP 255.255.255.252
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list outside_acl extended permit icmp any any echo-reply
access-list outside_acl extended permit icmp any any time-exceeded
access-list outside_acl extended permit tcp any host Public-IP eq 3389
access-list tunneled extended permit ip host VPN-IP host 1.2.3.83
access-list tunneled extended permit ip host VPN-IP host 1.2.3.86
access-list tunneled extended permit ip host VPN-IP host 1.2.3.50
access-list policy-nat extended permit ip host 10.0.0.30 1.2.3.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 10.0.0.35 3389 netmask 255.255.255.255
static (inside,outside) VPN-IP  access-list policy-nat
access-group outside_acl in interface outside
route outside 0.0.0.0 0.0.0.0 ISP-IP 1



Thanks


Asked by shard26
TheTull commented:
I believe if you update to the latest 8.x OS version (you are on 7.2) you can create objects that specify port ranges, then you can reference those objects in the static NAT range.  Check out this Cisco forum thread: https://supportforums.cisco.com/thread/2087346 

I don't recall version 7.2 of the ASA OS having that feature, but I could be wrong.
Sam Sawalhi (IT Consultant) commented:
This is how to open a range of ports:

access-list outside_access_in extended permit udp any host 'public ip' range 10000 20000
static (inside,outside) interface 'private ip' 'public ip' netmask 255.255.255.255
access-group outside_access_in in interface outside

or

Add this line to your outside interface access list:


access-list <AccessListName> extended permit tcp any host <ServerIP> eq 3390


I hope this helps!
Thank you
Sam
shard26 (Author) commented:
So I could simply add:

access-list outside_acl extended permit udp any host Internal-IP eq sip
access-list outside_acl extended permit tcp any host Internal-IP eq 8000
access-list outside_acl extended permit udp any host Internal-IP range 1024 1252

I thought the public-IP had to go there.

Also, I don't need to make a new Access-List?
TheTull commented:
You can add the new ports to your existing outside ACL and then just add new static NAT entries that map the ports to an internal IP address (you already have one for port 3389).  You can use a single public IP address as long as you have the right static NAT entries that ensure certain ports go to certain internal IP addresses.
shard26 (Author) commented:

can you do a range of ports in a static command?

static (inside,outside) tcp interface range 1024 1252 10.0.0.2 1024 1252 netmask 255.255.255.255
shard26 (Author) commented:
so it would be more like this?

access-list outside_acl extended permit udp any host Public-IP eq sip
access-list outside_acl extended permit tcp any host Public-IP eq 8000
access-list outside_acl extended permit udp any host Public-IP range 1024 1252

static (inside,outside) udp interface 5060 10.0.0.2 5060 netmask 255.255.255.255
static (inside,outside) tcp interface 8000 10.0.0.2 8000 netmask 255.255.255.255
static (inside,outside) udp interface range 1024 1252 10.0.0.2 range 1024 1252 netmask 255.255.255.255

I am trying to find a way to avoid entering in 230 static commands

shard26 (Author) commented:
the object commands do work in 7.2

so I added this:

object-group service phone udp
 description phone ports
 port-object range 1024 1087

access-list outside_acl extended permit udp any host Public-IP range 1024 1087


but how do I add the corresponding static command:

static (inside,outside) udp interface ? 10.0.0.2 ? netmask 255.255.255.255
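Both of the questions above (avoiding 230 hand-typed static commands, and finding a static that takes the "phone" object group) run into the same limit: on ASA 7.2 the `static` command maps exactly one port per line and has no range or object-group form, while `object-group service` only helps on the ACL side. The range 1024-1252 is therefore 229 separate static PAT entries. The script below is an added example for this thread, not code from the thread or from Cisco. It emits the 7.2 lines using the names in the posted config (`outside_acl` and `Public-IP` are taken from that config; mapped port equal to real port is assumed, as in the existing 3389 entry), and it first checks the requested mapped ports against the forwards already on the box, because a second static PAT on the same outside-interface protocol and port is exactly the overlap the ASA would reject.

```python
"""
Generate ASA 7.2 (pre-8.3) static PAT and ACL lines for forwarding ports
on a single public IP.  Added example for this thread, not code from the
thread or from Cisco.

Assumptions not stated in the thread:
  - The outside ACL is called outside_acl and the public address is
    written as the name Public-IP, as in the posted config.
  - Mapped port == real port (identity port mapping), as in the
    existing 3389 static.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Forward:
    proto: str    # "tcp" or "udp"
    first: int    # first port, inclusive
    last: int     # last port, inclusive (== first for a single port)
    real_ip: str  # inside host the traffic is forwarded to

    def ports(self) -> range:
        return range(self.first, self.last + 1)


# Forwards already on the box, from the posted config.
EXISTING: List[Forward] = [Forward("tcp", 3389, 3389, "10.0.0.35")]

# The three new forwards the question asks for.
REQUESTED: List[Forward] = [
    Forward("udp", 5060, 5060, "10.0.0.2"),
    Forward("udp", 1024, 1252, "10.0.0.2"),
    Forward("tcp", 8000, 8000, "10.0.0.2"),
]


def validate(fwd: Forward) -> None:
    if fwd.proto not in ("tcp", "udp"):
        raise ValueError(f"unsupported protocol {fwd.proto!r}")
    if not 1 <= fwd.first <= fwd.last <= 65535:
        raise ValueError(f"bad port range {fwd.first}-{fwd.last}")


def find_collisions(existing: List[Forward],
                    requested: List[Forward]) -> List[Tuple[str, int, str, str]]:
    """Return (proto, port, existing_ip, new_ip) for each mapped port that is
    already forwarded to a different inside host.  The ASA rejects a second
    static PAT on the same interface protocol/port, so catch it before pasting."""
    taken: Dict[Tuple[str, int], str] = {}
    for fwd in existing:
        for port in fwd.ports():
            taken[(fwd.proto, port)] = fwd.real_ip
    hits: List[Tuple[str, int, str, str]] = []
    for fwd in requested:
        for port in fwd.ports():
            owner = taken.get((fwd.proto, port))
            if owner is not None and owner != fwd.real_ip:
                hits.append((fwd.proto, port, owner, fwd.real_ip))
    return hits


def acl_lines(requested: List[Forward], acl: str = "outside_acl",
              public: str = "Public-IP") -> List[str]:
    """One ACL entry per forward.  Pre-8.3 ACLs on the outside interface
    match the mapped (public) address, not the inside host, so the
    destination here is 'host Public-IP'; 'host 10.0.0.2' would never match."""
    lines = []
    for fwd in requested:
        match = f"eq {fwd.first}" if fwd.first == fwd.last else f"range {fwd.first} {fwd.last}"
        lines.append(f"access-list {acl} extended permit {fwd.proto} any host {public} {match}")
    return lines


def static_lines(requested: List[Forward]) -> List[str]:
    """7.2 static PAT takes exactly one mapped port per command (there is no
    range or object-group form), so a range expands to one line per port."""
    return [
        f"static (inside,outside) {fwd.proto} interface {port} {fwd.real_ip} {port} "
        f"netmask 255.255.255.255"
        for fwd in requested
        for port in fwd.ports()
    ]


def build_config(existing: List[Forward], requested: List[Forward]) -> List[str]:
    """ACL entries first, then the statics; refuse to emit anything on a clash."""
    for fwd in existing + requested:
        validate(fwd)
    hits = find_collisions(existing, requested)
    if hits:
        proto, port, owner, new = hits[0]
        raise ValueError(f"{proto}/{port} already forwarded to {owner}, cannot also go to {new}")
    return acl_lines(requested) + static_lines(requested)


if __name__ == "__main__":
    print("\n".join(build_config(EXISTING, REQUESTED)))
```

Paste the output in configuration mode. The `static` entries take precedence over the dynamic `global (outside) 1 interface` PAT for those ports only, and the existing 3389 forward is untouched because it uses a different protocol/port pair; the script would have stopped with an error if any new entry landed on an already-mapped port. If the box is later upgraded past 8.3, the ACL must be rewritten to match the real (inside) addresses, since the NAT model changes there.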

shard26 (Author) commented:


I was hoping it would be something like

static (inside,outside) udp interface phone 192.168.1.241 phone netmask 255.255.255.255

since I named the object group "phone",  but alas its not that easy



TheTull commented:
Does this command work in ASA 7.2 OS?:

nat (inside,outside) source static 192.168.1.241 interface services phone phone

That looks to be the syntax at least in version 8.x  (sorry, I don't have an ASA handy to test with myself).
shard26 (Author) commented:
that won't over-ride the traffic I already have going to the other internal IP?

shard26 (Author) commented:
or it will only affect the "phone" traffic?

TheTull commented:
If the syntax and setup is correct it shouldn't impact the other traffic, but if it does the ASA should let you know about it overlapping.  I would try to do a test if you can somehow, or else do it during non-critical hours.
shard26 (Author) commented:

Hostname(config)# nat (inside,outside) source static 192.168.1.241 interface $

nat (inside,outside) source static 192.168.1.241 interface services phone phone
                 ^
ERROR: % Invalid input detected at '^' marker.

(within the CLI the error is pointing at the comma)
TheTull commented:
Looks like a syntax issue with that command.  I don't have an ASA with version 7.x handy to test with so I can't try anything out myself, you may have to play around with the commands to see if something works, otherwise consider upgrading to version 8.x.  
shard26 (Author) commented:
We just added the rules manually. Thanks.