Open port range Cisco ASA5505

Hi, I have some problems opening UDP ports 6000-6003 to a computer on the inside. I think the problem is my NAT because I don't get how to make it for the range 6000-6003. I will just post most of the running config and see if you can tell me where I'm failing.
ASA ver: 8.4(2)
ASDM: 6.4(5)


Result of the command: "sh ru"

: Saved
:
ASA Version 8.4(2) 
!
hostname HOST1
enable password ********************* encrypted
passwd ******************** encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 12
!
interface Ethernet0/3
 switchport access vlan 22
!
interface Ethernet0/4
 switchport access vlan 32
!
interface Ethernet0/5
 switchport access vlan 42
!
interface Ethernet0/6
 switchport access vlan 52
!
interface Ethernet0/7
 switchport access vlan 62
!
interface Vlan1
 nameif HOST1
 security-level 100
 ip address 192.168.101.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address ***.***.***.211 255.255.255.248 
!
interface Vlan12
 nameif Naive
 security-level 100
 ip address 192.168.121.1 255.255.255.0 
!
interface Vlan22
 nameif Inside3
 security-level 100
 ip address 192.168.131.1 255.255.255.0 
!
interface Vlan32
 nameif Inside4
 security-level 100
 ip address 192.168.141.1 255.255.255.0 
!
interface Vlan42
 nameif Inside5
 security-level 100
 ip address 192.168.151.1 255.255.255.0 
!
interface Vlan52
 nameif Inside6
 security-level 100
 ip address 192.168.161.1 255.255.255.0 
!
interface Vlan62
 nameif Inside7
 security-level 100
 ip address 192.168.171.1 255.255.255.0 
!
ftp mode passive
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network outside212
 host ***.***.***.212
 description ***.***.***.212
object network outside213
 host ***.***.***.213
 description ***.***.***.213
object network outside214
 host ***.***.***.214
 description ***.***.***.214
object network FTP_mot_servern
 host 192.168.101.50
 description Server
object network HTTP_mot_servern
 host 192.168.101.50
object network VNC_mot_servern
 host 192.168.101.50
object network Server
 host 192.168.101.50
object network Studio1
 host 192.168.101.11
object network Studio2
 host 192.168.101.12
object network Studio3
 host 192.168.101.13
object network Studio4
 host 192.168.101.14
object network Studio5
 host 192.168.101.15
object network Studio6
 host 192.168.101.16
access-list outside_access_in remark VNC mot servern
access-list outside_access_in extended permit tcp any object Server eq 5900 
access-list outside_access_in remark HTTP mot servern
access-list outside_access_in extended permit tcp any object Server eq www 
access-list outside_access_in remark FTP mot servern
access-list outside_access_in extended permit tcp any object Server eq ftp 
access-list outside_access_in extended permit udp any object Studio1 range 6000 6003 
access-list outside_access_in extended permit udp any object Studio2 range 8000 8003 
access-list outside_access_in extended permit udp any object Studio3 range 7000 7003 
pager lines 24
logging enable
logging asdm informational
mtu HOST1 1500
mtu outside 1500
mtu Naive 1500
mtu Inside3 1500
mtu Inside4 1500
mtu Inside5 1500
mtu Inside6 1500
mtu Inside7 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network obj_any
 nat (HOST1,outside) dynamic interface
object network FTP_mot_servern
 nat (any,outside) static interface service tcp ftp ftp 
object network HTTP_mot_servern
 nat (any,outside) static interface service tcp www www 
object network VNC_mot_servern
 nat (any,outside) static interface service tcp 5900 5900 
object network Studio1
 nat (any,outside) static interface service udp 6000 6000 
object network Studio2
 nat (any,outside) static interface service udp 8000 8000 
object network Studio3
 nat (any,outside) static interface service udp 7000 7000 
!
nat (HOST1,outside) after-auto source dynamic any interface
nat (Naive,outside) after-auto source dynamic any outside212
nat (Inside3,outside) after-auto source dynamic any outside213
nat (Inside4,outside) after-auto source dynamic any outside213
nat (Inside5,outside) after-auto source dynamic any outside213
nat (Inside6,outside) after-auto source dynamic any outside213
nat (Inside7,outside) after-auto source dynamic any outside213
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 ***.***.***.209 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.101.0 255.255.255.0 HOST1
http ***.***.***.*** 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart



See where it says:
object network Studio1
 nat (any,outside) static interface service udp 6000 6000

If I change that to udp/6000-6003 it says "any", so I guess I'm doing something wrong there.
anvendarnamn Asked:

DIPRAJ Commented:
I am providing help for UTMs/firewalls in general.

For other UTMs (I think the ASA is considered a firewall):

Create a UDP service for ports 6000-6003, meaning the source port should be 1024:65535 and the destination port would be 6000-6003.
If you want to perform the activity for a particular system, then create a host for that system, meaning create a name with an IP address.

Create a policy from the host (that you have created) to the internet, or host to any, and allow the UDP service you have created.

You can create a to-and-fro (meaning vice versa) policy.

Just give it a try.
0
max_the_king Commented:
Hi,
I do not understand why you named the VLAN1 interface "HOST1", with security 100, which you'd rather name "inside" as the default and common practice.
You may want to change that, although the error may be in the nat statement:


object network Studio1
 host 192.168.101.11
 nat (HOST1,outside) static interface service udp 6000 6000
 nat (HOST1,outside) static interface service udp 6001 6001
 nat (HOST1,outside) static interface service udp 6002 6002
 nat (HOST1,outside) static interface service udp 6003 6003

in place of :

object network Studio1
 nat (any,outside) static interface service udp 6000 6000

Should you want to change the name of the interface, do it before the nat command:

int vlan1
 no nameif HOST1
 nameif inside

and change the above nat statements accordingly (inside in place of HOST1).

Hope this helps,
max
0
anvendarnamn Author Commented:
This is solved. Don't put any more energy into this. Will come back about the points soon.
0
anvendarnamn Author Commented:
I ended up doing it without using a range of ports and made one at a time. Thanks for your answers though.
Not sure if I should remove this question or give out points...?
0

anvendarnamn Author Commented:
Don't know if it's possible to open a range of ports, but as I didn't have time to look for a way to do this I just made a rule for every port.
0
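
On ASA 8.3 and later a port range can be forwarded with a manual (twice) NAT rule that references a service object, instead of the single-port object NAT discussed above. The following is an added example, not configuration posted by anyone in this thread. The object name UDP_6000_6003 is an assumption, the interface and host names are taken from the posted running config, and the angle-bracket addresses are placeholders.

```cisco
! Added example. UDP_6000_6003 is a hypothetical object name.
! Object NAT holds one nat statement per object and one port per statement,
! so remove the single-port rule before adding the range rule.
object network Studio1
 no nat (any,outside) static interface service udp 6000 6000
!
! The range is written as a *source* range: the rule is defined from the real
! host's side, where traffic leaves Studio1 from ports 6000-6003.
object service UDP_6000_6003
 service udp source range 6000 6003
!
! Manual NAT: Studio1 <-> outside interface address, ports 6000-6003 mapped 1:1.
nat (HOST1,outside) source static Studio1 interface service UDP_6000_6003 UDP_6000_6003
!
! The ACL already in the posted config matches the real (inside) address and range:
!   access-list outside_access_in extended permit udp any object Studio1 range 6000 6003
! If the senders are known, replace "any" with their addresses to limit exposure.
!
! Verification, run from privileged EXEC mode (addresses are placeholders):
show nat detail
packet-tracer input outside udp <test-source-ip> 12345 <outside-interface-ip> 6001
```

In the packet-tracer output, the UN-NAT phase should show the destination rewritten to 192.168.101.11 and the final result should be "allow".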