ASA 5510 9.1(6) Port forwarding

I have an external IP 176.x.x.188 that needs to accept multiple external connections and forward traffic to 192.168.100.9 on the port range 10500 - 10600, and I'm having trouble making it work.

So something like:

object network obj-176.x.x.188
 host 176.x.x.188

object network obj-192.168.100.9
 host 192.168.100.9

object network rng-10500.600
 range 10500 10600

nat (inside,outside) source static obj-192.168.100.9

access-list outside_in permit tcp any host obj-176.x.x.188 range rng-10500.600
JeffDeveloper Asked:
bamsi Commented:
If I remember correctly, the new IOS needs you to add a permissive rule for the REAL IP instead of the NAT'ed one.

Can you try whether this code fixes your issue?

object network obj-192.168.100.9
 host 192.168.100.9
!
access-list outside_in permit tcp any host obj-192.168.100.9 range rng-10500.600
!
object network obj-176.x.x.188
 host 176.x.x.188
!
object network rng-10500.600
 range 10500 10600
!
nat (outside,inside) source static obj-176.x.x.188 service rng-10500.600
Pete Long, Technical Consultant, Commented:
Not sure you can port forward a 'range'? Unless this is a new feature, you never could in the past.
Pete Long, Technical Consultant, Commented:
Yeah, you can't add a range to a service object:

Petes-ASA(config)# object service Obj-Ports-Range
Petes-ASA(config-service-object)# range 1000 2000
                                                                   ^
Pete Long, Technical Consultant, Commented:
And the range in a network object is for IP addresses:

Petes-ASA(config)# object network Obj-Ports-Range
Petes-ASA(config-network-object)# ?

  description  Specify description text
  fqdn         Enter this keyword to specify an FQDN
  help         Help for network object configuration commands
  host         Enter this keyword to specify a single host object
  nat          Enable NAT on a singleton object
  no           Remove an object or description from object
  range        Enter this keyword to specify a range
  subnet       Enter this keyword to specify a subnet
Petes-ASA(config-network-object)# ra
Petes-ASA(config-network-object)# range 1000 2000
                                                                      ^
ERROR: % Invalid input detected at '^' marker.
Petes-ASA(config-network-object)# range ?        

network-object mode commands/options:
  A.B.C.D  Enter start IP address
JeffDeveloper, Author, Commented:
I was afraid someone would say that. In my PIX I had to individually put in each line of the forward. Is the format the same in 9.1 as it was in 6.2?
Pete Long, Technical Consultant, Commented:
This works, but I'm struggling with the ACL:

!
object service Obj-Ports-Range
 service tcp source range 1000 2000
!
Pete Long, Technical Consultant, Commented:
Right,

Are you sure you are port forwarding?

What's 176.x.x.188? You port forward off an interface, NOT an IP address.

P
Pete Long, Technical Consultant, Commented:
OK - I never give up on a problem. You said you want to do port forwarding; on my test rig:

Test Network
Here I PORT FORWARD ports 1000 to 2000 from the outside interface to the Internal Server (10.2.2.10).
!
object network Obj-Internal-Server
 host 10.2.2.10
!
object service Obj-Ports-Range
 service tcp destination range 1000 2000
!
access-list inbound extended permit tcp any host 10.2.2.10 range 1000 2000
!
access-group inbound in interface outside
!
nat (outside,inside) source static any any destination static interface Obj-Internal-Server service Obj-Ports-Range Obj-Ports-Range
!

However, you mention outside IP addresses? That's a one-to-one static NAT rule, so below I use a spare public IP (192.168.253.100) to open a range of ports to the same internal server.

!
object network Obj-External-Server
 host 192.168.253.100
!
object network Obj-Internal-Server
 host 10.2.2.10
 nat (inside,outside) static Obj-External-Server
!
access-list inbound permit tcp any host 10.2.2.10 range 1000 2000
!
access-group inbound in interface outside
!

Both of these methods I've tested and they work (Note: you need to be above version 8.4, and versions 9.0 and 9.1 have a port forwarding bug that stops the port forward method working).

Regards,

Pete

JeffDeveloper, Author, Commented:
I apologize for the lack of response. Issues with a major project at work have been consuming my time.

You mention that 9.0 and 9.1 have a bug that stops the port forward method from working. I am running 9.1(6), so I am guessing that I will need to bust out the port-to-port connections individually as I did in my PIX?... Here is how I had it configured in my PIX.

There is a server sitting at 192.168.100.9 that is listening on port range 10500 10600.
External address 176.x.x.188 is dedicated to the system.

ip address outside 174.x.x.186 255.255.255.248
ip address inside 192.168.100.1 255.255.255.0

nat (inside) 10 192.168.100.0 255.255.255.0 0 0

access-list outside_access_in permit tcp any host 176.x.x.188 range 10500 10600

static (intf2,outside) tcp 176.x.x.188 10510 192.168.100.9 10510 netmask 255.255.255.255 0 0
static (intf2,outside) tcp 176.x.x.188 10511 192.168.100.9 10511 netmask 255.255.255.255 0 0
static (intf2,outside) tcp 176.x.x.188 10512 192.168.100.9 10512 netmask 255.255.255.255 0 0
static (intf2,outside) tcp 176.x.x.188 10513 192.168.100.9 10513 netmask 255.255.255.255 0 0
static (intf2,outside) tcp 176.x.x.188 10514 192.168.100.9 10514 netmask 255.255.255.255 0 0
static (intf2,outside) tcp 176.x.x.188 10515 192.168.100.9 10515 netmask 255.255.255.255 0 0
static (intf2,outside) tcp 176.x.x.188 10516 192.168.100.9 10516 netmask 255.255.255.255 0 0
static (intf2,outside) tcp 176.x.x.188 10517 192.168.100.9 10517 netmask 255.255.255.255 0 0
static (intf2,outside) tcp 176.x.x.188 10518 192.168.100.9 10518 netmask 255.255.255.255 0 0
static (intf2,outside) tcp 176.x.x.188 10519 192.168.100.9 10519 netmask 255.255.255.255 0 0

route outside 0.0.0.0 0.0.0.0 174.x.x.185 1
JeffDeveloper, Author, Commented:
I was basically hoping to avoid all of the individual static entries.
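The thread's conclusion is that a port range cannot be expressed in a single static PAT, so either the whole dedicated address is statically NATed one-to-one (Pete's second method, with the ACL restricting the ports) or one static PAT per port is written out, as Jeff's PIX config does. When only those ports should ever reach the host, the per-port form is the smaller exposure, and the tedious part is generating it. The helper below is an added example, not code from the thread or from Cisco: it expands a range into per-port entries in the PIX 6.x `static` syntax quoted above and in the post-8.3 object-NAT `nat ... static ... service tcp` syntax, plus the single ACL line that, as bamsi notes, must reference the real (untranslated) address on 8.3+. The addresses are the thread's own; `176.x.x.188` is the thread's redaction and must be replaced before use, and the `PortForward` class and function names are this example's inventions.

```python
"""Expand a TCP port range into per-port static PAT statements (added example).

Two output dialects are produced:
  * PIX 6.x / pre-8.3 ``static`` form, matching the lines quoted in the thread
  * ASA 8.3+ object NAT form: one network object per port, each with its own
    ``nat (real,mapped) static <mapped-ip> service tcp <real-port> <mapped-port>``
Interface, address and port values below are taken from the thread; the class
and function names are inventions of this example.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class PortForward:
    """One internal host reachable from outside on a contiguous TCP port range."""

    mapped_ip: str           # public (mapped) address, e.g. the thread's 176.x.x.188
    real_ip: str             # internal (real) address, e.g. 192.168.100.9
    first_port: int
    last_port: int
    real_ifc: str = "inside"
    mapped_ifc: str = "outside"

    def __post_init__(self) -> None:
        # Reject ranges the ASA would refuse, and inverted ranges that would
        # otherwise silently produce zero (or the wrong set of) forwards.
        if not (1 <= self.first_port <= self.last_port <= 65535):
            raise ValueError(f"bad port range {self.first_port}-{self.last_port}")

    @property
    def ports(self) -> range:
        return range(self.first_port, self.last_port + 1)


def pix_static_lines(fwd: PortForward) -> list[str]:
    """PIX 6.x syntax: one 'static' per port, same layout as the thread's PIX config."""
    return [
        f"static ({fwd.real_ifc},{fwd.mapped_ifc}) tcp {fwd.mapped_ip} {port} "
        f"{fwd.real_ip} {port} netmask 255.255.255.255 0 0"
        for port in fwd.ports
    ]


def asa_object_nat_lines(fwd: PortForward) -> list[str]:
    """ASA 8.3+ object NAT: a dedicated network object per port carrying a static PAT.

    Each object maps exactly one real port to one mapped port, so nothing else on
    the real host becomes reachable through the mapped address.
    """
    lines: list[str] = []
    for port in fwd.ports:
        name = f"obj-{fwd.real_ip}-tcp{port}"
        lines += [
            f"object network {name}",
            f" host {fwd.real_ip}",
            f" nat ({fwd.real_ifc},{fwd.mapped_ifc}) static {fwd.mapped_ip} "
            f"service tcp {port} {port}",
        ]
    return lines


def asa_acl_line(fwd: PortForward, acl_name: str = "outside_in") -> str:
    """Inbound ACL for 8.3+: matches the REAL address, not the mapped one."""
    return (
        f"access-list {acl_name} extended permit tcp any host {fwd.real_ip} "
        f"range {fwd.first_port} {fwd.last_port}"
    )


if __name__ == "__main__":
    # The thread's case: 176.x.x.188 -> 192.168.100.9, TCP 10500-10600.
    fwd = PortForward("176.x.x.188", "192.168.100.9", 10500, 10600, real_ifc="intf2")
    print("\n".join(pix_static_lines(fwd)))
    print("!")
    print("\n".join(asa_object_nat_lines(fwd)))
    print("!")
    print(asa_acl_line(fwd))
```

Apply the generated block, then confirm one mapped port with `packet-tracer input outside tcp <src-ip> 12345 176.x.x.188 10510` and check that the translation and the ACL phase both allow it; with Pete's note about the 9.0/9.1 port-forward bug in mind, that check is what tells you whether the entries actually took effect on this release.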