I have read your lesson on Cisco ASA NAT, forwarding single ports through an ASA.
We have a phone system server that will require a range of ports opening to it from outside.
e.g. we will need to forward UDP ports 9000 to 9500 to a single host on the inside.
Can you advise me on how the CLI will differ from port forwarding a single port? Also, does the access-list command change as well?
It is similar. Here is an example for a simple network with an INSIDE and an OUTSIDE interface; the phone server is on 192.168.1.1.
ASA1(config)# object network PHONE_SERVER
ASA1(config-network-object)# host 192.168.1.1
ASA1(config)# object service PHONE_PORTS
ASA1(config-service-object)# service udp destination range 9000 9500
ASA1(config)# nat (OUTSIDE,INSIDE) source static any any destination static interface PHONE_SERVER service PHONE_PORTS PHONE_PORTS
ASA1(config)# access-list OUTSIDE_TO_INSIDE extended permit udp any object PHONE_SERVER range 9000 9500
ASA1(config)# access-group OUTSIDE_TO_INSIDE in interface OUTSIDE
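Added verification example (not part of the original answer): once the objects, twice NAT rule and access-list above are in place, packet-tracer lets you confirm the range is forwarded without sending real traffic. It assumes the OUTSIDE interface address is 198.51.100.1 and uses 203.0.113.10 as the test source (both RFC 5737 documentation addresses); substitute your own.

```text
! Simulate inbound UDP to the first and last port of the range. Both should
! finish with "Action: allow" and the NAT phase should show the destination
! translated from the OUTSIDE interface address to 192.168.1.1.
ASA1# packet-tracer input OUTSIDE udp 203.0.113.10 40000 198.51.100.1 9000
ASA1# packet-tracer input OUTSIDE udp 203.0.113.10 40000 198.51.100.1 9500
! One port past the range: no NAT rule matches and the access-list only permits
! 9000-9500 to the real address, so this one is expected to end in "Action: drop".
ASA1# packet-tracer input OUTSIDE udp 203.0.113.10 40000 198.51.100.1 9501
! The manual NAT rule with its translate_hits / untranslate_hits counters
ASA1# show nat detail
! Hit counts per ACE; the range entry should increment with the allowed tests
ASA1# show access-list OUTSIDE_TO_INSIDE
! Active translations once real phone traffic is flowing
ASA1# show xlate
```

Because the ASA evaluates access-lists against the real (untranslated) address since 8.3, the ACE must name PHONE_SERVER and the real ports, not the OUTSIDE interface address; the packet-tracer output shows the NAT phase before the ACCESS-LIST phase for exactly this reason.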
Thanks @ReneMolenaar, will set this up today.
Thanks for your help. I have another question, if you could help me.
We have a phone server whose local IP address is, say, 10.2.50.110, and we want to do the following:
- Make it so that the phone server only communicates outside using a different public IP, 184.108.40.206, which is different from the public IP on the outside interface.
- Set up port forwarding so that the following ports, udp/9000-9500 and udp/5060, are forwarded using the above public IP address.
Thanks for your help.
Hmm, you should test it, but I think replacing “interface” in the NAT statement should do it:
object network PHONE_SERVER_PUBLIC_IP
 host 184.108.40.206
nat (OUTSIDE,INSIDE) source static any any destination static PHONE_SERVER_PUBLIC_IP PHONE_SERVER service PHONE_PORTS PHONE_PORTS
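Added worked example for the second question (not part of the original thread); it goes beyond the single NAT line above by also covering udp/5060 and the outbound direction. It assumes PHONE_SERVER is 10.2.50.110 as stated in the question, that 184.108.40.206 is a spare address in the OUTSIDE subnet (the ASA answers ARP for a static mapped address on OUTSIDE by default; if the address is not in that subnet the upstream router needs a route for it pointing at the ASA), and uses 203.0.113.10 as a test peer.

```text
object network PHONE_SERVER
 host 10.2.50.110
object network PHONE_SERVER_PUBLIC_IP
 host 184.108.40.206
! A service object carries one port specification, so udp/5060 gets its own object
object service PHONE_PORTS
 service udp destination range 9000 9500
object service SIP_UDP
 service udp destination eq 5060
! Inbound: only these ports on the dedicated public IP reach the server
nat (OUTSIDE,INSIDE) source static any any destination static PHONE_SERVER_PUBLIC_IP PHONE_SERVER service PHONE_PORTS PHONE_PORTS
nat (OUTSIDE,INSIDE) source static any any destination static PHONE_SERVER_PUBLIC_IP PHONE_SERVER service SIP_UDP SIP_UDP
! Outbound: everything the server originates leaves with 184.108.40.206 instead of
! the OUTSIDE interface address. "unidirectional" stops this 1:1 rule from also
! opening every inbound port to the server; the port rules above handle inbound.
! Manual NAT rules are matched in the order entered, so this broader rule goes last.
nat (INSIDE,OUTSIDE) source static PHONE_SERVER PHONE_SERVER_PUBLIC_IP unidirectional
! The access-list names the real address and real ports (post-8.3 behaviour)
access-list OUTSIDE_TO_INSIDE extended permit udp any object PHONE_SERVER range 9000 9500
access-list OUTSIDE_TO_INSIDE extended permit udp any object PHONE_SERVER eq 5060
access-group OUTSIDE_TO_INSIDE in interface OUTSIDE
! Verify. Inbound SIP: expect "Action: allow" with the destination untranslated to
! 10.2.50.110. Outbound from the server: expect the NAT phase to show the source
! translated to 184.108.40.206, not to the OUTSIDE interface address.
packet-tracer input OUTSIDE udp 203.0.113.10 5060 184.108.40.206 5060
packet-tracer input INSIDE udp 10.2.50.110 5060 203.0.113.10 5060
```

If the outbound packet-tracer still shows the OUTSIDE interface address, check `show nat` for an earlier dynamic PAT rule (a general `nat (INSIDE,OUTSIDE) dynamic interface` or an object NAT on a wider subnet) that is catching the server first; manual NAT in section 1 wins over object NAT in section 2, but an earlier section 1 rule that matches the server wins over this one.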