Port Forwarding a range of ports

I have read your lesson on Cisco ASA NAT Forwarding single ports through an ASA.

We have a phone system server that will require a range of ports opening to it from outside.
e.g. we will need to forward udp ports 9000 to 9500 to a single host on the inside.

Can you advise me on how the CLI will be different to port forwarding a single port? Also, does the Access List command change as well?

Thanks
Amjad Shakeel

Hi @amjad

It is similar. Here is an example for a simple network with an INSIDE + OUTSIDE; the phone server is on 192.168.1.1.

ASA1(config)# object network PHONE_SERVER
ASA1(config-network-object)# host 192.168.1.1
ASA1(config-network-object)# exit

ASA1(config)# object service PHONE_PORTS
ASA1(config-service-object)# service udp destination range 9000 9500

ASA1(config)# nat (OUTSIDE,INSIDE) source static any any destination static interface PHONE_SERVER service PHONE_PORTS PHONE_PORTS

ASA1(config)# access-list OUTSIDE_TO_INSIDE extended permit udp any object PHONE_SERVER range 9000 9500

ASA1(config)# access-group OUTSIDE_TO_INSIDE in interface OUTSIDE

Thanks @ReneMolenaar. Will set this up today.

Thanks for your help. I have another question, if you could help me.

We have a phone server whose local IP Address is say 10.2.50.110 and we want to do the following:

  1. Make it so that the phone server only communicates outside using a different public IP, 195.66.240.10; this is different from the public IP on the outside interface.
  2. Set up port forwarding so that the following ports, udp/9000-9500 and udp/5060, are forwarded using the above public IP address.

Thanks for your help.
Amjad

Hmm, you should test it, but I think replacing “interface” in the NAT statement should do it:

! This object holds the public address; PHONE_SERVER is host 10.2.50.110 here.
object network PHONE_SERVER_PUBLIC_IP
host 195.66.240.10

nat (OUTSIDE,INSIDE) source static any any destination static PHONE_SERVER_PUBLIC_IP PHONE_SERVER service PHONE_PORTS PHONE_PORTS
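
An added example, not part of the original thread: a short Python check that reads ACL lines in the form used in the first answer and reports how many ports each rule opens and whether the source is `any`. The second sample line, the 203.0.113.10 peer address and the `wide` threshold are constructed for illustration.

```python
import re

# Address forms an ASA extended ACL accepts for source and destination.
ADDR = r"(?:any4?|host\s+\S+|object(?:-group)?\s+\S+|\d+(?:\.\d+){3}\s+\d+(?:\.\d+){3})"
# access-list NAME extended permit tcp|udp SRC DST [range LO HI | eq PORT]
ACL_RE = re.compile(
    r"access-list\s+(?P<name>\S+)\s+extended\s+permit\s+(?P<proto>tcp|udp)\s+"
    rf"(?P<src>{ADDR})\s+(?P<dst>{ADDR})"
    r"(?:\s+range\s+(?P<lo>\d+)\s+(?P<hi>\d+)|\s+eq\s+(?P<eq>\d+))?\s*$"
)
PROMPT_RE = re.compile(r"^\S+\(config[^)]*\)#\s*")  # e.g. "ASA1(config)# "

def audit_acl(config_text, wide=100):
    """Return one finding per permit rule; `wide` is an assumed threshold."""
    findings = []
    for raw in config_text.splitlines():
        line = PROMPT_RE.sub("", raw.strip())
        m = ACL_RE.match(line)
        if not m:
            continue  # not a tcp/udp permit line in the supported form
        if m["lo"]:
            lo, hi = int(m["lo"]), int(m["hi"])
        elif m["eq"]:
            lo = hi = int(m["eq"])
        else:
            lo, hi = 1, 65535  # no port qualifier: all ports of the protocol
        flags = []
        if m["src"] in ("any", "any4"):
            flags.append("source-any")
        if hi - lo + 1 > wide:
            flags.append("wide-range")
        findings.append({"acl": m["name"], "proto": m["proto"], "src": m["src"],
                         "dst": m["dst"], "ports": (lo, hi),
                         "count": hi - lo + 1, "flags": flags})
    return findings

# First line is the ACL from the thread; the second is constructed, with a
# documentation-range address standing in for a known SIP peer.
SAMPLE = """\
ASA1(config)# access-list OUTSIDE_TO_INSIDE extended permit udp any object PHONE_SERVER range 9000 9500
access-list OUTSIDE_TO_INSIDE extended permit udp host 203.0.113.10 object PHONE_SERVER eq 5060
"""

if __name__ == "__main__":
    for f in audit_acl(SAMPLE):
        print(f"{f['acl']}: {f['proto']}/{f['ports'][0]}-{f['ports'][1]} from {f['src']} "
              f"to {f['dst']} ({f['count']} ports) {', '.join(f['flags']) or 'ok'}")
```

Lines that do not match the supported form, such as rules using a named port after `eq`, are skipped rather than reported.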