Cisco ASA – Port Forward a ‘Range of Ports’

This comes up on forums a lot, some applications and most phone systems require a ‘LOT’ of ports to be open. Normally thats fine you just give the internal IP a static public IP and open the ports. But what if you don’t have a spare public IP? I’ve already covered port forwarding before.

Cisco PIX / ASA Port Forwarding

Until version 8.4 you couldn’t even do this, you needed to create a translation for each port! Note: There is a bug in versions 9.0 and 9.1 that can stop this working, so check your OS with a ‘Show Ver’ command to be sure.

As I said this come up a lot on forums so when it asked on EE the other day, I fired up GNS3 and works out how to do it. Here is my topology;


Network Topology

So I will setup ‘port forwarding’ from the outside interface of ASA-1 for TCP ports 1000 to 2000 to then Internal Server (10.2.2.10).

1. Setup object groups for your internal server and for the range of ports you are going to forward.

!
object network Obj-Internal-Server
 host 10.2.2.10
!
object service Obj-Ports-Range
 service tcp destination range 1000 2000
!

2. Then allow the traffic in with an ACL See MY WARNING before doing this.

!
access-list inbound extended permit tcp any host 10.2.2.10 range 1000 2000
!
access-group inbound in interface outside
!

3. Perform the PAT translation from the outside interface to the internal server.

!
nat (outside,inside) source static any any destination static interface Obj-Internal-Server service Obj-Ports-Range Obj-Ports-Range
!

Note: A lot of people ask to ‘port forward’ a range of ports when they actually mean ‘I would like to open a range of ports to an internal IP address’. Thats essentially just a one-to-one static NAT. I’ve already covered that before, but in our example i use a spare public ip 192.168.253.100.

!
object network Obj-External-Server
 host 192.168.253.100
!
object network Obj-Internal-Server
 host 10.2.2.10
 nat (inside,outside) static Obj-External-Server
!
access-list inbound permit tcp any host 10.2.2.10 range 1000 2000
!
access-group inbound in interface outside

Author: PeteLong

Share This Post On

8 Comments

  1. Pete – How do you do port forwarding for multiple services to one inside host?

    Post a Reply
    • Hi Tibby – what services?

      P

      Post a Reply
  2. ERROR: NAT unable to reserve ports.

    Post a Reply
    • Usually seen if you have HTTPS or SSH in the list, the firewall has these reserved?

      Pete

      Post a Reply
  3. I’m on version 8.2 and unable to upgrade to a later version due to expired support contract with Cisco. to make things worse, the customer has only one usable public IP froma /30 public IP network. so there are only 2 usable and the ISP uses one for their router already as our gateway. All the Cisco docs on 8.2 state that a range cannot be used adding the Static PAT rules, and the answer is to one-to-one it to an unused IP in the public block, which we don’t have. All we have is the same IP that is used for SNAT. I seem to remember some CCIE coming in and saving the day on a similar issue several years ago on 8.2, but I can’t recall exactly what they did. any suggestions? Cisco is saying we have to map each RTP port with it’s own statement for udp 10000 – 20000..but that’s 10001 separate NAT statements! That can’t be right. We had a real UTM device in there that got zapped last week and have had to fall back onto an old ASA 5520 with cli 8.3

    Post a Reply
    • Cisco are correct thats how it used to be done! Your code is ten years old, you need a new firewall.

      Post a Reply
  4. Thanks so much for this post as it really helped me resolve a problem on a 5506-x with 9.x. One question for you that got me. I originally build the nats with the port ranges like so which I found on a cisco article here: https://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/118996-config-asa-00.html

    nat (inside,outside) source static obj_host interface service obj_port_range obj_port_range

    This was a valid nat but the outside interface didn’t seem to relay the ports as intended.

    Once I created it with your example outside,inside it started working as intended. I think the thing that confused me this that when you do a NAT at the network object level it seems to work fine on a standard port map but it didn’t work this way building it as a normal nat rule.

    Post a Reply
    • Thank for the feedback, I’ve struggled with this myself in the past, (hence the post). I just hammered away at it until it worked!

      Regards,

      Pete

      Post a Reply

Submit a Comment

Your email address will not be published. Required fields are marked *