KB ID 0001111
Note: This is for Cisco ASA 5500, 5500-x, and Cisco Firepower devices running ASA Code.
This comes up on forums a lot: some applications, and most phone systems, require a lot of ports to be open. Normally that's fine, you give the internal IP a static public IP and open the ports. But what if you don't have a spare public IP? I've already covered port forwarding before.
Until version 8.4 you couldn't do this at all; you needed to create a translation for each port. Note: There is a bug in versions 9.0 and 9.1 that can stop this working, so check your OS version with a 'show version' command before you start.
As I said, this comes up a lot on forums, so when it was asked on EE the other day I fired up GNS3 and worked out how to do it. Here is my topology;
So I will set up 'port forwarding' from the outside interface of ASA-1 for TCP ports 1000 to 2000 to the internal server (10.2.2.10).
1. Set up a network object for your internal server and a service object for the range of ports you are going to forward.
!
object network Obj-Internal-Server
 host 10.2.2.10
!
object service Obj-Ports-Range
 service tcp destination range 1000 2000
!
2. Then allow the traffic in with an ACL. See MY WARNING before doing this. Note that on 8.3 and later code the ACL references the real (internal) address of the server, not the outside interface address it is reached on.
!
access-list inbound extended permit tcp any host 10.2.2.10 range 1000 2000
!
access-group inbound in interface outside
!
3. Perform the translation (a static twice NAT) from the outside interface address to the internal server, for that port range only. The same service object is used for the real and mapped service, so the port numbers are preserved and only the address is changed.
!
nat (outside,inside) source static any any destination static interface Obj-Internal-Server service Obj-Ports-Range Obj-Ports-Range
!
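As an added worked example (this is not configuration from the original article), here is the same technique applied to a typical phone-system requirement, which usually needs a UDP range as well as a TCP one, followed by the commands I would use to verify the translation before handing it over. The UDP range 10000 to 20000, the outside interface address 192.168.253.1 and the external test host 203.0.113.50 are assumptions for the example; substitute your own.

```cisco
! Added example, not from the original article.
! TCP 1000-2000 and UDP 10000-20000 forwarded from the outside interface
! to the internal server 10.2.2.10 on ASA 8.4+ code (twice NAT).
!
object network Obj-Internal-Server
 host 10.2.2.10
!
object service Obj-TCP-Range
 service tcp destination range 1000 2000
object service Obj-UDP-Range
 service udp destination range 10000 20000
!
! On 8.3+ code the ACL matches the real (untranslated) address.
access-list inbound extended permit tcp any host 10.2.2.10 range 1000 2000
access-list inbound extended permit udp any host 10.2.2.10 range 10000 20000
access-group inbound in interface outside
!
! One NAT line per protocol. The service object is given as both real and
! mapped service, so the ports are preserved and only the address changes.
nat (outside,inside) source static any any destination static interface Obj-Internal-Server service Obj-TCP-Range Obj-TCP-Range
nat (outside,inside) source static any any destination static interface Obj-Internal-Server service Obj-UDP-Range Obj-UDP-Range
!
! Verification (assumed outside interface 192.168.253.1, assumed test host
! 203.0.113.50). A port inside each range should show the NAT and ACL
! phases as ALLOW and finish with "Action: allow" to interface inside.
packet-tracer input outside tcp 203.0.113.50 40000 192.168.253.1 1500
packet-tracer input outside udp 203.0.113.50 40000 192.168.253.1 15000
!
! A port just outside the range must NOT be translated; this should finish
! with "Action: drop", proving the forward is bounded to the range.
packet-tracer input outside tcp 203.0.113.50 40000 192.168.253.1 2001
!
! Once real traffic is flowing, confirm hits on the NAT rule and the
! resulting translations and connections to the server.
show nat detail
show xlate
show conn address 10.2.2.10
```

The out-of-range packet-tracer is the check worth keeping: it is easy to widen a service object by a typo and not notice, because everything you meant to open still works.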
Note: A lot of people ask to 'port forward' a range of ports when they actually mean 'I would like to open a range of ports to an internal IP address'. That's essentially just a one-to-one static NAT. I've already covered that before, but for our example I'll use a spare public IP, 192.168.253.100.
!
object network Obj-External-Server
 host 192.168.253.100
!
object network Obj-Internal-Server
 host 10.2.2.10
 nat (inside,outside) static Obj-External-Server
!
access-list inbound extended permit tcp any host 10.2.2.10 range 1000 2000
!
access-group inbound in interface outside