Forwarding large port ranges on the ASA


Here’s another interesting issue that came up on the ASA.  I was doing a deployment for a customer who was getting an IP phone system installed at the same time.  During the install one of the phone guys asked me to forward a number of port ranges to the new phone server.  While I don’t recall the exact numbers, it was something like 5060, 5061, and 1000-2000.  I immediately saw an issue: you can’t forward port ranges on the ASA.  Take a look at your NAT/PAT options in the CLI or ASDM and you won’t find one for forwarding a range of ports; a static PAT entry maps exactly one port.  You can certainly dump the config off to TFTP, copy the port forward, and paste it back into the config, incrementing the port number by one 999 times if you are bored.

Surprised?  Many are; I hear the “My lower-end firewall could do this, you’re telling me Cisco can’t?!” phrase a lot.  The long and the short of this debate is that many lower-end firewalls wrap the port forward process into one step: you program the actual forward and the firewall takes care of the ACL creation.  This is not the case with Cisco.  If you have done port forwards before you know it takes a little more work than that.  You need to create an inbound access list (unless you have one already), add the acceptable ports to the ACL, apply it to the outside interface, and then create NAT/PAT statements for the actual forward.

So how does one forward a range such as 1000-2000 to an internal IP?  You dedicate an entire external IP to the cause, NAT all of the traffic to the inside IP with a one-to-one static, and then use your ACL to limit which traffic can actually reach it.  Commands shown below.

-Insert your relevant information between <>
-Lines beginning with ASA(config)# are typed at the console prompt
-outside_access_in is an ACL name I made up, feel free to change it

Create the inbound ACL for the ports you need open (destination is the public IP, and the range is the destination port range)
ASA(config)#  access-list outside_access_in extended permit <tcp or udp> any host <public ip> range 1000 2000

NAT the external IP to the private IP (one-to-one static, so the netmask is a single host)
ASA(config)#  static (inside,outside) <public ip> <private ip> netmask 255.255.255.255

Apply the ACL to the outside interface
ASA(config)#  access-group outside_access_in in interface outside

Of course if your inbound ACL is already in place you simply add to it and then make sure it is applied to the outside interface.  Make sure that you correctly specify TCP or UDP in the ACL statement; if you need both TCP and UDP, create a matching statement for each one.  Keep in mind that with a one-to-one static the ACL is the only thing standing between the Internet and that server, so permit only the ports the phone vendor actually needs and, where the far end is known (a SIP trunk provider, for example), restrict the source address as well rather than using any.  Also note that these are the pre-8.3 commands: from ASA 8.3 onward NAT is configured with network objects and the inbound ACL references the real (private) address rather than the mapped public one.
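Pulling the three steps together, here is a complete configuration for the scenario above.  This is an added example, not configuration from the original post: the addresses are assumed for illustration (198.51.100.10 as the dedicated public IP, 10.1.1.20 as the phone server, and 203.0.113.25 as a hypothetical SIP trunk provider), and the second, commented-out section is the equivalent in the 8.3-and-later object NAT syntax that the post does not cover.  Paste only the section that matches your ASA version.

```cisco
! Added example, not from the original post. Addresses are assumed:
! 198.51.100.10 = dedicated public IP, 10.1.1.20 = phone server,
! 203.0.113.25 = hypothetical SIP trunk provider.
!
! --- ASA 8.2 and earlier (the syntax used in the post) ---
! One-to-one static: every port on the public IP maps to the phone server.
static (inside,outside) 198.51.100.10 10.1.1.20 netmask 255.255.255.255
! The interface ACL is what actually limits exposure. Pre-8.3 it matches the
! mapped (public) address. One line per protocol; a range is fine here.
access-list outside_access_in extended permit tcp any host 198.51.100.10 range 1000 2000
access-list outside_access_in extended permit udp any host 198.51.100.10 range 1000 2000
! SIP signalling, restricted to the provider instead of "any" where the far end is known.
access-list outside_access_in extended permit udp host 203.0.113.25 host 198.51.100.10 eq 5060
access-list outside_access_in extended permit tcp host 203.0.113.25 host 198.51.100.10 range 5060 5061
access-group outside_access_in in interface outside
!
! --- ASA 8.3 and later (equivalent using object NAT; uncomment to use) ---
! object network PHONE_SERVER
!  host 10.1.1.20
!  nat (inside,outside) static 198.51.100.10
! The ACL now matches the real (private) address, not the mapped one:
! access-list outside_access_in extended permit tcp any host 10.1.1.20 range 1000 2000
! access-list outside_access_in extended permit udp any host 10.1.1.20 range 1000 2000
! access-list outside_access_in extended permit udp host 203.0.113.25 host 10.1.1.20 eq 5060
! access-list outside_access_in extended permit tcp host 203.0.113.25 host 10.1.1.20 range 5060 5061
! access-group outside_access_in in interface outside
```

To confirm it works before the phone guys start testing, `show xlate` should list the static translation, and `packet-tracer input outside tcp 203.0.113.7 40000 198.51.100.10 1500` walks a simulated packet through the ACL and NAT stages and should end with `Action: allow`; repeating it with a destination port outside the range (say 3000) should end with `Action: drop` at the access-list stage, which is exactly the behaviour you want from the dedicated IP.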
