ASA Firewall Static PAT Port Range Test

2025-04-08 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

I. Test topology

II. Test idea

1. Test a contiguous port range with static PAT for TCP and for UDP separately.

2. Then, on the Inside server, use a static port-translation tool to redirect the whole TCP range and the whole UDP range to one well-known service port each, so that the range can be exercised with ordinary clients:

- redirect the TCP range to TCP 23 and test with telnet

- redirect the UDP range to UDP 514 and test by sending syslog messages

3. To keep the test simple, the firewall has only two zones, Outside and Inside:

- map TCP 1000~2000 of the Inside server to TCP 1000~2000 on the firewall's Outside interface

- map UDP 1000~2000 of the Inside server to UDP 2000~3000 on the firewall's Outside interface

4. During testing it was found that if the UDP port range is chosen identical to the TCP port range, the second NAT statement is rejected and the following error is reported (which is why the UDP mapped range in this test is shifted to 2000~3000):

ERROR: NAT unable to reserve ports.
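As an added example (not code from the original page), the following Python script plays the role of the static port-translation tool on the Inside server described in step 2: every TCP port in a range is spliced to one TCP service (telnet, 23) and every UDP port in a range is relayed to one UDP service (syslog, 514), so a telnet client or a syslog sender aimed at any mapped port on the firewall ends up at the real service. The port ranges are the server's real ports from the configuration section (TCP 1000~2000, UDP 2000~3000); the backend addresses, the bind address and the loopback self-test are assumptions of this example.

```python
"""Port-range forwarder: relays many listening ports onto one backend service.

Added example, not the original page's code. Backend addresses (127.0.0.1:23,
127.0.0.1:514), bind addresses and the loopback self-test are assumptions.
"""
import socket
import threading


def _pump(src, dst):
    """Copy bytes from src to dst until either side closes, then tear down both."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        for s in (src, dst):
            try:
                s.shutdown(socket.SHUT_RDWR)  # wakes the peer thread's recv()
            except OSError:
                pass
            s.close()


def tcp_forward(listen_port, backend, bind="0.0.0.0"):
    """Listen on listen_port and splice every accepted connection to backend (host, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind, listen_port))
    srv.listen(16)

    def accept_loop():
        while True:
            client, _ = srv.accept()
            try:
                upstream = socket.create_connection(backend, timeout=5)
                upstream.settimeout(None)
            except OSError:
                client.close()  # backend down: drop the client, keep serving
                continue
            threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv  # srv.getsockname()[1] is the bound port (useful when listen_port == 0)


def udp_forward(listen_port, backend, bind="0.0.0.0"):
    """Relay datagrams arriving on listen_port to backend; replies go back to the sender."""
    lst = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    lst.bind((bind, listen_port))
    flows = {}  # sender address -> outbound socket towards the backend

    def reply_loop(sender, out):
        while True:
            try:
                data = out.recv(65535)
            except OSError:
                return
            lst.sendto(data, sender)

    def recv_loop():
        while True:
            data, sender = lst.recvfrom(65535)
            out = flows.get(sender)
            if out is None:
                out = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
                out.connect(backend)
                flows[sender] = out
                threading.Thread(target=reply_loop, args=(sender, out), daemon=True).start()
            out.send(data)

    threading.Thread(target=recv_loop, daemon=True).start()
    return lst


def start_range(proto, first, last, backend, bind="0.0.0.0"):
    """One forwarder (one socket) per port in [first, last]; raise 'ulimit -n' for big ranges."""
    forward = tcp_forward if proto == "tcp" else udp_forward
    return [forward(port, backend, bind) for port in range(first, last + 1)]


def loopback_check():
    """Self-test: echo backends on 127.0.0.1 prove that bytes traverse both relays."""
    echo = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    echo.bind(("127.0.0.1", 0))
    echo.listen(1)

    def tcp_echo():
        conn, _ = echo.accept()
        conn.sendall(conn.recv(4096))
        conn.close()

    threading.Thread(target=tcp_echo, daemon=True).start()
    relay = tcp_forward(0, echo.getsockname(), bind="127.0.0.1")
    cli = socket.create_connection(relay.getsockname(), timeout=5)
    cli.sendall(b"hello via PAT\r\n")
    tcp_ok = cli.recv(4096) == b"hello via PAT\r\n"
    cli.close()

    uecho = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    uecho.bind(("127.0.0.1", 0))

    def udp_echo():
        data, addr = uecho.recvfrom(65535)
        uecho.sendto(data, addr)

    threading.Thread(target=udp_echo, daemon=True).start()
    urelay = udp_forward(0, uecho.getsockname(), bind="127.0.0.1")
    ucli = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    ucli.settimeout(5)
    ucli.sendto(b"<14>PAT range test", urelay.getsockname())  # constructed syslog line
    udp_ok = ucli.recv(65535) == b"<14>PAT range test"
    ucli.close()
    return tcp_ok and udp_ok


if __name__ == "__main__":
    # Real ports of the Inside server: TCP 1000~2000 -> telnet, UDP 2000~3000 -> syslog.
    start_range("tcp", 1000, 2000, ("127.0.0.1", 23))
    start_range("udp", 2000, 3000, ("127.0.0.1", 514))
    threading.Event().wait()  # serve forever
```

Run it as root (or with a high enough file-descriptor limit) on the Inside server, then from the Outside server telnet to 202.100.1.10 on any port of 1000~2000 and send syslog to 202.100.1.10 on any port of 2000~3000; whatever arrives at the local telnet and syslog daemons has been translated by the firewall.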

III. Basic configuration

1. Outside server

IP: 202.100.1.8/24

2. Firewall ASA842

interface GigabitEthernet0
 nameif Outside
 security-level 0
 ip address 202.100.1.10 255.255.255.0
!
interface GigabitEthernet1
 nameif Inside
 security-level 100
 ip address 10.1.1.10 255.255.255.0

3. Inside server

IP: 10.1.1.8/24

GW: 10.1.1.10

IV. Static PAT port-range configuration

1. Define the host object and the port-range objects

object network Inside_Server
 host 10.1.1.8
object service tcp_ports
 service tcp destination range 1000 2000
object service udp_ports
 service udp destination range 2000 3000

2. Configure twice NAT

nat (outside,inside) source static any any destination static interface Inside_Server service tcp_ports tcp_ports
nat (outside,inside) source static any any destination static interface Inside_Server service udp_ports udp_ports

In twice NAT the mapped object comes first and the real object second: "destination static interface Inside_Server" translates the Outside interface address to the real server, and "service mapped_svc real_svc" does the same for the destination ports. Because the same service object is used on both sides here, the ranges actually configured are TCP 1000~2000 to 1000~2000 and UDP 2000~3000 to 2000~3000. To get the UDP 1000~2000 to 2000~3000 mapping described in the test idea, define a second service object with "service udp destination range 1000 2000" for the real ports and reference it as "service udp_ports udp_real", with the ACL below adjusted to the real ports 1000~2000.

3. Configure and apply the access policy

access-list Outside extended permit tcp any object Inside_Server range 1000 2000
access-list Outside extended permit udp any object Inside_Server range 2000 3000
access-group Outside in interface Outside

Since ASA 8.3 access lists are matched against the real (untranslated) destination address and port, so the ranges above are the server's real ports, not the ports exposed on the Outside interface.
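To make the mapped/real ordering and the port-conflict rule concrete, here is an added example (not the page's code) that generates the same shape of configuration as steps 1 to 3 from a list of port mappings. It creates a separate real-port service object whenever the real and mapped ranges differ, writes the ACL against the real ports, rejects plans in which two mappings of the same protocol claim the same interface ports, and warns about identical mapped ranges under different protocols, which the page reports ASA 8.4(2) refused with "NAT unable to reserve ports". The object names, the interface names written as "Outside"/"Inside" and the warning rule are assumptions of this example.

```python
"""Generate ASA 8.3+ static PAT port-range configuration from a mapping plan.

Added example, not the original page's code. Object naming, interface-name
capitalisation and the cross-protocol warning rule are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PortMap:
    proto: str          # "tcp" or "udp"
    real_first: int     # range on the Inside server (real ports)
    real_last: int
    mapped_first: int   # range exposed on the Outside interface (mapped ports)
    mapped_last: int

    def __post_init__(self):
        if self.proto not in ("tcp", "udp"):
            raise ValueError("proto must be tcp or udp")
        if self.real_last - self.real_first != self.mapped_last - self.mapped_first:
            raise ValueError("real and mapped ranges must be the same size")

    @property
    def same_ports(self):
        return (self.real_first, self.real_last) == (self.mapped_first, self.mapped_last)


def _intersects(a, b):
    return a.mapped_first <= b.mapped_last and b.mapped_first <= a.mapped_last


def port_conflicts(maps):
    """Definite conflicts: same protocol, intersecting mapped ranges. One interface port of
    one protocol can be reserved for only a single real destination port."""
    return [(a, b) for i, a in enumerate(maps) for b in maps[i + 1:]
            if a.proto == b.proto and _intersects(a, b)]


def port_warnings(maps):
    """Likely conflicts: identical mapped ranges under different protocols, which the page
    reports ASA 8.4(2) also rejected with 'ERROR: NAT unable to reserve ports'."""
    return [(a, b) for i, a in enumerate(maps) for b in maps[i + 1:]
            if a.proto != b.proto
            and (a.mapped_first, a.mapped_last) == (b.mapped_first, b.mapped_last)]


def render_config(server_ip, maps, obj="Inside_Server", outside="Outside", inside="Inside", acl="Outside"):
    """Return the configuration as one string; raise ValueError on a definite port conflict."""
    clashes = port_conflicts(maps)
    if clashes:
        a, b = clashes[0]
        raise ValueError(f"{a.proto} {a.mapped_first}-{a.mapped_last} and {b.proto} "
                         f"{b.mapped_first}-{b.mapped_last} overlap on the {outside} interface")
    objects = [f"object network {obj}", f" host {server_ip}"]
    nat, acls = [], []
    for m in maps:
        real = f"{m.proto}_real_{m.real_first}_{m.real_last}"
        objects += [f"object service {real}",
                    f" service {m.proto} destination range {m.real_first} {m.real_last}"]
        if m.same_ports:
            mapped = real  # one object on both sides, as on the page
        else:
            mapped = f"{m.proto}_mapped_{m.mapped_first}_{m.mapped_last}"
            objects += [f"object service {mapped}",
                        f" service {m.proto} destination range {m.mapped_first} {m.mapped_last}"]
        # twice NAT: mapped object first, real object second (destination and service alike)
        nat.append(f"nat ({outside},{inside}) source static any any "
                   f"destination static interface {obj} service {mapped} {real}")
        # 8.3+ ACLs match the real (untranslated) destination ports
        acls.append(f"access-list {acl} extended permit {m.proto} any object {obj} "
                    f"range {m.real_first} {m.real_last}")
    acls.append(f"access-group {acl} in interface {outside}")
    return "\n".join(objects + nat + acls)


# The page's test plan: TCP 1000~2000 unchanged, UDP 1000~2000 exposed as 2000~3000.
PAGE_PLAN = [PortMap("tcp", 1000, 2000, 1000, 2000),
             PortMap("udp", 1000, 2000, 2000, 3000)]

if __name__ == "__main__":
    print(render_config("10.1.1.8", PAGE_PLAN))
```

Feed the output to the ASA line by line; for the page's plan it yields the page's TCP rule unchanged and a UDP rule with distinct real and mapped service objects, while a plan that reuses TCP 1000~2000 for UDP shows up in port_warnings() before anything is typed into the firewall.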

4. Test verification

- This can be verified in several ways. If setting up the static port-translation tool is too much trouble, capture packets directly and compare the ports on both sides of the firewall, for example with the ASA capture command on the Outside and Inside interfaces; show xlate and show nat detail additionally confirm which translations exist and how many hits each rule has received.
