Cisco ASA 8.4+ redirect multiple ports - best practice?

Question

I was wondering whether anyone could advice on best practices as to the best way to redirect multiple ports for single host in the internal network.

As I understand this you can only nat a single port per object. This caused a bit of a litter around in a config as I have to specify individual objects for the same host (IP) to redirect individual ports.

It looks as follows:

object network ratatouille-4569
 nat (inside,outside) static interface service udp 4569 4569 
object network ratatouille-ssh
 nat (inside,outside) static interface service tcp ssh ssh 

Now this approach have few obvious problems (especially if you've more complex/more rules) eg. if you need to change that internal host's IP address, you've to do this for each object individually.

In this specific case, I have 7 ports to redirect to this specific host.

I'd appreciate any advice about best-practice as how to do this.

Answer 1

It's imposible. You need to either specify each of the mapped ports manually or just set up a regular static NAT for all the TCP / UDP ports:

object network ratatouille
 nat (inside,outside) static interface

Answer 2

... and control desired ports with ACL assigned to outside interface

access-list ratatouille-port-control permit tcp any host ratatouille.inside.IP eq 22 access-list ratatouille-port-control permit tcp any host ratatouille.inside.IP eq 4569 access-list ratatouille-port-control permit tcp any host ratatouille.inside.IP eq 8080 access-group ratatouille-port-control outside in