JORGE RODRIGUEZ Mon, 08/06/2007 - 07:27

Yes, it is possible.


Here is an example of a port range, accessing an inside host from the outside.


Three steps:

1- Create one-to-one static NAT for inside host

2- Create object group with port range

3- Create access list and apply to outside interface.



For the sake of example, 10.10.10.1 is a host on your inside interface, and 20.20.20.1 is the NATed address for 10.10.10.1 coming from the outside interface.


1- Create static NAT

static (inside,outside) 20.20.20.1 10.10.10.1 netmask 255.255.255.255 0 0


2- Create object group

Example creating a TCP port range of 4000 to 4500:



object-group service TEST tcp

port-object range 4000 4500



3- Create access-list and apply to outside interface.


Example creating an access list applying the port range, any host outside accessing 20.20.20.1:


access-list outside_access_in permit tcp any host 20.20.20.1 object-group TEST

access-group outside_access_in in interface outside



HTH


Jorge

srue Mon, 08/06/2007 - 09:37

Here's an example where you need to translate ports 1024-1030, for example, and 25 and 80. The internal host is 192.168.1.1; the external address will be 31.1.1.1.

access-list 101 permit tcp host 192.168.1.1 range 1024 1030 any

access-list 101 permit tcp host 192.168.1.1 eq 25 any

access-list 101 permit tcp host 192.168.1.1 eq 80 any

static (inside,outside) 31.1.1.1 access-list 101


To translate a different inside host to another port with the same external address not previously listed, simply add another ACL entry:

access-list 101 permit tcp host 192.168.1.2 eq 443 any


From here, you can add your normal inbound ACLs to the external interface permitting access to these ports.


Note: you could use object-groups to reduce the size of the ACL.


Alternatively, you could have used port redirection, aka static PAT. IMHO the method above scales better, especially since you needed a range of ports translated, but that's just a personal preference.


http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804708b4.shtml

srue Mon, 08/06/2007 - 10:21

I tried testing my above config on a 7.2(2) PIX and it didn't work... Looks like you might just have to do static PAT entries for each port number in your range.

So much for my grand ideas.

a.liotych Tue, 08/07/2007 - 00:37

I've tried to do as you say. I've got an error!!

access-list 101 permit tcp host 192.168.1.1 range 1024 1030 any

static (inside,outside) 31.1.1.1 access-list 101

ERROR: access-list port specifies a range


srue Tue, 08/07/2007 - 02:52

I tried it too... While it accepted all the commands, it didn't actually work properly.

What version PIX are you running?

a.liotych Thu, 08/09/2007 - 05:11

access-list 101 permit tcp host 192.168.1.1 range 1024 1030 any

static (inside,outside) 217.21.54.103 access-list 101

ERROR: access-list port specifies a range
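The error a.liotych hits above, and the per-port static PAT fallback srue mentions, as an added Python example that is not part of this thread: it parses a constructed sample config, flags a policy static whose ACL carries a port range before the config reaches the firewall, and expands the ACL entries into one static PAT line per port. The `static (real,mapped) tcp mapped_ip port real_ip port netmask ...` shape is assumed from PIX 7.x static PAT syntax, and the regexes only cover the ACL forms used in this thread.

```python
import re

# Constructed sample, modelled on the config attempted in this thread
# (hypothetical input, not a capture from anyone's firewall).
SAMPLE_CONFIG = """
access-list 101 permit tcp host 192.168.1.1 range 1024 1030 any
access-list 101 permit tcp host 192.168.1.1 eq 25 any
access-list 101 permit tcp host 192.168.1.1 eq 80 any
static (inside,outside) 31.1.1.1 access-list 101
"""

# Only the ACL shapes used in the thread: "host A (range lo hi | eq p) any".
ACL_RE = re.compile(
    r"^access-list (\S+) permit (tcp|udp) host (\S+) (range (\d+) (\d+)|eq (\d+)) any$")
POLICY_STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) access-list (\S+)$")

def parse_acls(config):
    """Map ACL name -> [(proto, host, low, high)]; an 'eq' port is a one-port range."""
    acls = {}
    for raw in config.strip().splitlines():
        m = ACL_RE.match(raw.strip())
        if m:
            name, proto, host, _, lo, hi, eq = m.groups()
            lo_p, hi_p = (int(lo), int(hi)) if lo else (int(eq), int(eq))
            acls.setdefault(name, []).append((proto, host, lo_p, hi_p))
    return acls

def lint_policy_statics(config):
    """Flag policy statics whose ACL has a port range, the condition the PIX rejected."""
    acls = parse_acls(config)
    findings = []
    for raw in config.strip().splitlines():
        m = POLICY_STATIC_RE.match(raw.strip())
        if not m:
            continue
        acl = m.group(4)
        for proto, host, lo, hi in acls.get(acl, []):
            if lo != hi:
                findings.append(f"{raw.strip()}: access-list {acl} port specifies a "
                                f"range ({proto} {host} {lo}-{hi})")
    return findings

def expand_static_pat(real_ifc, mapped_ifc, mapped_ip, entries):
    """One static PAT line per port: the per-port workaround the thread settles on (assumed syntax)."""
    return [f"static ({real_ifc},{mapped_ifc}) {proto} {mapped_ip} {p} {host} {p} "
            f"netmask 255.255.255.255"
            for proto, host, lo, hi in entries for p in range(lo, hi + 1)]
```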

rigoberto.cintr... Thu, 08/09/2007 - 05:36

Just create a new access-list with the host and port range you want applied to the outside interface.
