Port forward a range on a PIX520

Apr 28th, 2008

I am trying to forward 2 ranges of ports from my outside interface IP to a host on the inside interface. The outside interface is NATted so that all inside hosts use its single IP for general use.


I have 2 ranges, 5096-5099 and 17300-17440, to forward to one host. I can create a service group object with the ranges in it, but I can't seem to find the right syntax or method to use it in the access-list and static commands.


Thanks for any help.


rkalia1 Mon, 04/28/2008 - 04:56

Use the following syntax:


access-list TEST permit tcp host x.x.x.x eq range 5096 5099 host y.y.y.y eq range 5096 5099


access-list TEST permit tcp host x.x.x.x eq range 17300 17440 host y.y.y.y eq range 17300 17440


deanwesthead Mon, 04/28/2008 - 05:45

Hi, just tried that and it doesn't like the "range" option.


I have tried:


access-list test permit udp x.x.x.x eq range 5096 5099 host x.x.x.x eq range 5096 5099


It just reports an error of "Invalid Port Range".



deanwesthead Mon, 04/28/2008 - 05:27

The PDM says it's PIX version 6.3(5) and PDM version 3.0(4). I think that's the latest one for the PIX520, as v7 is not supported on it.

rkalia1 Mon, 04/28/2008 - 06:27

Try this:


access-list TEST permit tcp any host x.x.x.x eq 50960-5099


access-list TEST permit tcp any host x.x.x.x eq 17300-17440

** Where x.x.x.x is the real IP of the inside host.

You will also have to have static commands like this:


static (inside, outside) tcp interface 5096 x.x.x.x 5096 netmask 255.255.255.255

static (inside, outside) tcp interface 5097 x.x.x.x 5097 netmask 255.255.255.255

static (inside, outside) tcp interface 5098 x.x.x.x 5098 netmask 255.255.255.255

static (inside, outside) tcp interface 5099 x.x.x.x 5099 netmask 255.255.255.255


Then apply this access-list on the outside interface of the PIX:


access-group TEST in interface outside


** The static command does not have any format to apply the ports as a range. It has to be done individually for all the ports in the range.


rkalia1 Mon, 04/28/2008 - 06:28

Read the first line in my earlier post as:


access-list TEST permit tcp any host x.x.x.x eq 5096-5099


Sorry for the typo.
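Since PIX 6.3 has no range form of static, the 17300-17440 range alone needs 141 separate lines, which is where hand-typed transpositions like 50960 creep in. The following is an added example, written for this page and not taken from the thread or from Cisco, that generates the full snippet from the two ranges, validates each range before emitting anything, and writes the access-list entries with the PIX 6.x range operator (range low high, one line per range). It assumes constructed addresses (inside host 10.0.0.5, outside interface 203.0.113.10) and the ACL name TEST from the replies above. The ACL destination is a separate parameter from the static's real address, because on PIX 6.x an inbound ACL on the outside interface is matched against the translated (global) address rather than the inside host's real IP; supply whichever address your unit expects.

```python
"""Emit PIX 6.3 port-forwarding configuration for whole port ranges.

'static' on PIX 6.3 forwards exactly one port per line, so each range is
expanded to one line per port. 'access-list' accepts the 'range <low> <high>'
operator, so each range becomes a single ACL entry.
"""

PORT_MIN, PORT_MAX = 1, 65535


def validate_range(low: int, high: int) -> None:
    """Reject a range the PIX would refuse: out-of-bounds ports (e.g. a
    fat-fingered 50960) or a start that is greater than the end."""
    for port in (low, high):
        if not PORT_MIN <= port <= PORT_MAX:
            raise ValueError(f"port {port} is outside {PORT_MIN}-{PORT_MAX}")
    if low > high:
        raise ValueError(f"range start {low} is greater than end {high}")


def static_lines(proto: str, real_ip: str, ranges) -> list:
    """One 'static' line per port: outside interface port -> inside host port."""
    lines = []
    for low, high in ranges:
        validate_range(low, high)
        for port in range(low, high + 1):
            lines.append(
                f"static (inside,outside) {proto} interface {port} "
                f"{real_ip} {port} netmask 255.255.255.255"
            )
    return lines


def acl_lines(acl_name: str, proto: str, mapped_ip: str, ranges,
              source: str = "any") -> list:
    """One ACL entry per range. mapped_ip is the address the inbound ACL is
    matched against (the outside interface IP on PIX 6.x). Narrow 'source'
    to the peers that actually need access whenever they are known."""
    lines = []
    for low, high in ranges:
        validate_range(low, high)
        lines.append(
            f"access-list {acl_name} permit {proto} {source} "
            f"host {mapped_ip} range {low} {high}"
        )
    return lines


def build_config(acl_name: str, proto: str, real_ip: str, mapped_ip: str,
                 ranges, source: str = "any") -> list:
    """Full snippet: statics, ACL entries, then the access-group binding."""
    return (
        static_lines(proto, real_ip, ranges)
        + acl_lines(acl_name, proto, mapped_ip, ranges, source)
        + [f"access-group {acl_name} in interface outside"]
    )


# Constructed sample values (not from the thread): inside host, outside IP,
# and the two ranges the question asks about.
REAL_IP = "10.0.0.5"
OUTSIDE_IP = "203.0.113.10"
RANGES = [(5096, 5099), (17300, 17440)]

if __name__ == "__main__":
    for line in build_config("TEST", "tcp", REAL_IP, OUTSIDE_IP, RANGES):
        print(line)
    try:
        validate_range(50960, 5099)   # the transposed value from the thread
    except ValueError as exc:
        print(f"! rejected: {exc}")
```

Pass proto="udp" for the UDP case tried earlier in the thread; both protocols need their own static and ACL lines if both are required. Replace the default source of "any" with the specific peer addresses when they are known, so the opened range is reachable only from where it must be.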
