Pix 506e 6.1(4) and range of udp ports

rogervanstone · ‎02-12-2009

Hi all,

I think i know the answer to this but i will try anyway, i support a pix 506e ver 6.1(4) (yes i know its old), which has been fine for what it needs to do for the last several years. However i now need to open a range of ports to a host on the internal network. I know how to setup a mapping for a small number of ports ( i use access-lists and static in,out) however i cannot see if there is a way to include a range of ports in the static command. Is this possible ?. If not is there another way that could be used. Ive used the range command in the access-list but cannot see how to tie this into a static command. There is no current maintenance on this pix.

I can provide a listing if required. I've done a google for various ideas but nothing comes up apart from the obvious upgrade solution.

Ivan Martinon · ‎02-12-2009

Unfortunately, note even upgrading your pix will your be able to tie a range or ports to a single static entry. You will need to use static port mapping for each of the ports on the range.

rogervanstone · ‎02-12-2009

Thanks for the reply. I'm not sure i fully understand it though. There must be a way of port forwarding a range of ports other than by access-list and static mapping to particular internal hosts. I know pix ver 6.3 has object-groups (?) that can be used. All i want to do is portward a very large number of ports to one particular host (in the order of 10000).

Ivan Martinon · ‎02-12-2009

Sorry, I wish I could give you anonther answer, there is no way to do a port forward via a static for a range of ports other than adding each port with the static port map:

http://www.cisco.com/en/US/docs/security/pix/pix61/command/reference/s.html#wp1026694

Your best option would be to just create a one to one translation which will cover all of the ports in the range