Port Forwarding Ranges on ASA 5505

Oct 1st, 2009

Hello,

I am trying to replace a Linksys WRT54G with an ASA 5505.

I am trying to replicate the port forwarding of ranges (UDP/TCP) to specific hosts that is offered by the Linksys product.

I have been searching via Google and this forum for answers to how to solve this issue. I found this post and it looked promising:

-----------------------------------------------

static (inside,outside) interface access-list Range1

static (inside,outside) interface access-list Range2

access-list Range1 permit udp host 192.168.1.239 any range 5060 5069

access-list Range2 permit tcp host 192.168.1.239 any range 32000 32999

-----------------------------------------------

However, my ASA 5505 returns an error when I try this. The error message is as follows:

ERROR: Protocol mismatch between static and access-list.

Has anyone tried to solve this issue before? What does the error message mean, and how do I achieve the port forwarding of ranges?

Thanks for your help.

lusbyr Thu, 10/01/2009 - 15:54

What license type is on your ASA-5505? I have a base license.

When I entered the static(inside,outside) interface access-list Range1 command I still get the error:

WARNING: All traffic destined to the IP address of the outside interface is being redirected.

WARNING: Users will not be able to access any service enabled on the outside interface.

ERROR: Protocol mismatch between the static and access-list

Thanks.

lusbyr Fri, 10/02/2009 - 08:39

There can be only one static (inside,outside) entry on the ASA 5505 at a time?

I have also noticed you can only have one access-group applied to the same interface in the same direction at a time. Is this observation also true?

In all the posts I have run across while searching how to port forward ranges, the common factor seems to be creating an access-list that permits the traffic and then performing static PAT to perform the translation. Are the access lists that permit the inbound traffic different than the access-lists for the static PAT?

Thanks.

Collin Clark Fri, 10/02/2009 - 12:48

You can have multiple statics, but you can not have multiple statics pointing to the same internal host.

You can enter the commands above in 7.x code, but not 8.x code. I just tested both versions and I only get the Protocol mismatch error in 8.x code. You might want to open a TAC case and have them help you. We would certainly appreciate it if you could post a working config when done!

Collin Clark Fri, 10/02/2009 - 13:07

I have also noticed you can only have one access-group applied to the same interface in the same direction at a time. Is this observation also true?

Yes this is correct.

lusbyr Fri, 10/02/2009 - 13:12

Collin,

Thanks for your help. I am running the 8.x code. Are you stating that only the 7.x code supports the static commands given in the example?

I will open a TAC case and see if I can get some help coming up with a solution.
