10-01-2009 10:13 AM - edited 03-11-2019 09:22 AM
Hello,
I am trying to replace a Linksys WRT54G with an ASA 5505.
I am trying to replicate the port forwarding of ranges (UDP/TCP) to specific hosts that is offered by the Linksys product.
I have been searching via Google and this forum for answers to how to solve this issue. I found this post and it looked promising:
-----------------------------------------------
static (inside,outside) interface access-list Range1
static (inside,outside) interface access-list Range2
access-list Range1 permit udp host 192.168.1.239 any range 5060 5069
access-list Range2 permit tcp host 192.168.1.239 any range 32000 32999
-----------------------------------------------
However, my ASA 5505 returns an error when I try this. The error message is as follows:
ERROR: Protocol mismatch between static and access-list.
Has anyone tried to solve this issue before? What does the error message mean, and how do I achieve the port forwarding of ranges?
Thanks for your help.
10-01-2009 03:31 PM
Try this:
access-list Range1 permit udp host 192.168.1.239 any range 5060 5069
access-list Range1 permit tcp host 192.168.1.239 any range 32000 32999
static (inside,outside) interface access-list Range1
Seemed to work OK on my test ASA5505. Well, the command worked; I didn't pass traffic over it to test that....
10-01-2009 03:54 PM
What license type is on your ASA-5505? I have a base license.
When I entered the static(inside,outside) interface access-list Range1 command I still get the error:
WARNING: All traffic destined to the IP address of the outside interface is being redirected.
WARNING: Users will not be able to access any service enabled on the outside interface.
ERROR: Protocol mismatch between the static and access-list
Thanks.
10-01-2009 08:57 PM
I'm using 7.2.3 Base license.
Make sure you've removed the other old static that you had configured. You can't have 2 of them configured at the same time. You need to just have the one that you're trying to get to work set up.
10-02-2009 08:39 AM
There can be only one static (inside,outside) entry on the ASA 5505 at a time?
I have also noticed you can only have one access-group applied to the same interface in the same direction at a time. Is this observation also true?
In all the posts I have run across while searching how to port forward ranges, the common factor seems to be creating an access-list that permits the traffic and then performing static PAT to perform the translation. Are the access lists that permit the inbound traffic different than the access-lists for the static PAT?
Thanks.
10-02-2009 12:48 PM
You can have multiple statics, but you cannot have multiple statics pointing to the same internal host.
You can enter the commands above in 7.x code, but not 8.x code. I just tested both versions and I only get the Protocol mismatch error in 8.x code. You might want to open a TAC case and have them help you. We would certainly appreciate it if you could post a working config when done!
10-02-2009 01:07 PM
I have also noticed you can only have one access-group applied to the same interface in the same direction at a time. Is this observation also true?
Yes this is correct.
10-02-2009 01:12 PM
Collin,
Thanks for your help. I am running the 8.x code. Are you stating that only the 7.x code supports the static commands given in the example?
I will open a TAC case and see if I can get some help coming up with a solution.