pix 6.3.5 forwarding a range of ports to internal IP

Unanswered Question
Jan 9th, 2007

I have a pix with one static outside IP address and have been asked to forward a whole bunch of UDP and TCP ports to an internal (natted) IP address. I have done static mappings before but only for single port numbers.


Below are the ranges of ports to forward:

qsig 4029 tcp

qsig1 6400-8191 tcp

ras 1718-1719 udp (already in fixup)

rtp/rtcp 1500-1503 udp

megaco+ 2944 tcp

rtp/rtcp1 16384-16511 udp

rtp/rtp2 20480-24575 udp


Presumably I have to define these ranges in access lists, but is there a way of defining the static mapping to a name or "port object" group rather than writing out the mappings one line at a time for each port number?


cheers in advance


G

gordinho01 Tue, 01/09/2007 - 10:45

Thanks for the link. After doing a bit of research (bit new to port object grouping) I have created the following object groups:


object-group service qsig1_tcp tcp

port-object range 6400 8191

object-group service rtp_udp udp

port-object range 1500 1503

object-group service rtp1_udp udp

port-object range 16384 16511

object-group service rtp2_udp udp

port-object range 20992 24575

object-group service rtp3_udp udp

port-object range 20480 20991


Now I've added the following access-list lines:


access-list internet permit tcp any host object-group qsig1_tcp

access-list internet permit udp any host object-group rtp_udp

access-list internet permit udp any host object-group rtp1_udp

access-list internet permit udp any host object-group rtp2_udp

access-list internet permit udp any host object-group rtp3_udp


But now I'm stuck with respect to mapping the object-groups to the natted LAN IP.


Any ideas?
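Before tying object groups to a static, it is worth checking that the groups actually open exactly the ports that were requested and nothing more. The following is an added example written for this thread, not configuration or code from the poster or from Cisco: it parses PIX 6.3-style `object-group service` / `port-object` lines (the groups posted above, retyped inline), compares them with the port ranges from the original question, and reports both uncovered required ports and any ports the groups would expose beyond the request. The `ras 1718-1719 udp` entry is left out of the required list because the poster notes it is already handled by the fixup.

```python
"""Audit PIX 6.3-style service object groups against a required port list.

Added illustration for the thread above: the object groups are the poster's,
retyped inline; the required ranges come from the first post.
"""
import re
from collections import defaultdict

# Constructed inline copy of the object groups posted in the thread.
PIX_CONFIG = """\
object-group service qsig1_tcp tcp
 port-object range 6400 8191
object-group service rtp_udp udp
 port-object range 1500 1503
object-group service rtp1_udp udp
 port-object range 16384 16511
object-group service rtp2_udp udp
 port-object range 20992 24575
object-group service rtp3_udp udp
 port-object range 20480 20991
"""

# Required ranges from the question: (name, protocol, first port, last port).
# ras 1718-1719 udp is omitted because the poster says it is already in fixup.
REQUIRED = [
    ("qsig", "tcp", 4029, 4029),
    ("qsig1", "tcp", 6400, 8191),
    ("rtp/rtcp", "udp", 1500, 1503),
    ("megaco+", "tcp", 2944, 2944),
    ("rtp/rtcp1", "udp", 16384, 16511),
    ("rtp/rtp2", "udp", 20480, 24575),
]

GROUP_RE = re.compile(r"^object-group service (\S+) (tcp|udp|tcp-udp)$")
RANGE_RE = re.compile(r"^port-object range (\d+) (\d+)$")
EQ_RE = re.compile(r"^port-object eq (\d+)$")


def parse_service_groups(text):
    """Return {group_name: (protocol, set_of_ports)} from object-group lines."""
    groups = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = GROUP_RE.match(line)
        if m:
            current = m.group(1)
            groups[current] = (m.group(2), set())
            continue
        if current is None:
            raise ValueError(f"port-object before any object-group: {line!r}")
        m = RANGE_RE.match(line)
        if m:
            lo, hi = int(m.group(1)), int(m.group(2))
            if not 1 <= lo <= hi <= 65535:
                raise ValueError(f"bad port range in {current}: {line!r}")
            groups[current][1].update(range(lo, hi + 1))
            continue
        m = EQ_RE.match(line)
        if m:
            groups[current][1].add(int(m.group(1)))
            continue
        raise ValueError(f"unrecognised line: {line!r}")
    return groups


def ports_by_proto(groups):
    """Merge all groups into {protocol: set_of_ports}; tcp-udp counts for both."""
    by_proto = defaultdict(set)
    for proto, ports in groups.values():
        for p in (("tcp", "udp") if proto == "tcp-udp" else (proto,)):
            by_proto[p] |= ports
    return by_proto


def to_ranges(ports):
    """Collapse a set of ports into sorted (lo, hi) tuples for readable output."""
    out = []
    for p in sorted(ports):
        if out and out[-1][1] == p - 1:
            out[-1] = (out[-1][0], p)
        else:
            out.append((p, p))
    return out


def audit(config_text, required):
    """Return (missing, extra).

    missing: [(name, proto, [(lo, hi), ...])] for required ports no group opens.
    extra:   {proto: [(lo, hi), ...]} for opened ports nobody asked for.
    """
    opened = ports_by_proto(parse_service_groups(config_text))
    wanted = defaultdict(set)
    missing = []
    for name, proto, lo, hi in required:
        need = set(range(lo, hi + 1))
        wanted[proto] |= need
        gap = need - opened.get(proto, set())
        if gap:
            missing.append((name, proto, to_ranges(gap)))
    extra = {proto: to_ranges(ports - wanted[proto])
             for proto, ports in opened.items() if ports - wanted[proto]}
    return missing, extra


if __name__ == "__main__":
    missing, extra = audit(PIX_CONFIG, REQUIRED)
    for name, proto, gaps in missing:
        print(f"NOT COVERED: {name} {proto} {gaps}")
    for proto, ranges in extra.items():
        print(f"OPENED BUT NOT REQUESTED: {proto} {ranges}")
    if not missing and not extra:
        print("object groups match the request exactly")
```

Run against the thread's groups, the audit reports only the two single TCP ports (4029 and 2944) as not covered by any group, which matches the poster's later note that those are already handled by individual `static` lines, and it confirms that the split rtp2/rtp3 groups together cover 20480-24575 without opening anything extra.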

gordinho01 Tue, 01/09/2007 - 11:29

Thanks for replying. I am unsure as to the implication of adding that line.


"static (inside,outside) tcp 1.1.1.1 640 access-list (name)"


The pix in question already has a bunch of static mappings to other internal/natted IPs, and the access list "internet" also covers these outside-to-inside permits.


----

static (inside,outside) tcp interface ftp-data 192.168.2.253 ftp-data netmask 255.255.255.255 0 0

static (inside,outside) tcp interface ftp 192.168.2.253 ftp netmask 255.255.255.255 0 0

static (inside,outside) udp interface snmp 192.168.2.253 snmp netmask 255.255.255.255 0 0

static (inside,outside) udp interface snmptrap 192.168.2.253 snmptrap netmask 255.255.255.255 0 0

static (inside,outside) tcp interface 2944 192.168.2.251 2944 netmask 255.255.255.255 0 0

static (inside,outside) tcp interface 4029 192.168.2.251 4029 netmask 255.255.255.255 0 0

--------

gordinho01 Fri, 01/12/2007 - 04:36

Thanks for taking the time to look at this. The client gave me a second external IP I could define on the pix in a static + access list, so I just forwarded all those object groups... bit of a cop-out, I know... thanks anyway.


G
