pix 6.3.5 forwarding a range of ports to internal IP

gordinho01
Level 1

I have a pix with one static outside IP address and have been asked to forward a whole bunch of UDP and TCP to an internal (natted) IP address. I have done static mappings before but for only single port numbers.

Below is the range of ports to forward:

qsig 4029 tcp
qsig1 6400-8191 tcp
ras 1718-1719 udp (already in fixup)
rtp/rtcp 1500-1503 udp
megaco+ 2944 tcp
rtp/rtcp1 16384-16511 udp
rtp/rtp2 20480-24575 udp

Presumably I have to define these ranges in access lists, but is there a way of defining the static mapping to a name or "port object" group rather than writing out the mappings one line at a time for each port number?

cheers in advance

G

7 Replies

jim
Level 1

Thanks for the link. After doing a bit of research (bit new to port object grouping) I have created the following object groups:

object-group service qsig1_tcp tcp
  port-object range 6400 8191
object-group service rtp_udp udp
  port-object range 1500 1503
object-group service rtp1_udp udp
  port-object range 16384 16511
object-group service rtp2_udp udp
  port-object range 20992 24575
object-group service rtp3_udp udp
  port-object range 20480 20991

Now I've added the following access-list lines:

! <outside-ip> stands for the PIX's outside (mapped) address; "host" needs an address before the object-group
access-list internet permit tcp any host <outside-ip> object-group qsig1_tcp
access-list internet permit udp any host <outside-ip> object-group rtp_udp
access-list internet permit udp any host <outside-ip> object-group rtp1_udp
access-list internet permit udp any host <outside-ip> object-group rtp2_udp
access-list internet permit udp any host <outside-ip> object-group rtp3_udp

But now I'm stuck with respect to mapping the object-group to the natted LAN IP.

Any ideas?

static (inside,outside) tcp 1.1.1.1 640 access-list (name)

Thanks for replying. I am unsure as to the implication of adding that line.

"static (inside,outside) tcp 1.1.1.1 640 access-list (name)"

The PIX in question already has a bunch of static mappings to other internal/natted IPs, and the access list "internet" also covers those out-to-in permits.

----

static (inside,outside) tcp interface ftp-data 192.168.2.253 ftp-data netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp 192.168.2.253 ftp netmask 255.255.255.255 0 0
static (inside,outside) udp interface snmp 192.168.2.253 snmp netmask 255.255.255.255 0 0
static (inside,outside) udp interface snmptrap 192.168.2.253 snmptrap netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 2944 192.168.2.251 2944 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 4029 192.168.2.251 4029 netmask 255.255.255.255 0 0

--------

This would allow you to apply the objects in the access-list to the static map.
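As an added example (not from this thread or from Cisco), the script below takes the port table from the question and emits PIX 6.3 lines in the syntax the thread already uses: object-groups with port-object ranges, ACL entries whose destination is the mapped outside address, and one port static per port (6.3 port statics are single-port, so a range has to be expanded). It also rejects overlapping ranges on the same protocol and counts how many ports the plan actually exposes, which is the number worth reviewing before the config goes in. The inside host 192.168.2.251, the `interface` keyword and the ACL name `internet` are taken from the thread; `<outside-ip>` is a placeholder.

```python
from itertools import combinations

# Port plan from the question (constructed list; ras 1718-1719 omitted since it is
# already handled by fixup). Inside host and ACL name come from the thread.
SERVICES = [
    ("qsig", "tcp", 4029, 4029),
    ("qsig1", "tcp", 6400, 8191),
    ("rtp_rtcp", "udp", 1500, 1503),
    ("megaco", "tcp", 2944, 2944),
    ("rtp_rtcp1", "udp", 16384, 16511),
    ("rtp_rtcp2", "udp", 20480, 24575),
]

def overlaps(services):
    """Pairs of services whose port ranges collide on the same protocol."""
    return [(a[0], b[0]) for a, b in combinations(services, 2)
            if a[1] == b[1] and a[2] <= b[3] and b[2] <= a[3]]

def object_groups(services):
    """object-group service <name>_<proto> <proto> / port-object eq|range ..."""
    lines = []
    for name, proto, lo, hi in services:
        lines.append(f"object-group service {name}_{proto} {proto}")
        lines.append(f"  port-object eq {lo}" if lo == hi
                     else f"  port-object range {lo} {hi}")
    return lines

def acl_lines(services, acl, outside_ip):
    """Inbound ACL entries; destination is the mapped (outside) address."""
    return [f"access-list {acl} permit {p} any host {outside_ip} object-group {n}_{p}"
            for n, p, _, _ in services]

def static_lines(services, inside_ip):
    """PIX 6.3 port statics are one port per line, so expand every range."""
    return [f"static (inside,outside) {p} interface {port} {inside_ip} {port} "
            f"netmask 255.255.255.255 0 0"
            for _, p, lo, hi in services for port in range(lo, hi + 1)]

def build(services=SERVICES, acl="internet", outside_ip="<outside-ip>",
          inside_ip="192.168.2.251"):
    """Full line list, or ValueError if two ranges overlap on one protocol."""
    clash = overlaps(services)
    if clash:
        raise ValueError(f"overlapping ranges: {clash}")
    return (object_groups(services) + acl_lines(services, acl, outside_ip)
            + static_lines(services, inside_ip))

if __name__ == "__main__":
    cfg = build()
    print(f"{len(static_lines(SERVICES, '192.168.2.251'))} ports exposed, "
          f"{len(cfg)} config lines")
    print("\n".join(cfg[:18]))
```

Running it shows the plan expands to 6022 port statics for one inside host, which is the figure the second outside IP in the later reply sidesteps rather than reduces.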

Thanks for taking time to look at this. The client gave me a second external IP I could define on the PIX in a static + access list, so I just forwarded all those object groups... bit of a cop out I know... thanks anyway.

G

I am having the same issue. How did you link static map to access list and group objects?

Thanks!
