01-09-2007 08:14 AM - edited 03-11-2019 02:17 AM
I have a pix with one static outside IP address and have been asked to forward a whole bunch of UDP and TCP to an internal (natted) IP address. I have done static mappings before but for only single port numbers.
Below is the range of ports to forward
qsig 4029 tcp
qsig1 6400-8191 tcp
ras 1718-1719 udp (already in fixup)
rtp/rtcp 1500-1503 udp
megaco+ 2944 tcp
rtp/rtcp1 16384-16511 udp
rtp/rtp2 20480-24575 udp
Presumably I have to define these ranges in access lists, but is there a way of defining the static mapping to a name or "port object" group rather than writing out the mappings one line at a time for each port number?
cheers in advance
G
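Since the thread ends without a way to reference a port group from a static, here is an added helper (not from the thread or from Cisco) that expands the port table above into the one-static-per-port syntax the poster already uses further down, after checking port bounds and overlapping ranges. It assumes the internal host 192.168.2.251 and "interface" as the mapped address, as in the poster's existing statics.

```python
"""Expand a port-forward table into per-port PIX 6.x 'static' lines."""

# Constructed from the port table in the post. RAS is left out because the
# poster notes it is already handled by fixup (an assumption about intent).
FORWARDS = [
    ("qsig", "tcp", 4029, 4029),
    ("qsig1", "tcp", 6400, 8191),
    ("rtp/rtcp", "udp", 1500, 1503),
    ("megaco+", "tcp", 2944, 2944),
    ("rtp/rtcp1", "udp", 16384, 16511),
    ("rtp/rtp2", "udp", 20480, 24575),
]


def validate(entries):
    """Reject bad input before it becomes config: protocol, port bounds,
    low <= high, and overlapping ranges within one protocol (an overlap
    would emit two statics for the same mapped port, which the PIX rejects)."""
    seen = {"tcp": [], "udp": []}
    for name, proto, lo, hi in entries:
        if proto not in seen:
            raise ValueError(f"{name}: unknown protocol {proto!r}")
        if not (1 <= lo <= hi <= 65535):
            raise ValueError(f"{name}: bad port range {lo}-{hi}")
        for other_lo, other_hi in seen[proto]:
            if lo <= other_hi and other_lo <= hi:
                raise ValueError(
                    f"{name}: {proto} {lo}-{hi} overlaps {other_lo}-{other_hi}")
        seen[proto].append((lo, hi))


def static_lines(entries, inside_ip, mapped="interface"):
    """One 'static (inside,outside) <proto> <mapped> <port> <real_ip> <port>'
    line per port, in the same form as the statics quoted in the thread."""
    validate(entries)
    lines = []
    for _name, proto, lo, hi in entries:
        for port in range(lo, hi + 1):
            lines.append(f"static (inside,outside) {proto} {mapped} {port} "
                         f"{inside_ip} {port} netmask 255.255.255.255 0 0")
    return lines


def line_count(entries):
    """How many statics the table expands to; useful before pasting."""
    return sum(hi - lo + 1 for _, _, lo, hi in entries)


if __name__ == "__main__":
    print("\n".join(static_lines(FORWARDS, "192.168.2.251")))
```

The count for this table is 6022 statics, which is why a spare public IP with a single 1:1 static (the route the poster eventually took) is usually the more manageable option on a PIX of that era.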
01-09-2007 08:21 AM
Sure, you can use a port object name for each static entry.
http://cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804708b4.shtml#t10
01-09-2007 10:45 AM
Thanks for the link. After doing a bit of research (I'm a bit new to port object grouping) I have created the following object groups:
object-group service qsig1_tcp tcp
port-object range 6400 8191
object-group service rtp_udp udp
port-object range 1500 1503
object-group service rtp1_udp udp
port-object range 16384 16511
object-group service rtp2_udp udp
port-object range 20992 24575
object-group service rtp3_udp udp
port-object range 20480 20991
Now I've added the following access-list lines:
access-list internet permit tcp any host
access-list internet permit udp any host
access-list internet permit udp any host
access-list internet permit udp any host
access-list internet permit udp any host
But now I'm stuck with respect to mapping the object-group to the NATted LAN IP.
Any ideas?
01-09-2007 11:00 AM
static (inside,outside) tcp 1.1.1.1 640 access-list (name)
01-09-2007 11:29 AM
Thanks for replying. I am unsure as to the implication of adding that line.
"static (inside,outside) tcp 1.1.1.1 640 access-list (name)"
The PIX in question already has a bunch of static mappings to other internal/NATted IPs, and the access list "internet" also covers these outside-to-inside permits.
----
static (inside,outside) tcp interface ftp-data 192.168.2.253 ftp-data netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp 192.168.2.253 ftp netmask 255.255.255.255 0 0
static (inside,outside) udp interface snmp 192.168.2.253 snmp netmask 255.255.255.255 0 0
static (inside,outside) udp interface snmptrap 192.168.2.253 snmptrap netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 2944 192.168.2.251 2944 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 4029 192.168.2.251 4029 netmask 255.255.255.255 0 0
--------
01-09-2007 11:40 AM
This would allow you to apply the objects in the access-list to the static map.
01-12-2007 04:36 AM
Thanks for taking the time to look at this. The client gave me a second external IP I could define on the PIX in a static + access list, so I just forwarded all those object groups... bit of a cop-out, I know... thanks anyway.
G
02-15-2007 01:24 PM
I am having the same issue. How did you link static map to access list and group objects?
Thanks!