New Member

Port forward a range on a PIX520

I am trying to forward 2 ranges of ports from my outside interface IP to a host on the inside interface. The outside interface is NATted so that all inside hosts use its single IP for general use.

I have 2 ranges, 5096 - 5099 and 17300 - 17440, to forward to one host. I can create a service group object with the ranges in it, but I can't seem to find the right syntax or method to use it in the access-list and static command.

Thanks for any help.

6 REPLIES
New Member

Re: Port forward a range on a PIX520

What IOS version are you running?

New Member

Re: Port forward a range on a PIX520

Use the following syntax:

access-list TEST permit tcp host x.x.x.x eq range 5096 5099 host y.y.y.y eq range 5096 5099

access-list TEST permit tcp host x.x.x.x eq range 17300 17440 host y.y.y.y eq range 17300 17440

New Member

Re: Port forward a range on a PIX520

Hi, Just tried that and it doesn't like the "range" option.

I have tried :

access-list test permit udp x.x.x.x eq range 5096 5099 host x.x.x.x eq range 5096 5099

It just reports an error of " Invalid Port Range"

New Member

Re: Port forward a range on a PIX520

The PDM says it's PIX version 6.3(5) and PDM Version 3.0(4). I think that's the latest one for the PIX520, as V7 is not supported on it.

New Member

Re: Port forward a range on a PIX520

Try this:

access-list TEST permit tcp any host x.x.x.x eq 50960-5099

access-list TEST permit tcp any host x.x.x.x eq 17300-17440

** Where x.x.x.x is the real IP of the inside host.

You will also have to have static commands like this:

static (inside, outside) tcp interface 5096 x.x.x.x 5096 netmask 255.255.255.255

static (inside, outside) tcp interface 5097 x.x.x.x 5097 netmask 255.255.255.255

static (inside, outside) tcp interface 5098 x.x.x.x 5098 netmask 255.255.255.255

static (inside, outside) tcp interface 5099 x.x.x.x 5099 netmask 255.255.255.255

Then apply this access-list on the outside interface of the PIX:

access-group TEST in interface outside

** Static command does not have any format to apply the ports as a range. It has to be done individually for all the ports in the range.
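
The note above means one static line per port, which for the two ranges in the question comes to 145 entries. A small generator for those lines, as an added example that is not part of the original thread; the command template follows the static lines in the reply, and the inside host 10.0.0.10 is a constructed sample value.

```python
# Added example: expand port ranges into one PIX "static" line per port.
# The command template follows the static lines in the reply above; the
# inside host address used below is a constructed sample value.
import sys


def parse_range(spec):
    """Turn '5096-5099' (or a single port like '5096') into (low, high)."""
    low, _, high = spec.partition("-")
    low, high = int(low), int(high or low)
    if not (1 <= low <= high <= 65535):
        raise ValueError(f"invalid port range: {spec!r}")
    return low, high


def expand_ports(specs):
    """Return the sorted, de-duplicated list of ports covered by the specs."""
    ports = set()
    for spec in specs:
        low, high = parse_range(spec)
        ports.update(range(low, high + 1))
    return sorted(ports)


def static_lines(specs, inside_host, proto="tcp"):
    """One port-redirection static per port, mapped port == real port."""
    if proto not in ("tcp", "udp"):
        raise ValueError("proto must be tcp or udp")
    return [
        f"static (inside,outside) {proto} interface {port} "
        f"{inside_host} {port} netmask 255.255.255.255"
        for port in expand_ports(specs)
    ]


if __name__ == "__main__":
    # Ranges from the original question; 10.0.0.10 is a constructed host.
    lines = static_lines(["5096-5099", "17300-17440"], "10.0.0.10")
    print("\n".join(lines))
    # The count goes to stderr so it is not pasted into the firewall config.
    print(f"{len(lines)} static entries generated", file=sys.stderr)
```

Overlapping ranges are collapsed, so each exposed port appears exactly once and the entry count equals the number of ports opened to the inside host.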

New Member

Re: Port forward a range on a PIX520

Read the first line in my earlier post as :

access-list TEST permit tcp any host x.x.x.x eq 5096-5099

Sorry for the typo.
