New Member

Port Forwarding Ranges on ASA 5505

Hello,

I am trying to replace a Linksys WRT54G with an ASA 5505.

I am trying to replicate the port forwarding of ranges (UDP/TCP) to specific hosts that is offered by the Linksys product.

I have been searching via Google and this forum for answers to how to solve this issue. I found this post and it looked promising:

-----------------------------------------------

static (inside,outside) interface access-list Range1

static (inside,outside) interface access-list Range2

access-list Range1 permit udp host 192.168.1.239 any range 5060 5069

access-list Range2 permit tcp host 192.168.1.239 any range 32000 32999

-----------------------------------------------

However, my ASA 5505 returns an error when I try this. The error message is as follows:

ERROR: Protocol mismatch between static and access-list.

Has anyone tried to solve this issue before? What does the error message mean, and how do I achieve the port forwarding of ranges?

Thanks for your help.

7 REPLIES
New Member

Re: Port Forwarding Ranges on ASA 5505

Try this:

access-list Range1 permit udp host 192.168.1.239 any range 5060 5069

access-list Range1 permit tcp host 192.168.1.239 any range 32000 32999

static (inside,outside) interface access-list Range1

Seemed to work OK on my test ASA5505. Well, the command worked; I didn't pass traffic over it to test that....

New Member

Re: Port Forwarding Ranges on ASA 5505

What license type is on your ASA-5505? I have a base license.

When I entered the static (inside,outside) interface access-list Range1 command I still get the error:

WARNING: All traffic destined to the IP address of the outside interface is being redirected.

WARNING: Users will not be able to access any service enabled on the outside interface.

ERROR: Protocol mismatch between the static and access-list

Thanks.

New Member

Re: Port Forwarding Ranges on ASA 5505

I'm using 7.2.3 Base license.

Make sure you've removed the other old static that you had configured. You can't have 2 of them configured at the same time. You need to just have the one that you're trying to get to work set up.

New Member

Re: Port Forwarding Ranges on ASA 5505

There can be only one static (inside,outside) entry on the ASA 5505 at a time?

I have also noticed you can only have one access-group applied to the same interface in the same direction at a time. Is this observation also true?

In all the posts I have run across while searching how to port forward ranges, the common factor seems to be creating an access-list that permits the traffic and then performing static PAT to perform the translation. Are the access lists that permit the inbound traffic different than the access-lists for the static PAT?

Thanks.

Re: Port Forwarding Ranges on ASA 5505

You can have multiple statics, but you cannot have multiple statics pointing to the same internal host.

You can enter the commands above in 7.x code, but not 8.x code. I just tested both versions and I only get the Protocol mismatch error in 8.x code. You might want to open a TAC case and have them help you. We would certainly appreciate it if you could post a working config when done!

Re: Port Forwarding Ranges on ASA 5505

I have also noticed you can only have one access-group applied to the same interface in the same direction at a time. Is this observation also true?

Yes this is correct.

New Member

Re: Port Forwarding Ranges on ASA 5505

Collin,

Thanks for your help. I am running the 8.x code; are you stating that only the 7.x code supports the static commands given in the example?

I will open a TAC case and see if I can get some help coming up with a solution.
