Using Static with port range

a.liotych
Level 1

I have a situation in which I need to use a port range with Static.

Is it possible?

8 Replies

JORGE RODRIGUEZ
Level 10

Yes, it is possible.

Here is an example of a port range, accessing an inside host from the outside.

Three steps:

1- Create one-to-one static NAT for the inside host

2- Create an object group with the port range

3- Create an access list and apply it to the outside interface.

For the sake of example, 10.10.10.1 is a host on your inside interface, and 20.20.20.1 is the NATed address for 10.10.10.1 coming from the outside interface.

1- Create the static NAT

static (inside,outside) 20.20.20.1 10.10.10.1 netmask 255.255.255.255 0 0

2- Create the object group

Example: creating a TCP port range of 4000 to 4500

object-group service TEST tcp

port-object range 4000 4500

3- Create the access-list and apply it to the outside interface.

Example: creating an access list applying the port range, any host outside accessing 20.20.20.1

access-list outside_access_in permit tcp any host 20.20.20.1 object-group TEST

access-group outside_access_in in interface outside

HTH

Jorge

Jorge Rodriguez

Here's an example where you need to translate ports 1024-1030, for example, and 25 and 80. The internal host is 192.168.1.1; the external address will be 31.1.1.1.

access-list 101 permit tcp host 192.168.1.1 range 1024 1030 any

access-list 101 permit tcp host 192.168.1.1 eq 25 any

access-list 101 permit tcp host 192.168.1.1 eq 80 any

static (inside,outside) 31.1.1.1 access-list 101

To translate a different inside host to another port with the same external address not previously listed, simply add another ACL entry:

access-list 101 permit tcp host 192.168.1.2 eq 443 any

From here, you can add your normal inbound ACLs to the external interface permitting access to these ports.

Note - you could use object-groups to reduce the size of the ACL.

Alternatively, you could have used port redirection, aka static PAT. IMHO the method above scales better, especially since you needed a range of ports translated, but that's just a personal preference.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804708b4.shtml

I tried testing my above config on a 7.2(2) PIX and it didn't work... looks like you might just have to do static PAT entries for each port number in your range.

So much for my grand ideas.
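The thread ends up at two facts: a policy static (`static ... access-list`) rejects an ACE that uses `range`, and the fallback is one static PAT entry per port. The following is an added example, not code from the thread or from Cisco: a small pre-push checker that parses the ACEs posted above, flags the ones a policy static would reject, and expands them into per-port static PAT lines. It assumes the PIX static PAT syntax `static (inside,outside) tcp <global_ip> <port> <local_ip> <port> netmask 255.255.255.255`, which is not shown on this page, and it handles only the `host ... eq|range ... any` ACE shape used in the thread.

```python
import re

# Constructed input (mirrors the thread): the ACL the PIX rejected with
# "ERROR: access-list port specifies a range", plus two single-port entries.
ACL_LINES = [
    "access-list 101 permit tcp host 192.168.1.1 range 1024 1030 any",
    "access-list 101 permit tcp host 192.168.1.1 eq 25 any",
    "access-list 101 permit tcp host 192.168.1.2 eq 443 any",
]

# Only the ACE shape used in the thread: host source, eq/range source port, any dest.
ACE_RE = re.compile(
    r"access-list\s+(?P<name>\S+)\s+permit\s+(?P<proto>tcp|udp)\s+"
    r"host\s+(?P<host>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?:eq\s+(?P<eq>\d+)|range\s+(?P<lo>\d+)\s+(?P<hi>\d+))\s+any$"
)


def parse_ace(line):
    """Return (proto, inside_host, first_port, last_port), or None if the line
    is not a TCP/UDP source-port ACE of the shape handled here."""
    m = ACE_RE.match(line.strip())
    if not m:
        return None
    if m.group("eq"):
        port = int(m.group("eq"))
        return m.group("proto"), m.group("host"), port, port
    return m.group("proto"), m.group("host"), int(m.group("lo")), int(m.group("hi"))


def range_aces(lines):
    """ACEs that a policy static will reject because they use 'range'."""
    flagged = []
    for line in lines:
        ace = parse_ace(line)
        if ace is not None and ace[2] != ace[3]:
            flagged.append(line)
    return flagged


def static_pat_lines(lines, global_ip):
    """Expand every ACE into one static PAT entry per port (the per-port
    workaround the thread arrives at), keeping the same port on both sides.
    Assumed syntax: static (inside,outside) proto GLOBAL PORT LOCAL PORT netmask ..."""
    out = []
    for line in lines:
        ace = parse_ace(line)
        if ace is None:
            raise ValueError(f"unparsed ACE: {line}")
        proto, host, lo, hi = ace
        for port in range(lo, hi + 1):
            out.append(f"static (inside,outside) {proto} {global_ip} {port} "
                       f"{host} {port} netmask 255.255.255.255")
    return out
```

Running `static_pat_lines(ACL_LINES, "31.1.1.1")` yields nine entries (seven for 1024-1030, one each for 25 and 443); review them before pasting, since each one exposes exactly one port of one inside host.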

I've tried to do as you say. I've got an error!

access-list 101 permit tcp host 192.168.1.1 range 1024 1030 any

static (inside,outside) 31.1.1.1 access-list 101

ERROR: access-list port specifies a range

I tried it too... while it accepted all the commands, it didn't actually work properly.

What version PIX are you running?

Cisco PIX 501

access-list 101 permit tcp host 192.168.1.1 range 1024 1030 any

static (inside,outside) 217.21.54.103 access-list 101

ERROR: access-list port specifies a range

Just create a new access-list with the host and port range you want applied to the outside interface.
