https://community.cisco.com/t5/network-security/port-range-from-outside-to-inside/m-p/1492266#M661964 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>As long as you are assigning public IP to every host that needs the port to be opened, then you can use the following statement:</P><P></P><P><BR />access-list <OUTSIDE access-list="" name=""> permit tcp any host <PUBLIC ip=""> range 28300 28400</PUBLIC></OUTSIDE></P><P>access-list <OUTSIDE access-list="" name=""> permit tcp any host <PUBLIC ip=""> range 28600 28700</PUBLIC></OUTSIDE></P><P></P><P>You need to repeat the above lines for every host.If every inside device has a corresponding public IP and you want it to be open for everybody, then replace the "host public IP" by "any".</P><P></P><P>Hope this helps.</P><P></P><P>Regards,</P><P></P><P>NT</P></BODY></HTML> Fri, 09 Jul 2010 03:31:43 GMT Nagaraja Thanthry 2010-07-09T03:31:43Z https://community.cisco.com/t5/network-security/port-range-from-outside-to-inside/m-p/1492263#M661941 <P></P><P>For an ASA 5505 and I need to open up a range of ports from 28300 - 28400 and 28600 - 28700, all for access from the outside interface to any machine on the inside interface. Can anyone help out with this?</P><P></P><P></P><P># sh running-config </P><P>: Saved&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P><P>:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P><P>ASA Version 7.2(4) </P><P>!&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P><P>hostname ciscoasa </P><P>enable password 8HgaP2T2asdbjsx1GBdq encrypted </P><P>passwd Ku287h/3Z9f25tj6 encrypted&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P><P>names&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P><P>!&nbsp;&nbsp;&nbsp; </P><P>interface Vlan1 </P><P> nameif inside </P><P> security-level 100 </P><P> ip address 192.168.1.1 255.255.255.0 </P><P>!&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P><P>interface Vlan2 </P><P> nameif outside </P><P> security-level 0 </P><P> ip address dhcp setroute </P><P>!&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P><P>interface Ethernet0/0 </P><P> switchport access vlan 2 </P><P>!&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P><P>interface Ethernet0/1 </P><P>!&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P><P>interface Ethernet0/2 </P><P>!&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P><P>interface Ethernet0/3 </P><P>!&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P><P>interface Ethernet0/4 </P><P>!&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P><P>interface Ethernet0/5 </P><P>!&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P><P>interface Ethernet0/6 </P><P>!&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P><P>interface Ethernet0/7 </P><P>!&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P><P>ftp mode passive </P><P>pager lines 24&nbsp; </P><P>logging asdm informational </P><P>mtu inside 1500&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P><P>mtu outside 1500 </P><P>icmp unreachable rate-limit 1 burst-size 1 </P><P>no asdm history enable&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P><P>arp timeout 14400&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P><P>global (outside) 1 interface </P><P>nat (inside) 1 0.0.0.0 0.0.0.0 </P><P>timeout xlate 3:00:00&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P><P>timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 </P><P>timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 </P><P>timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 </P><P>timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P><P>http server enable&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P><P>http 192.168.1.0 255.255.255.0 inside </P><P>no snmp-server location&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P><P>no snmp-server contact </P><P>snmp-server enable traps snmp authentication linkup linkdown coldstart </P><P>telnet timeout 5&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P><P>ssh scopy enable </P><P>ssh 192.168.1.0 255.255.255.0 inside </P><P>ssh timeout 5&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P><P>console timeout 0 </P><P>dhcpd auto_config outside </P><P>!&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P><P>dhcpd address 192.168.1.2-192.168.1.254 inside </P><P>dhcpd enable inside&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P><P>!&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P><P></P><P>! </P><P>class-map inspection_default </P><P> match default-inspection-traffic </P><P>!&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P><P>! </P><P>policy-map type inspect dns preset_dns_map </P><P> parameters&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P><P>&nbsp; message-length maximum 512 </P><P>policy-map global_policy&nbsp;&nbsp;&nbsp; </P><P> class inspection_default </P><P>&nbsp; inspect dns preset_dns_map </P><P>&nbsp; inspect ftp&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P><P>&nbsp; inspect h323 h225 </P><P>&nbsp; inspect h323 ras&nbsp; </P><P>&nbsp; inspect rsh&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P><P>&nbsp; inspect rtsp </P><P>&nbsp; inspect esmtp </P><P>&nbsp; inspect sqlnet </P><P>&nbsp; inspect skinny </P><P>&nbsp; inspect sunrpc </P><P>&nbsp; inspect xdmcp&nbsp; </P><P>&nbsp; inspect sip&nbsp;&nbsp;&nbsp; </P><P>&nbsp; inspect netbios </P><P>&nbsp; inspect tftp&nbsp;&nbsp;&nbsp; </P><P>!&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P><P>service-policy global_policy global </P><P>prompt hostname context&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P><P>Cryptochecksum:9977cf711682d26e5ca49800ac4e94c0 </P><P>: end&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P><P></P> Mon, 11 Mar 2019 18:09:07 GMT https://community.cisco.com/t5/network-security/port-range-from-outside-to-inside/m-p/1492263#M661941 gary.grobe 2019-03-11T18:09:07Z https://community.cisco.com/t5/network-security/port-range-from-outside-to-inside/m-p/1492264#M661947 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>Are you doing it for a specific application? I see from your configuration that you are using dynamic PAT. So, there is no point in opening those ports as they will not be mapped to any device. I would suggest you using inspects for opening those ports dynamically (as long as it is one of the standard applications supported by the firewall).</P><P></P><P></P><P>Hope this helps.</P><P></P><P>Regards,</P><P></P><P>NT</P></BODY></HTML> Fri, 09 Jul 2010 03:04:44 GMT https://community.cisco.com/t5/network-security/port-range-from-outside-to-inside/m-p/1492264#M661947 Nagaraja Thanthry 2010-07-09T03:04:44Z https://community.cisco.com/t5/network-security/port-range-from-outside-to-inside/m-p/1492265#M661953 <HTML><HEAD></HEAD><BODY><P>Yeah, it's specific for a Matlab application. I will soon add a static IP to the outside interface. It's basically a default config right now.</P></BODY></HTML> Fri, 09 Jul 2010 03:11:04 GMT https://community.cisco.com/t5/network-security/port-range-from-outside-to-inside/m-p/1492265#M661953 gary.grobe 2010-07-09T03:11:04Z https://community.cisco.com/t5/network-security/port-range-from-outside-to-inside/m-p/1492266#M661964 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>As long as you are assigning public IP to every host that needs the port to be opened, then you can use the following statement:</P><P></P><P><BR />access-list <OUTSIDE access-list="" name=""> permit tcp any host <PUBLIC ip=""> range 28300 28400</PUBLIC></OUTSIDE></P><P>access-list <OUTSIDE access-list="" name=""> permit tcp any host <PUBLIC ip=""> range 28600 28700</PUBLIC></OUTSIDE></P><P></P><P>You need to repeat the above lines for every host.If every inside device has a corresponding public IP and you want it to be open for everybody, then replace the "host public IP" by "any".</P><P></P><P>Hope this helps.</P><P></P><P>Regards,</P><P></P><P>NT</P></BODY></HTML> Fri, 09 Jul 2010 03:31:43 GMT https://community.cisco.com/t5/network-security/port-range-from-outside-to-inside/m-p/1492266#M661964 Nagaraja Thanthry 2010-07-09T03:31:43Z