topic Re: Port Forwarding Ranges on ASA 5505 in Network Security

Port Forwarding Ranges on ASA 5505

lusbyr — Mon, 11 Mar 2019 16:22:05 GMT

Hello,

I am trying to replace a Linksys WRT54G with a ASA 5505.

I am trying to replicate the port forwarding of ranges (UDP/TCP) to specific hosts that is offered by the Linksys product.

I have been searching via Google and this forum for answers to how to solve this issue. I found this post and it looked promising:

-----------------------------------------------

static (inside,outside) interface access-list Range1

static (inside,outside) interface access-list Range2

access-list Range1 permit udp host 192.168.1.239 any range 5060 5069

access-list Range2 permit tcp host 192.168.1.239 any range 32000 32999

-----------------------------------------------

However, my ASA 5505 returns an error when I try this. The error message is as follows:

ERROR: Protocol mismatch between static and access-list.

Has anyone tried to solve this issue before, what does the error message mean and how to I achieve the port forwarding of ranges?

Thanks for your help.

Re: Port Forwarding Ranges on ASA 5505

cmcbride — Thu, 01 Oct 2009 22:31:30 GMT

Try this:

access-list Range1 permit udp host 192.168.1.239 any range 5060 5069

access-list Range1 permit tcp host 192.168.1.239 any range 32000 32999

static (inside,outside) interface access-list Range1

Seemed to work ok on my test ASA5505. Well the command worked, I didnt pass traffic over it to test that....

Re: Port Forwarding Ranges on ASA 5505

lusbyr — Thu, 01 Oct 2009 22:54:30 GMT

What license type is on your ASA-5505? I have a base license.

When I entered the static(inside,outside) interface access-list Range1 command I still get the error:

WARNING: All traffic destined to the IP address of the outside interface is being redirected.

WARNING: Users will not be able to access any service enabled on the outside interface.

ERROR: Protocol mismatch between the static and access-list

Thanks.

Re: Port Forwarding Ranges on ASA 5505

cmcbride — Fri, 02 Oct 2009 03:57:14 GMT

I'm using 7.2.3 Base license.

Make sure you've removed the other old static that you had configured. You can't have 2 of them configured at the same time. You need to just have the one that you're trying to get to work setup.

Re: Port Forwarding Ranges on ASA 5505

lusbyr — Fri, 02 Oct 2009 15:39:46 GMT

There can be only one static (inside,outside) entry on the ASA 5505 at a time?

I have also noticed you can only have one access-group applied to the same interface in the same direction at a time. Is this observation also true?

In all the posts I have ran across while searching how to port forward ranges, the common factor seems to be creating an access-list that permits the traffic and then performing static PAT to perform the translation. Are the access lists that permit the inbound traffic different that the access-lists for the static PAT?

Thanks.

Re: Port Forwarding Ranges on ASA 5505

Collin Clark — Fri, 02 Oct 2009 19:48:07 GMT

You can have multiple statics, but you can not have multiple statics pointing to the same internal host.

You can enter the the commands above in 7.x code, but not 8.x code I just tested both versions and I only get the Protocol mismatch error in 8.x code. You might want to open a TAC case and have them help you. We would certainly appreciate it if you could post a working config when done!

Re: Port Forwarding Ranges on ASA 5505

Collin Clark — Fri, 02 Oct 2009 20:07:37 GMT

I have also noticed you can only have one access-group applied to the same interface in the same direction at a time. Is this observation also true?

Yes this is correct.

Re: Port Forwarding Ranges on ASA 5505

lusbyr — Fri, 02 Oct 2009 20:12:00 GMT

Collin,

Thanks for you help. I am running the 8.x code, are you stating that only the 7.x code supports the static commands given in the example?

I will open a TAC case and see if I can get some help coming up with a solution.