Re: pix 6.3.5 forwarding a range of ports to internal IP

gordinho01 · ‎01-09-2007

I have a pix with one static outside IP address and have been asked to forward a whole bunch of UDP and TCP to an internal (natted) IP address. I have done static mappings before but for only single port numbers.

Below is the range of ports to forward

qsig 4029 tcp

qsig1 6400-8191 tcp

ras 1718-1719 udp(already in fixup)

rtp/rtcp 1500-1503 udp

megaco+ 2944 tcp

rtp/rtcp1 16384-16511udp

rtp/rtp2 20480-24575udp

presumably I have to define these ranges in access lists but is there a way of defining the static mapping to a name or "port object" group rather than write out the mappings line at a time for each port number?

cheers in advance

G

jim · ‎01-09-2007

sure you can use a port object name for each static entry

http://cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804708b4.shtml#t10

gordinho01 · ‎01-09-2007

Thanks for the link. After doing a bit of research (bit new to port object grouping) I have created the following group objects

object-group service qsig1_tcp tcp

port-object range 6400 8191

object-group service rtp_udp udp

port-object range 1500 1503

object-group service rtp1_udp udp

port-object range 16384 16511

object-group service rtp2_udp udp

port-object range 20992 24575

object-group service rtp3_udp udp

port-object range 20480 20991

now I've added the following access list lines

access-list internet permit tcp any host object-group qsig1_tcp

access-list internet permit udp any host object-group rtp_udp

access-list internet permit udp any host object-group rtp1_udp

access-list internet permit udp any host object-group rtp2_udp

access-list internet permit udp any host object-group rtp3_udp

but now I'm stuck with respect to mapping the object-group to the natted LAN IP

any ideas?

jim · ‎01-09-2007

static (inside,outside) tcp 1.1.1.1 640 access-list (name)

gordinho01 · ‎01-09-2007

Thanks for replying. I am unsure as to the implication of adding that line.

"static (inside,outside) tcp 1.1.1.1 640 access-list (name)"

the pix in question already has a bunch of static mappings to other internal/natted IP's and the access list "internet" also covers these out to in permits.

----

static (inside,outside) tcp interface ftp-data 192.168.2.253 ftp-data netmask 255.255.255.255 0 0

static (inside,outside) tcp interface ftp 192.168.2.253 ftp netmask 255.255.255.255 0 0

static (inside,outside) udp interface snmp 192.168.2.253 snmp netmask 255.255.255.255 0 0

static (inside,outside) udp interface snmptrap 192.168.2.253 snmptrap netmask 255.255.255.255 0 0

static (inside,outside) tcp interface 2944 192.168.2.251 2944 netmask 255.255.255.255 0 0

static (inside,outside) tcp interface 4029 192.168.2.251 4029 netmask 255.255.255.255 0 0

--------

jim · ‎01-09-2007

This would allow you to apply the objects in the access-list to the static map.

gordinho01 · ‎01-12-2007

thanks for taking time to look at this. The client gave me a second external IP I could define on the pix in a static + access list so I just forwarded all those object groups...bit of a cop out I know...thanks anyway

G

akalender · ‎02-15-2007

I am having the same issue. How did you link static map to access list and group objects?

Thanks!