11-08-2004 06:41 AM - edited 02-20-2020 11:44 PM
I had to set up my PIX for port redirection using static commands. I have it working, but had a question on whether port ranges can be configured for this. I have the ACL defined to allow the 120 ports in the outside interface. I tried to find a similar way to do that with the static command, but I found myself having to enter 120 separate lines of code. Is there a way to range it?
11-08-2004 09:50 AM
As an intelligent guess, it might be possible to object group those ports (which lets you specify a range) and then reference this object group in your access list in the static command (Policy NAT).
See the link below for the use of an access list in static commands (Policy NAT).
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/s.htm#wp1026694
Cheers
11-08-2004 11:05 AM
The following example includes the TCP port range 1415-1435.
access-list acl_inbound permit tcp src_ip src_mask dest_ip dest_mask range 1415 1435
11-08-2004 01:37 PM
I have the access-list defined, but I'm having a bit of trouble with the command syntax to call it in my static NAT.
11-08-2004 03:18 PM
It would be helpful if you could paste your access-list here. Please substitute your IP addresses to protect your identity.
11-08-2004 05:42 PM
I have not seen any way to do for a STATIC the same thing that is possible in an access-list.
So if you have 150 ports to redirect you need to create 150 statics.
See static syntax:
pix(config)# static
Not enough arguments.
Usage: [no] static [(real_ifc, mapped_ifc)]
{
{
[dns] [norandomseq] [
[no] static [(real_ifc, mapped_ifc)] {tcp|udp}
{
{
{access-list
[dns] [norandomseq] [
Does anyone have another idea about that?
Sincerely
Patrick
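Since the posts above establish that a PIX 6.x static takes exactly one port while an access-list entry accepts a range, a small generator is the practical way to produce the 120 (or 150) lines without typing them. This is an added example, not code from the thread or from Cisco; the interface names, addresses and ports are constructed placeholders, and the static syntax it emits is the PIX 6.x form assumed here (global address and port first, then local).

```python
# Added example (not from the thread): emit one PIX 6.x 'static' per port,
# plus the single ACL entry that covers the same ports with 'range'.
# All addresses below are constructed placeholders (RFC 5737 space).
from typing import List

def static_redirects(real_ifc: str, mapped_ifc: str, mapped_ip: str,
                     real_ip: str, first_port: int, last_port: int,
                     proto: str = "tcp") -> List[str]:
    """One static per port, because static accepts no port range.

    Assumed PIX 6.x syntax:
      static (real_ifc,mapped_ifc) {tcp|udp} mapped_ip mapped_port
             real_ip real_port netmask 255.255.255.255 max_conns emb_limit
    """
    if proto not in ("tcp", "udp"):
        raise ValueError("static port redirection is tcp or udp only")
    if not 1 <= first_port <= last_port <= 65535:
        raise ValueError("invalid port range")
    return [
        f"static ({real_ifc},{mapped_ifc}) {proto} {mapped_ip} {port} "
        f"{real_ip} {port} netmask 255.255.255.255 0 0"
        for port in range(first_port, last_port + 1)
    ]

def acl_range(acl_name: str, mapped_ip: str, first_port: int,
              last_port: int, proto: str = "tcp") -> str:
    """The one access-list line that covers the whole range (as in the post above)."""
    return (f"access-list {acl_name} permit {proto} any host {mapped_ip} "
            f"range {first_port} {last_port}")

def redirect_config(real_ifc: str, mapped_ifc: str, mapped_ip: str,
                    real_ip: str, first_port: int, last_port: int,
                    acl_name: str, proto: str = "tcp") -> List[str]:
    """Full snippet: ACL entry, per-port statics, and binding the ACL inbound."""
    lines = [acl_range(acl_name, mapped_ip, first_port, last_port, proto)]
    lines += static_redirects(real_ifc, mapped_ifc, mapped_ip, real_ip,
                              first_port, last_port, proto)
    lines.append(f"access-group {acl_name} in interface {mapped_ifc}")
    return lines

if __name__ == "__main__":
    # Constructed sample: 21 ports redirected to one inside host.
    for line in redirect_config("inside", "outside", "203.0.113.10",
                                "10.1.1.5", 1415, 1435, "acl_inbound"):
        print(line)
```

Paste the output into config mode and check it with show static; keeping the ACL as a single range entry also makes the permitted port set easy to audit later.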
11-09-2004 04:56 AM
Patrick,
This is what I was afraid of. Anyway, my 120 or so entries work fine, but this is only for one application!!! Other companies' products allow for a range of ports to be redirected. I wonder why Cisco doesn't have this feature yet - maybe the next software release will have it.....
11-09-2004 05:25 AM
To be honest, I have seen more than my fair share of PIX configs and I have never seen anyone port redirecting on a static with more than 4 or 5 ports. So, to see you needing 120 or so ports redirected is a surprise. As Patrick pointed out, there is no way to do a mass port redirection. I would guess the reason for this is because no one asked. I don't think it would be a major chore to add something like this into the PIX code, so I would suggest talking to your local Cisco account team and asking them to raise an enhancement request on your behalf.
On a side note, if you need 120 ports redirected to a single host, it might be time to break down and buy another global address ;)
(admittedly, not knowing any of the details)
Scott