cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
532
Views
0
Helpful
6
Replies

Port forward a range on a PIX520

deanwesthead
Level 1
Level 1

I am tring to forward 2 ranges of ports from my outside interface ip to a host on the inside interface. The outside interface is natted so that all inside hosts use it's single IP for general use.

I have 2 ranges, 5096 - 5099 and 17300 - 17440 to forward to one host. I can create a service group object with the ranges in it but I can't seem to find the right syntax or menthod to use it in the access-list and static command.

Thanks for any help.

6 Replies 6

adeelasher
Level 1
Level 1

what IOS version you are running ?

Use following syntax :

access-list TEST permit tcp host x.x.x.x eq range 5096 5099 host y.y.y.y eq range 5096 5099

access-list TEST permit tcp host x.x.x.x eq range 17300 17440 host y.y.y.y eq range 17300 17440

Hi, Just tried that and it doesn't like the "range" option.

I have tried :

access-list test permit udp x.x.x.x eq range 5096 5099 host x.x.x.x eq range 5096 5099

It just reports an error of " Invalid Port Range"

The PDM says it's PIX version 6.3(5) and PDM Version 3.0(4). I think thats the latest one for the PIX520 as V7 is not supported on it.

try this :

access-list TEST permit tcp any host x.x.x.x eq 50960-5099

access-list TEST permit tcp any host x.x.x.x eq 17300-17440

** Where x.x.x.x is the real IP of the inside host.

You will also have to have Static commands like this :

static (inside, outside) tcp interface 5096 x.x.x.x 5096 netmask 255.255.255.255

static (inside, outside) tcp interface 5097 x.x.x.x 5097 netmask 255.255.255.255

static (inside, outside) tcp interface 5098 x.x.x.x 5098 netmask 255.255.255.255

static (inside, outside) tcp interface 5099 x.x.x.x 5099 netmask 255.255.255.255

then apply this access-list on the outside interface of PIX :

access-group TEST in interface outside

** Static command does not have any format to apply the ports as a range. It has to be done individually for all the ports in the range.

Read the first line in my earlier post as :

access-list TEST permit tcp any host x.x.x.x eq 5096-5099

Sorry for the typo.

Review Cisco Networking for a $25 gift card