cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
541
Views
0
Helpful
7
Replies

Port Forwarding Ranges on ASA 5505

lusbyr
Beginner
Beginner

Hello,

I am trying to replace a Linksys WRT54G with a ASA 5505.

I am trying to replicate the port forwarding of ranges (UDP/TCP) to specific hosts that is offered by the Linksys product.

I have been searching via Google and this forum for answers to how to solve this issue. I found this post and it looked promising:

-----------------------------------------------

static (inside,outside) interface access-list Range1

static (inside,outside) interface access-list Range2

access-list Range1 permit udp host 192.168.1.239 any range 5060 5069

access-list Range2 permit tcp host 192.168.1.239 any range 32000 32999

-----------------------------------------------

However, my ASA 5505 returns an error when I try this. The error message is as follows:

ERROR: Protocol mismatch between static and access-list.

Has anyone tried to solve this issue before, what does the error message mean and how to I achieve the port forwarding of ranges?

Thanks for your help.

7 REPLIES 7

cmcbride
Beginner
Beginner

Try this:

access-list Range1 permit udp host 192.168.1.239 any range 5060 5069

access-list Range1 permit tcp host 192.168.1.239 any range 32000 32999

static (inside,outside) interface access-list Range1

Seemed to work ok on my test ASA5505. Well the command worked, I didnt pass traffic over it to test that....

What license type is on your ASA-5505? I have a base license.

When I entered the static(inside,outside) interface access-list Range1 command I still get the error:

WARNING: All traffic destined to the IP address of the outside interface is being redirected.

WARNING: Users will not be able to access any service enabled on the outside interface.

ERROR: Protocol mismatch between the static and access-list

Thanks.

I'm using 7.2.3 Base license.

Make sure you've removed the other old static that you had configured. You can't have 2 of them configured at the same time. You need to just have the one that you're trying to get to work setup.

There can be only one static (inside,outside) entry on the ASA 5505 at a time?

I have also noticed you can only have one access-group applied to the same interface in the same direction at a time. Is this observation also true?

In all the posts I have ran across while searching how to port forward ranges, the common factor seems to be creating an access-list that permits the traffic and then performing static PAT to perform the translation. Are the access lists that permit the inbound traffic different that the access-lists for the static PAT?

Thanks.

You can have multiple statics, but you can not have multiple statics pointing to the same internal host.

You can enter the the commands above in 7.x code, but not 8.x code I just tested both versions and I only get the Protocol mismatch error in 8.x code. You might want to open a TAC case and have them help you. We would certainly appreciate it if you could post a working config when done!

I have also noticed you can only have one access-group applied to the same interface in the same direction at a time. Is this observation also true?

Yes this is correct.

Collin,

Thanks for you help. I am running the 8.x code, are you stating that only the 7.x code supports the static commands given in the example?

I will open a TAC case and see if I can get some help coming up with a solution.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: