Portmapping all traffic into port range

mareks-vader
Level 1

Hello,

I'm trying to remake this BSD line:

map ep0 172.16.0.0/16 -> 216.68.250.60/32 portmap tcp/udp 10000:20000

The line says: go ahead and map all tcp/udp traffic right on through the interface and assign each outbound "connection" a port from 10000 to 20000.

I need the same thing in Cisco PIX configuration. Can someone please tell me how? I'm looking at the documentation and still do not have a clue.

Thank you very much,

Marek

Accepted Solution

First of all, what version are you running on the PIX? Second, I'm not sure who gave you the instruction, but it's a really strange description and you might want to go back to them and tell them "I understand English, not bla, bla, bla, map ep0 172.16.0.0/16 -> 216.68.250.60/32 portmap tcp/udp 10000:20000."

Julio is right: if you are obligated to translate your 172.16.0.0/24 to 216.68.250.60 when you are destined to anyone on the Internet, then the configuration he last sent you is correct.

access-list In_Out permit tcp 172.16.0.0 255.255.0.0 any range 10000 20000

access-list In_Out permit udp 172.16.0.0 255.255.0.0 any range 10000 20000

nat (inside) 1 access-list In_Out

global (outside) 1 216.68.250.60

FYI: This is a configuration example. If you believe that this could affect your production firewall, please send us the configuration, or just make sure that you don't already have a "nat (inside) 1" by doing a "show run nat" or "show nat", depending on the version.

Details are what make the difference in us giving you the correct answer, because if what I stated before this line is not true, then we are giving you the incorrect answer.

Please recap with the people that sent you this request.

FYI: Learning takes time so I believe that it is great that you have questions and we are here to help you!!!

Value our effort and rate the assistance!

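The accepted answer says to run "show run nat" (or "show nat") before adding the nat/global pair, so that an existing "nat (inside) 1" is not silently overwritten. The following script is an added example, not code from the thread or from Cisco, that performs that check against a captured running config, and adds two checks on the access-list the nat line references: whether its entries use the same source mask, and where the port operator sits. On the PIX an operator written after the destination address (as in "... any range 10000 20000") matches destination ports, which matters here because the original question was about the ports assigned on the translated side. The running-config text and the existing nat statement in it are constructed samples, not taken from the poster's firewall.

```python
"""Pre-change audit for PIX-style nat/global/access-list lines (added example)."""
import re
from collections import defaultdict

# Matches 'nat (inside) 1 access-list In_Out' and 'global (outside) 1 216.68.250.60'
NAT_RE = re.compile(
    r"^(?P<kw>nat|global)\s+\((?P<ifc>[\w-]+)\)\s+(?P<nat_id>\d+)\s+(?P<rest>.+?)\s*$"
)

# Constructed sample of "show run" output. The access-list entries copy the
# shape of the lines posted in the thread (including a mismatched udp mask);
# the existing nat line is invented so the ID-collision check has a hit.
SAMPLE_RUN = """\
access-list In_Out permit tcp 172.16.0.0 255.255.0.0 any range 10000 20000
access-list In_Out permit udp 172.16.0.0 255.255.255.0 any range 10000 20000
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 216.68.250.60
"""

# Constructed clean sample: consistent masks, no port operator, nat ID 1 free.
CLEAN_RUN = """\
access-list In_Out permit tcp 172.16.0.0 255.255.0.0 any
access-list In_Out permit udp 172.16.0.0 255.255.0.0 any
nat (inside) 2 access-list Other
global (outside) 2 interface
"""


def _addr(tok, i):
    """Consume one address spec (any | host A | A MASK); return (addr, mask), next index."""
    if tok[i] == "any":
        return ("0.0.0.0", "0.0.0.0"), i + 1
    if tok[i] == "host":
        return (tok[i + 1], "255.255.255.255"), i + 2
    return (tok[i], tok[i + 1]), i + 2


def _ports(tok, i):
    """Consume an optional port operator: eq/gt/lt/neq take one value, range two."""
    if i < len(tok) and tok[i] == "range" and i + 2 < len(tok):
        return (tok[i], tok[i + 1], tok[i + 2]), i + 3
    if i < len(tok) and tok[i] in ("eq", "gt", "lt", "neq") and i + 1 < len(tok):
        return (tok[i], tok[i + 1]), i + 2
    return None, i


def parse_acl(line):
    """Parse an extended access-list line; return None for anything else.

    A port operator binds to the address it follows, so one placed after the
    destination address matches destination ports.
    """
    tok = line.split()
    if len(tok) < 5 or tok[0] != "access-list" or tok[2] == "remark":
        return None
    i = 3 if tok[2] == "extended" else 2
    try:
        action, proto = tok[i], tok[i + 1]
        src, i = _addr(tok, i + 2)
        src_ports, i = _ports(tok, i)
        dst, i = _addr(tok, i)
        dst_ports, _ = _ports(tok, i)
    except IndexError:
        return None
    return {"name": tok[1], "action": action, "proto": proto, "src": src,
            "src_ports": src_ports, "dst": dst, "dst_ports": dst_ports}


def audit(running_config, planned_nat, planned_global):
    """Return (code, message) findings for adding planned_nat/planned_global."""
    findings = []
    acls = defaultdict(list)
    existing = {"nat": {}, "global": {}}
    for raw in running_config.splitlines():
        line = raw.strip()
        entry = parse_acl(line)
        if entry:
            acls[entry["name"]].append(entry)
            continue
        m = NAT_RE.match(line)
        if m:
            existing[m["kw"]][(m["ifc"], m["nat_id"])] = line

    nat, glob = NAT_RE.match(planned_nat), NAT_RE.match(planned_global)
    if not nat or not glob or nat["kw"] != "nat" or glob["kw"] != "global":
        raise ValueError("expected 'nat (ifc) id ...' and 'global (ifc) id ...'")
    key = (nat["ifc"], nat["nat_id"])
    if key in existing["nat"]:  # the "show run nat" check from the answer
        findings.append(("NAT_ID_IN_USE",
                         f"{planned_nat!r} collides with existing {existing['nat'][key]!r}"))
    if nat["nat_id"] != glob["nat_id"]:
        findings.append(("NAT_GLOBAL_ID_MISMATCH",
                         f"nat id {nat['nat_id']} does not match global id {glob['nat_id']}"))
    ref = re.match(r"access-list\s+(\S+)", nat["rest"])
    if ref:
        name = ref.group(1)
        entries = acls.get(name, [])
        if not entries:
            findings.append(("ACL_MISSING", f"access-list {name} is not in the running config"))
        masks = sorted({e["src"][1] for e in entries})
        if len(masks) > 1:
            findings.append(("ACL_SRC_MASK_INCONSISTENT",
                             f"access-list {name}: source masks differ: {masks}"))
        for e in entries:
            if e["dst_ports"]:
                op = " ".join(e["dst_ports"])
                findings.append(("ACL_PORT_IS_DESTINATION",
                                 f"access-list {name} {e['proto']}: '{op}' matches "
                                 "destination ports, not the ports PAT assigns"))
    return findings


if __name__ == "__main__":
    for code, msg in audit(SAMPLE_RUN, "nat (inside) 1 access-list In_Out",
                           "global (outside) 1 216.68.250.60"):
        print(f"{code}: {msg}")
```

Run it against the text of your own "show run" instead of SAMPLE_RUN; an empty result means the nat ID is free and the referenced access-list is internally consistent, which is the precondition the answer above attaches to its configuration.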

8 Replies

Julio Carvajal
VIP Alumni

Hello Marek,

access-list In_Out permit tcp 172.16.0.0 255.255.0.0 any

access-list In_Out permit udp 172.16.0.0 255.255.0.0 any

nat (inside) 1 access-list In_Out

global (outside) 1 216.68.250.60

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hello Julio,

but where is that port range in your commands?

Thank you,

Marek

Hi,

There is no port range in the above configuration. You said you use PIX which leads me to believe that you are not able to even achieve this. I mean choose the mapped port range with which the hosts will be visible to the external network.

The newer software (which is not supported on PIX) has some possibilities but no clean way to achieve this to my understanding. I think there has been some mention of an Enhancement Request which asks to include an option to choose the port range used for a Dynamic PAT translation.

- Jouni

Hi Jouni,

Maybe I don't understand the original; for me it's like: "Take all ports from the inside network and remap them to ports 10000-20000 on the outside interface."

Thanks,

Marek

Hello Marek,

access-list In_Out permit tcp 172.16.0.0 255.255.0.0 any range 10000 20000

access-list In_Out permit udp 172.16.0.0 255.255.0.0 any range 10000 20000

nat (inside) 1 access-list In_Out

global (outside) 1 216.68.250.60

I mean, that is the configuration if the inside devices are the ones initiating the connection.

If that is not what you are looking for, then explain yourself.

Regards,

Jcarvaja

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC


Please update the ticket as resolved or answered so we can close out followup.

Value our effort and rate the assistance!

I'm sorry, I've been on vacation. Thank you very much; now it is solved.
