PIX - Port redirection for many ports

adam.wilkins
Level 1

I had to set up my PIX for port redirection using static commands. I have it working, but had a question on whether port ranges can be configured for this. I have the ACL defined to allow the 120 ports in the outside interface. I tried to find a similar way to do that with the static command, but I found myself having to enter 120 separate lines of code. Is there a way to range it?

7 Replies

laje
Level 1

As an intelligent guess, it might be possible to object group those ports (which lets you specify a range) and then reference this object group in your access list in the static command (Policy NAT).

See link below for use of access list in static commands (Policy NAT)

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/s.htm#wp1026694

Cheers

wsitu
Level 1

The following example includes the tcp port range 1415-1435.

access-list acl_inbound permit tcp src_ip src_mask dest_ip dest_mask range 1415 1435

I have the access-list defined, but I'm having a bit of trouble with the command syntax to call it in my static NAT.

It would be helpful if you could paste your access-list here. Please substitute your IP addresses to protect your identity.

I have not seen any way to do the same thing as it is possible in an access-list for a STATIC.

So if you have 150 ports to redirect you need to create 150 statics.

See static syntax:

pix(config)# static
Not enough arguments.
Usage: [no] static [(real_ifc, mapped_ifc)]
{|interface}
{ [netmask ]} | {access-list }
[dns] [norandomseq] [ []]

[no] static [(real_ifc, mapped_ifc)] {tcp|udp}
{|interface}
{ [netmask ]} |
{access-list }
[dns] [norandomseq] [ []]

Does anyone have another idea about that?

sincerely

Patrick
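Since the thread concludes that each redirected port needs its own static line while the access-list can take a single range, the practical answer is to generate the statics. The script below is an added example, not posted by anyone in the thread: it expands a port range into one-port-per-line PIX 6.x statics and emits the matching one-line access-list entry; the interface names, addresses and ACL name are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread). Expands a TCP/UDP port range into
# the one-port-per-line "static" entries the PIX requires, plus the single
# access-list line that permits the whole range with the "range" keyword.
# Interface names, hosts and the ACL name are constructed placeholders.

# gen_static_range REAL_IFC MAPPED_IFC PROTO MAPPED_IP REAL_IP FIRST LAST
# Prints one static per port; mapped and real port are kept identical.
gen_static_range() {
  real_ifc=$1; mapped_ifc=$2; proto=$3; mapped_ip=$4; real_ip=$5
  port=$6; last=$7
  [ "$port" -le "$last" ] || { echo "gen_static_range: bad range" >&2; return 1; }
  while [ "$port" -le "$last" ]; do
    printf 'static (%s,%s) %s %s %s %s %s netmask 255.255.255.255\n' \
      "$real_ifc" "$mapped_ifc" "$proto" "$mapped_ip" "$port" "$real_ip" "$port"
    port=$((port + 1))
  done
}

# gen_acl_range ACL_NAME PROTO MAPPED_IP FIRST LAST
# One access-list line covers the whole range, as wsitu's example shows.
gen_acl_range() {
  printf 'access-list %s permit %s any host %s range %s %s\n' "$1" "$2" "$3" "$4" "$5"
}

# count_statics FIRST LAST: how many static lines a range will need.
count_statics() {
  echo $(( $2 - $1 + 1 ))
}

# Example run: wsitu's range, mapped on a constructed outside address
# 192.0.2.10 and redirected to a constructed inside host 10.1.1.5.
gen_acl_range acl_inbound tcp 192.0.2.10 1415 1435
gen_static_range inside outside tcp 192.0.2.10 10.1.1.5 1415 1435
```

Paste the output into config mode after reviewing it; the static count grows linearly with the range, which is exactly the 120-line problem the original poster describes.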

Patrick,

This is what I was afraid of. Anyway, my 120 or so entries work fine, but this is only for one application!!! Other companies' products allow for a range of ports to be redirected. I wonder why Cisco doesn't have this feature yet - maybe the next software release will have it.....

To be honest, I have seen more than my fair share of PIX configs and I have never seen anyone port redirecting on a static with more than 4 or 5 ports. So, to see you needing 120 or so ports redirected is a surprise. As Patrick pointed out, there is no way to do a mass port redirection. I would guess the reason for this is because no one asked. I don't think it would be a major chore to add something like this into the PIX code, so I would suggest talking to your local Cisco account team and asking them to raise an enhancement request on your behalf.

On a side note, if you need 120 ports redirected to a single host, it might be time to break down and buy another global address ;)

(admittedly, not knowing any of the details)

Scott
