04-27-2004 01:53 PM - edited 03-09-2019 07:12 AM
I need to forward a port range to a specific IP. I do not want to create a separate static entry for each port. I am using PAT and I need ports 2300-2400 forwarded to 192.168.5.15
I tried writing the command as follows:
static (inside,outside) tcp 24.97.9.10 range 2300-2400 192.168.5.15 range 2300-2400 netmask 255.255.255.255
it gives me an error saying invalid global port range.
04-28-2004 06:56 AM
Try to remove the range keyword that you have in the static. Code that static like this:
static (inside, outside) tcp 24.97.9.10 2300-2400 192.168.5.15 2300-2400 netmask 255.255.255.255
04-28-2004 07:11 AM
it still tells me that's an invalid global port range.
04-28-2004 01:54 PM
Hi !
I think that the appropriate configuration would be something like this:
1.- First allow the translation
static (inside,outside) ip host 24.97.9.10 host 192.168.5.15 netmask 255.255.255.255
2.- Define an object group service "my_ports"
(config)# object-group service my_ports tcp
(config-service)# port-object range 2300 2400
(config-service)# exit
3.- Filter with an ACL containing your pre defined port range
(config)# access-list 400 permit tcp any object-group my_ports host 24.97.9.10
4.- Apply the changes to your outside interface
(config)# access-group 400 in interface outside
Note: Remember this is an example, use your own pre-defined ACL name. I used "400" arbitrarily; change the ACL name to suit your needs.
Let me know how it goes.
FEC
04-28-2004 05:18 PM
wouldn't that static statement forward all ports for the 24.97.9.10 wan ip to the 192.168.5.15 host? I know it will only allow things through that are defined by the access-list, but I have email to an exchange server, and OWA, as well as a few other things on this IP that are port forwarded to other machines on the inside.
I just want a confirmation because if this static forwards everything to the .15 host it will knock out a lot of other services. Thanks.
04-29-2004 10:01 AM
That being the case, you are right, I think this is not the way to do it. If you try to configure another port redirection you will get the ERROR: static overlaps.
For the moment I think there is no other way than to type 100 static statements.
Unless you can use another IP address for this particular case.
FEC
04-29-2004 11:59 AM
I was afraid you may say that. Hopefully this is something that is going to be addressed in an upcoming pixos release.
100 static entries. This is gonna suck. Do you think there could be adverse effects on firewall performance with such a big static list? I am using a 501.
04-30-2004 07:11 AM
How about trying this:
Recoding the static so that you do not have the '-' symbol and add back the range keyword:
static (inside, outside) tcp 24.97.9.10 range 2300 2400 192.168.5.15 range 2300 2400 netmask 255.255.255.255
If that does not work then we may need to modify Fredirico's first hint but we will code an acl that assumes that the inside 5.15 host will initiate the connection and then code a static that will refer to that acl to do the PAT for the ports.
04-30-2004 08:09 AM
Yeah, I have tried coding that static that way too.
It still says invalid global port range.
04-30-2004 08:31 AM
Hello
What version of PIX OS are you using?
And while you are at the config prompt, type "static ?" and see what's in the command syntax.
04-30-2004 08:38 AM
6.3(3)
PIX1(config)# static
Not enough arguments.
Usage: [no] static [(real_ifc, mapped_ifc)]
{
{
[dns] [norandomseq] [
[no] static [(real_ifc, mapped_ifc)] {tcp|udp}
{
{
{access-list
[dns] [norandomseq] [
PIX1(config)#
04-30-2004 11:42 AM
Well, as it is possible to see from the command syntax, there is no way to use the range option in this command.
According to the command reference for version 6.3 there is no range option for the static command either.
In my humble opinion, unfortunately you have two possible solutions: either you use another IP or you will have to type 100 static statements.
FEC
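Since the thread concludes that PIX 6.3 has no range option on the static command, the practical answer is one static per port. The generator below is an added example, not code from the thread or from Cisco; it emits one per-port static PAT line for every port in an inclusive range (2300 through 2400 is 101 lines), plus the object-group and access-list that limit what the outside interface accepts to exactly that range, in the spirit of FEC's second step. The thread's addresses and ports are used as sample input; the interface names, the ACL name "outside_in" and the object-group name "my_ports" are assumptions, and the ACL line places the object-group after the destination host so it matches the destination port.

```python
#!/usr/bin/env python3
"""Generate PIX 6.3 per-port static PAT entries and a matching ACL.

Added example (not from the thread). PIX 6.3's static command accepts a
single port per line, so forwarding a range means one static per port.
Interface names, ACL name and object-group name are assumptions.
"""


def validate_port_range(first_port, last_port):
    """Reject anything that is not a sane inclusive TCP/UDP port range."""
    if not (1 <= first_port <= last_port <= 65535):
        raise ValueError(f"invalid port range {first_port}-{last_port}")


def static_entries(global_ip, local_ip, first_port, last_port, proto="tcp",
                   real_ifc="inside", mapped_ifc="outside"):
    """One 'static (real,mapped) proto global port local port netmask' line per port."""
    validate_port_range(first_port, last_port)
    return [
        f"static ({real_ifc},{mapped_ifc}) {proto} {global_ip} {port} "
        f"{local_ip} {port} netmask 255.255.255.255"
        for port in range(first_port, last_port + 1)
    ]


def access_list_entries(global_ip, first_port, last_port, proto="tcp",
                        group="my_ports", acl="outside_in", mapped_ifc="outside"):
    """Object-group for the range plus a single ACL line that permits only it.

    The object-group is placed after the destination host, so it matches the
    destination port; nothing outside the range is opened on the outside
    interface even though each port has its own static.
    """
    validate_port_range(first_port, last_port)
    return [
        f"object-group service {group} {proto}",
        f"  port-object range {first_port} {last_port}",
        "  exit",
        f"access-list {acl} permit {proto} any host {global_ip} object-group {group}",
        f"access-group {acl} in interface {mapped_ifc}",
    ]


def render_config(global_ip, local_ip, first_port, last_port, proto="tcp"):
    """Full snippet ready to paste at the PIX config prompt."""
    lines = static_entries(global_ip, local_ip, first_port, last_port, proto)
    lines += access_list_entries(global_ip, first_port, last_port, proto)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Values from the thread: 24.97.9.10 -> 192.168.5.15, TCP 2300-2400.
    print(render_config("24.97.9.10", "192.168.5.15", 2300, 2400))
```

Run it and paste the output into configuration mode; the statics are plain single-port entries, so they do not trigger the "static overlaps" error that a whole-host static would cause for the other services already mapped on 24.97.9.10.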