Static Entries on PIX501

khotaling
Level 1

I need to forward a port range to a specific IP. I do not want to create a separate static entry for each port. I am using PAT and I need ports 2300-2400 forwarded to 192.168.5.15

I tried writing the command as follows:

static (inside,outside) tcp 24.97.9.10 range 2300-2400 192.168.5.15 range 2300-2400 netmask 255.255.255.255

It gives me an error saying invalid global port range.

11 Replies

ehirsel
Level 6

Try to remove the range keyword that you have in the static. Code that static like this:

static (inside, outside) tcp 24.97.9.10 2300-2400 192.168.5.15 2300-2400 netmask 255.255.255.255

It still tells me that's an invalid global port range.

Hi !

I think that the appropriate configuration would be something like this:

1.- First allow the translation

static (inside,outside) ip host 24.97.9.10 host 192.168.5.15 netmask 255.255.255.255

2.- Define an object group service "my_ports"

(config)# object-group service my_ports tcp

(config-service)# port-object range 2300 2400

(config-service)# exit

3.- Filter with an ACL containing your pre defined port range

(config)# access-list 400 permit tcp any object-group my_ports host 24.97.9.10

4.- Apply the changes to your outside interface

(config)# access-group 400 in interface outside

Note: Remember this is an example, use your own pre-defined ACL name. I used "400" arbitrarily; change the ACL name to suit your needs.

Let me know how it goes.

FEC

Wouldn't that static statement forward all ports for the 24.97.9.10 WAN IP to the 192.168.5.15 host? I know it will only allow things through that are defined by the access-list, but I have email to an Exchange server, and OWA, as well as a few other things on this IP that are port forwarded to other machines on the inside.

I just want a confirmation because if this static forwards everything to the .15 host it will knock out a lot of other services. Thanks.

That being the case, you are right, I think this is not the way to do it. If you try to configure another port redirection you will get the ERROR: static overlaps.

For the moment I think there is no other way than to type 100 static statements.

Unless you can use another IP address for this particular case.

FEC

I was afraid you may say that. Hopefully this is something that is going to be addressed in an upcoming pixos release.

100 static entries. This is gonna suck. Do you think there could be adverse effects on firewall performance with such a big static list? I am using a 501.

How about trying this:

Recoding the static so that you do not have the '-' symbol and add back the range keyword:

static (inside, outside) tcp 24.97.9.10 range 2300 2400 192.168.5.15 range 2300 2400 netmask 255.255.255.255

If that does not work then we may need to modify Fredirico's first hint but we will code an acl that assumes that the inside 5.15 host will initiate the connection and then code a static that will refer to that acl to do the PAT for the ports.

Yeah, I have tried coding that static that way too.

Still says invalid global port range.

Hello

What version of PIX OS are you using?

And while you are at the config prompt, type "static ?" and see what's in the command syntax.

6.3(3)

PIX1(config)# static

Not enough arguments.

Usage: [no] static [(real_ifc, mapped_ifc)]

{|interface}

{ [netmask ]} | {access-list }

[dns] [norandomseq] [ []]

[no] static [(real_ifc, mapped_ifc)] {tcp|udp}

{|interface}

{ [netmask ]} |

{access-list }

[dns] [norandomseq] [ []]

PIX1(config)#

Well, as it is possible to see from the command syntax, there is no way to use the range option in this command.

According to the command reference for version 6.3 there is no range option for the static command either.

In my humble opinion, unfortunately you have two possible solutions: either you use another IP or you will have to type 100 static statements.

FEC
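Since the conclusion of the thread is one static per port, here is an added example (not from the thread or from Cisco) that generates those per-port static lines for the addresses above and, before emitting each one, checks the mapped port against existing statics on the same global IP so you do not hit "ERROR: static overlaps" on the console. The existing static lines in EXISTING are constructed sample data; note that 2300-2400 inclusive is 101 ports.

```python
"""Generate per-port PIX 6.3 'static' lines for a TCP port range.

PIX OS 6.3 has no 'range' keyword on 'static', so each forwarded port needs
its own statement. A mapped port already claimed by another static would be
rejected with 'ERROR: static overlaps', so such ports are reported instead.
"""
import re
from typing import Iterable

# Port-level TCP/UDP static on PIX 6.3: the first port token is the mapped
# (global) port, the second is the real (inside) port.
STATIC_RE = re.compile(
    r"static\s*\(\s*(?P<real_ifc>\w+)\s*,\s*(?P<mapped_ifc>\w+)\s*\)\s+"
    r"(?P<proto>tcp|udp)\s+(?P<mapped_ip>[\d.]+)\s+(?P<mapped_port>\d+)\s+"
    r"(?P<real_ip>[\d.]+)\s+(?P<real_port>\d+)"
)

def used_mapped_ports(config_lines: Iterable[str], mapped_ip: str, proto: str) -> set:
    """Mapped ports on mapped_ip/proto already claimed by existing statics."""
    used = set()
    for line in config_lines:
        m = STATIC_RE.match(line.strip())
        if m and m["mapped_ip"] == mapped_ip and m["proto"] == proto:
            used.add(int(m["mapped_port"]))
    return used

def port_statics(mapped_ip, real_ip, first, last, existing=(), proto="tcp",
                 real_ifc="inside", mapped_ifc="outside"):
    """Return (lines, conflicts): one static per port in [first, last];
    ports already mapped on mapped_ip are skipped and listed in conflicts."""
    if not (1 <= first <= last <= 65535):
        raise ValueError("port range must satisfy 1 <= first <= last <= 65535")
    used = used_mapped_ports(existing, mapped_ip, proto)
    lines, conflicts = [], []
    for port in range(first, last + 1):
        if port in used:
            conflicts.append(port)
            continue
        lines.append(f"static ({real_ifc},{mapped_ifc}) {proto} {mapped_ip} {port} "
                     f"{real_ip} {port} netmask 255.255.255.255")
    return lines, conflicts

# Constructed sample of statics already on the box (not from the thread):
EXISTING = [
    "static (inside,outside) tcp 24.97.9.10 25 192.168.5.20 25 netmask 255.255.255.255",
    "static (inside,outside) tcp 24.97.9.10 2350 192.168.5.21 2350 netmask 255.255.255.255",
]

if __name__ == "__main__":
    lines, conflicts = port_statics("24.97.9.10", "192.168.5.15", 2300, 2400, EXISTING)
    print("\n".join(lines))
    if conflicts:
        print(f"! skipped {len(conflicts)} port(s) already mapped: {conflicts}")
```

Paste the printed lines into config mode; with the sample EXISTING list, port 2350 is reported as a conflict instead of being emitted.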