born2see
asked on
Port Forwarding on the Cisco ASA 5505
I thought I had the answer for this question but I've run into a problem. How do I configure this device to allow port forwarding for the following inside hosts, including the one range of 10000 20000? I also want to use a single external IP. I just need to know how to forward a range and port using PAT in the same configuration. I can take it from there. Thanks in advance. I'm including the email I received.
PS: This currently works fine on an inexpensive Linksys router.
The current ports we need forwarded are:
80 tcp -> 10.10.10.4 (web server)
65100 tcp/udp -> 10.10.10.2 (act!)
143 tcp -> 10.10.10.4
1717 to 1723 tcp/udp -> 10.10.10.4
2401 tcp -> 10.10.10.4 (cvs)
5060 tcp/udp -> 10.10.10.31 (sip for pbx/voip)
4569 udp -> 10.10.10.31 (iax2 for pbx/voip)
1935 tcp -> 10.10.10.17
10000 to 20000 udp -> 10.10.10.31 (rtp for pbx/voip)
500 tcp/udp -> 10.10.10.4 (ipkey vpn stuff)
8080 tcp -> 10.10.10.4 (alternate http server used by some scripts)
25 tcp -> 10.10.10.4 (smtp)
465 tcp -> 10.10.10.5 (smtps)
993 tcp -> 10.10.10.4 (imaps server)
3389 tcp -> 10.10.10.2 (remote desktop)
object-group service group_1 tcp-udp
port-object range 1717 1723
access-list outside_access_in permit tcp any interface outside object-group group_1
but then you need a static for every port!!!
static (inside,outside) tcp interface 1717 10.10.10.4 1717 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1718 10.10.10.4 1718 netmask 255.255.255.255 0 0
etc
etc
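The per-port expansion described in the answer above, as an added example that is not part of the original thread: a Python generator that emits one static per port and protocol in the answer's syntax, plus one access-list line per protocol using `eq`/`range` matching. The sample table is a constructed subset of the asker's list, and the function names and the duplicate-mapping check (a single outside IP can forward a given protocol/port to only one inside host) are assumptions of this example.

```python
import ipaddress

ACL_NAME = "outside_access_in"  # ACL name used in the answer's commands
# Constructed sample: a few rows from the asker's list (first, last, protocols, host).
FORWARDS = [
    (80, 80, ("tcp",), "10.10.10.4"),
    (1717, 1723, ("tcp", "udp"), "10.10.10.4"),
    (5060, 5060, ("tcp", "udp"), "10.10.10.31"),
    (10000, 20000, ("udp",), "10.10.10.31"),
]

def validate(first, last, protos, host):
    """Reject malformed rows before any configuration text is produced."""
    if not 1 <= first <= last <= 65535:
        raise ValueError(f"bad port range {first}-{last}")
    if not protos or any(p not in ("tcp", "udp") for p in protos):
        raise ValueError(f"bad protocol list {protos!r}")
    ipaddress.IPv4Address(host)  # raises ValueError on a malformed address

def static_lines(first, last, protos, host):
    """One static PAT entry per protocol and port, in the answer's syntax."""
    validate(first, last, protos, host)
    return [f"static (inside,outside) {p} interface {port} {host} {port} "
            "netmask 255.255.255.255 0 0"
            for p in protos for port in range(first, last + 1)]

def acl_lines(first, last, protos, host):
    """One permit per protocol; the ACL can match a whole range in one line."""
    validate(first, last, protos, host)
    match = f"eq {first}" if first == last else f"range {first} {last}"
    return [f"access-list {ACL_NAME} permit {p} any interface outside {match}"
            for p in protos]

def build(forwards):
    """Return (acl, statics); refuse two hosts claiming one outside port."""
    owner, acl, statics = {}, [], []
    for first, last, protos, host in forwards:
        validate(first, last, protos, host)
        for key in ((p, port) for p in protos for port in range(first, last + 1)):
            if owner.setdefault(key, host) != host:
                raise ValueError(f"{key[0]}/{key[1]} already forwarded to {owner[key]}")
        acl += acl_lines(first, last, protos, host)
        statics += static_lines(first, last, protos, host)
    return acl, statics

if __name__ == "__main__":
    acl, statics = build(FORWARDS)
    print("\n".join(acl))
    print(f"! {len(statics)} static entries generated")
```

The line count it reports for the 10000 to 20000 row makes the cost of the per-port approach concrete, and each emitted permit is a service reachable from any outside address.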
ASKER
Which is ok for the 1717 1723. The problem I have is for the 10000 20000 range.
I think you have hit the nail on the head - those are your options without more public IP addresses :(
Old link above; see http://www.petenetlive.com/KB/Article/0000077.htm
As for a range of ports, I'm not sure; you could create a service group and forward that service group.