born2see

Port Forwarding on the Cisco ASA 5505

I thought I had the answer for this question but I've run into a problem. How do I configure this device to allow port forwarding for the following inside hosts, including the one range of 10000 20000? I also want to use a single external IP. I just need to know how to forward a range and port using PAT in the same configuration. I can take it from there. Thanks in advance. I'm including the email I received.

PS:  This currently works fine on an inexpensive Linksys router.
The current ports we need forwarded are:
 
80 tcp -> 10.10.10.4  (web server)
65100 tcp/udp -> 10.10.10.2 (act!)
143 tcp -> 10.10.10.4  
1717 to 1723 tcp/udp -> 10.10.10.4 
2401 tcp -> 10.10.10.4 (cvs)
5060 tcp/udp -> 10.10.10.31 (sip for pbx/voip)
4569 udp-> 10.10.10.31 (iax2 for pbx/voip)
1935 tcp -> 10.10.10.17 
10000 to 20000 udp -> 10.10.10.31 (rtp for pbx/voip)
500 tcp/udp -> 10.10.10.4 (ipkey vpn stuff)
8080 tcp -> 10.10.10.4  (alternate http server used by some scripts)
25 tcp -> 10.10.10.4 (smtp)
465 tcp -> 10.10.10.5 (smtps)
993 tcp -> 10.10.10.4 (imaps server)
3389 tcp -> 10.10.10.2 (remote desktop)


Pete Long

Port forwarding is straightforward enough; see my website here: http://www.petenetlive.com/Tech/Firewalls/Cisco/portforward.htm

As for a range of ports, I'm not sure; you could create a service group and forward that service group.
object-group service group_1 tcp-udp
  port-object range 1717 1723
access-list outside_access_in permit tcp any interface outside object-group group_1

but then you need a static for every port!!!

static (inside,outside) tcp interface 1717 10.10.10.4 1717 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1718 10.10.10.4 1718 netmask 255.255.255.255 0 0

etc

etc
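
The per-port expansion described in the answer above, as an added example that is not part of the original post: it parses forwarding rules in the format of the question's list and emits one static per port and protocol in the syntax the answer shows, plus the matching ACL entries. The function names are hypothetical, the rule text is a constructed subset of the question's list, and the ACL lines use the `eq`/`range` operators instead of the answer's object-group.

```python
import re

# Constructed sample: a subset of the forwarding list from the question.
RULES = """\
80 tcp -> 10.10.10.4
1717 to 1723 tcp/udp -> 10.10.10.4
4569 udp-> 10.10.10.31
10000 to 20000 udp -> 10.10.10.31
"""

LINE = re.compile(
    r"(\d+)(?:\s+to\s+(\d+))?\s+(tcp/udp|tcp|udp)\s*->\s*(\d+(?:\.\d+){3})")

def parse(text):
    """Yield (first_port, last_port, [protocols], inside_host) per rule line."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        lo = int(m.group(1))
        hi = int(m.group(2) or lo)
        if not (0 < lo <= hi <= 65535):
            raise ValueError(f"bad port range: {raw!r}")
        yield lo, hi, m.group(3).split("/"), m.group(4)

def statics(rule):
    """One static per port and protocol, in the form shown in the answer."""
    lo, hi, protos, host = rule
    return [f"static (inside,outside) {p} interface {port} {host} {port} "
            f"netmask 255.255.255.255 0 0"
            for p in protos for port in range(lo, hi + 1)]

def acl(rule, name="outside_access_in"):
    """One ACL entry per protocol; a range needs only a single line here."""
    lo, hi, protos, _ = rule
    match = f"eq {lo}" if lo == hi else f"range {lo} {hi}"
    return [f"access-list {name} permit {p} any interface outside {match}"
            for p in protos]

def build(text):
    """Return (config_lines, static_count_per_rule)."""
    lines, counts = [], {}
    for rule in parse(text):
        s = statics(rule)
        counts[(rule[0], rule[1])] = len(s)
        lines += acl(rule) + s
    return lines, counts
```

The 1717 to 1723 rule expands to 14 statics, while the 10000 to 20000 UDP rule expands to 10001, which is the scale of the problem raised in the follow-up.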




born2see

ASKER

Which is ok for the 1717 1723. The problem I have is for the 10000 20000 range.
ASKER CERTIFIED SOLUTION
born2see

This solution is only available to members.
I think you have hit the nail on the head - those are your options without more public IP addresses :(