ArmstrongInt

Grouping static ports in PIX/ASA

Hi All

I am trying to clean up my ASA config a little. For example, I can specify ranges with access lists.

access-list acl_outside extended permit tcp any host 86.xx.xx.102 range 3230 3235

replaces

access-list acl_outside extended permit tcp any host 86.xx.xx.102 eq 3230
access-list acl_outside extended permit tcp any host 86.xx.xx.102 eq 3231
access-list acl_outside extended permit tcp any host 86.xx.xx.102 eq 3232
access-list acl_outside extended permit tcp any host 86.xx.xx.102 eq 3233
access-list acl_outside extended permit tcp any host 86.xx.xx.102 eq 3234
access-list acl_outside extended permit tcp any host 86.xx.xx.102 eq 3235

However, when trying to do this with my static mappings, it doesn't seem to like it.

replacing
static (inside,outside) tcp 86.xx.xx.102 3230 172.16.12.40 3230 netmask 255.255.255.255
static (inside,outside) tcp 86.xx.xx.102 3231 172.16.12.40 3231 netmask 255.255.255.255
static (inside,outside) tcp 86.xx.xx.102 3232 172.16.12.40 3232 netmask 255.255.255.255
static (inside,outside) tcp 86.xx.xx.102 3233 172.16.12.40 3233 netmask 255.255.255.255
static (inside,outside) tcp 86.xx.xx.102 3234 172.16.12.40 3234 netmask 255.255.255.255
static (inside,outside) tcp 86.xx.xx.102 3235 172.16.12.40 3235 netmask 255.255.255.255

with
static (inside,outside) tcp 86.xx.xx.102 range 3230 3235 172.16.12.40 range 3230 3235 netmask 255.255.255.255 ??

Any ideas ?

Many thanks

Arm
Grape_Soda

You can't do that. A static NAT is a one-to-one relationship, i.e.

this subnet to this subnet
this ip to this ip

You are breaking it down even further (more secure) and saying this IP/port to this IP/port. Since it is one-to-one, each possible combination in a range of ports has to have its own NAT statement.

Hope this explains it better.
oalva

Use an object group:

config t
object-group service Ports
port-object eq 3230
port-object eq 3231
port-object eq 3232
port-object eq 3233
port-object eq 3235

access-list acl_outside extended permit tcp any host 86.xx.xx.102 object-group Ports

Just do a single NAT statement:

static (inside,outside) 86.xx.xx.102 172.16.12.40 netmask 255.255.255.255

Don't define it for TCP; the access list will determine what is allowed to that IP.
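As an added illustration (not part of this thread), the following Python helper parses per-port static PAT lines in the pre-8.3 syntax quoted above and emits the tightest matching access-list, using range only for runs of consecutive ports so the ACL never permits a port that has no static behind it. The sample config is constructed from the question's lines, reusing its masked address 86.xx.xx.102 as-is, with port 3233 left out to show the gap handling.

```python
import re

# Per-port static PAT in the pre-8.3 PIX/ASA syntax used in the question:
#   static (inside,outside) tcp GLOBAL_IP GPORT LOCAL_IP LPORT netmask MASK
STATIC_RE = re.compile(
    r"^static \((?P<ifaces>[^)]+)\) (?P<proto>tcp|udp) (?P<gip>\S+) (?P<gport>\d+) "
    r"(?P<lip>\S+) (?P<lport>\d+) netmask (?P<mask>\S+)$")

# Constructed sample: the question's statics minus ports 3233 and 3234, so a
# single 'range 3230 3235' ACL would over-permit ports with no translation.
SAMPLE_STATICS = """\
static (inside,outside) tcp 86.xx.xx.102 3230 172.16.12.40 3230 netmask 255.255.255.255
static (inside,outside) tcp 86.xx.xx.102 3231 172.16.12.40 3231 netmask 255.255.255.255
static (inside,outside) tcp 86.xx.xx.102 3232 172.16.12.40 3232 netmask 255.255.255.255
static (inside,outside) tcp 86.xx.xx.102 3235 172.16.12.40 3235 netmask 255.255.255.255
"""

def parse_statics(config_text):
    """Return one dict per per-port static PAT line; other lines are ignored."""
    entries = []
    for line in config_text.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["gport"], d["lport"] = int(d["gport"]), int(d["lport"])
            entries.append(d)
    return entries

def collapse_ports(ports):
    """Collapse ports into sorted (lo, hi) runs of consecutive values."""
    runs = []
    for p in sorted(set(ports)):
        if runs and p == runs[-1][1] + 1:
            runs[-1] = (runs[-1][0], p)
        else:
            runs.append((p, p))
    return runs

def acl_for_statics(acl_name, entries):
    """Emit an ACL permitting exactly the global ports the statics expose.
    Each static still needs its own line (static takes no range); the ACL
    may use 'range lo hi' only where the exposed ports are consecutive."""
    by_target = {}
    for e in entries:
        by_target.setdefault((e["proto"], e["gip"]), set()).add(e["gport"])
    lines = []
    for (proto, gip), ports in sorted(by_target.items()):
        for lo, hi in collapse_ports(ports):
            spec = f"eq {lo}" if lo == hi else f"range {lo} {hi}"
            lines.append(f"access-list {acl_name} extended permit {proto} any host {gip} {spec}")
    return lines
```

Calling acl_for_statics("acl_outside", parse_statics(SAMPLE_STATICS)) yields one range line for 3230-3232 and one eq line for 3235; the plain 1:1 static from the answer above is deliberately not matched, since it exposes every port and relies on the ACL alone.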
ASKER CERTIFIED SOLUTION
oalva

ArmstrongInt

ASKER

Thanks I'll give that a go.