Grouping static ports in PIX/ASA

ArmstrongInt
Hi All

I am trying to clean up my ASA config a little. For example, I can specify ranges with access lists.

access-list acl_outside extended permit tcp any host 86.xx.xx.102 range 3230 3235

replaces

access-list acl_outside extended permit tcp any host 86.xx.xx.102 eq 3230
access-list acl_outside extended permit tcp any host 86.xx.xx.102 eq 3231
access-list acl_outside extended permit tcp any host 86.xx.xx.102 eq 3232
access-list acl_outside extended permit tcp any host 86.xx.xx.102 eq 3233
access-list acl_outside extended permit tcp any host 86.xx.xx.102 eq 3234
access-list acl_outside extended permit tcp any host 86.xx.xx.102 eq 3235

However, when trying to do this with my static mappings, it doesn't seem to like it.

replacing
static (inside,outside) tcp 86.xx.xx.102 3230 172.16.12.40 3230 netmask 255.255.255.255
static (inside,outside) tcp 86.xx.xx.102 3231 172.16.12.40 3231 netmask 255.255.255.255
static (inside,outside) tcp 86.xx.xx.102 3232 172.16.12.40 3232 netmask 255.255.255.255
static (inside,outside) tcp 86.xx.xx.102 3233 172.16.12.40 3233 netmask 255.255.255.255
static (inside,outside) tcp 86.xx.xx.102 3234 172.16.12.40 3234 netmask 255.255.255.255
static (inside,outside) tcp 86.xx.xx.102 3235 172.16.12.40 3235 netmask 255.255.255.255

with
static (inside,outside) tcp 86.xx.xx.102 range 3230 3235 172.16.12.40 range 3230 3235 netmask 255.255.255.255 ??

Any ideas ?

Many thanks

Arm
You can't do that. A static NAT is a one-to-one relationship, i.e.

this subnet to this subnet
this ip to this ip

You are breaking it down even further (more secure) and saying this IP/port to this IP/port. Since it is one-to-one, each possible combination in a range of ports has to have its own NAT statement.

Hope this explains it better.

Commented:
use an object group

config t
object-group service Ports tcp
port-object eq 3230
port-object eq 3231
port-object eq 3232
port-object eq 3233
port-object eq 3234
port-object eq 3235

access-list acl_outside extended permit tcp any host 86.xx.xx.102 object-group Ports

Commented:
Just do a single NAT statement:

static (inside,outside) 86.xx.xx.102 172.16.12.40 netmask 255.255.255.255


Commented:
Don't define it for TCP; the access list will determine what is allowed to that IP.
Commented:
static (inside,outside) 86.xx.xx.102  172.16.12.40  netmask 255.255.255.255
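
A small Python script, added here as an example and not part of the thread, that does the clean-up the question describes from both sides: it collapses adjacent `eq` access-list entries into `range` entries (the ACL side, which the box does support), and it emits either the per-port statics the first answer says are unavoidable or the single 1:1 static suggested in the last comments. Function names and the outside address 198.51.100.102 (a constructed stand-in for the redacted 86.xx.xx.102) are this example's own. Note the trade-off between the two NAT forms: the 1:1 static gives every port on 172.16.12.40 a translation, so the interface ACL is the only thing limiting exposure; the per-port statics also limit it at the NAT layer.

```python
import re

# Added example, not from the thread. Generates pre-8.3 PIX/ASA syntax, as used
# in the question. 198.51.100.102 is a constructed outside address.

STATIC_NETMASK = "netmask 255.255.255.255"

# Matches an ACE whose destination port is a single 'eq' value; the prefix is
# everything before the port so lines with the same prefix can be merged.
ACE_EQ = re.compile(
    r"^(?P<prefix>access-list \S+ extended permit (?:tcp|udp) .+) eq (?P<port>\d+)$"
)


def _runs(ports):
    """Yield (first, last) pairs of contiguous port numbers, ascending."""
    ports = sorted(set(ports))
    start = prev = ports[0]
    for p in ports[1:]:
        if p != prev + 1:
            yield start, prev
            start = p
        prev = p
    yield start, prev


def _emit(prefix, ports):
    return [
        f"{prefix} eq {a}" if a == b else f"{prefix} range {a} {b}"
        for a, b in _runs(ports)
    ]


def collapse_eq_acls(lines):
    """Merge *adjacent* 'eq' ACEs that differ only in port into 'range' ACEs.

    Only neighbouring lines are merged, so a deny or a permit for another host
    sitting between two groups keeps its place and first-match semantics of
    the ACL are unchanged.
    """
    out, prefix, ports = [], None, []
    for line in lines:
        m = ACE_EQ.match(line.strip())
        if m and m.group("prefix") == prefix:
            ports.append(int(m.group("port")))
            continue
        if ports:
            out.extend(_emit(prefix, ports))
        if m:
            prefix, ports = m.group("prefix"), [int(m.group("port"))]
        else:
            prefix, ports = None, []
            out.append(line)
    if ports:
        out.extend(_emit(prefix, ports))
    return out


def port_statics(outside_ip, inside_ip, first, last, proto="tcp"):
    """First answer's approach: one port-level static per port. 'static' has
    no range keyword, so this is the only way to translate exactly these
    ports and nothing else."""
    if not 1 <= first <= last <= 65535:
        raise ValueError(f"bad port range {first}-{last}")
    return [
        f"static (inside,outside) {proto} {outside_ip} {p} {inside_ip} {p} {STATIC_NETMASK}"
        for p in range(first, last + 1)
    ]


def host_static(outside_ip, inside_ip):
    """Later comments' approach: a single 1:1 static. Every port on inside_ip
    now has a translation, so the interface ACL alone decides what is
    reachable; keep it tight."""
    return f"static (inside,outside) {outside_ip} {inside_ip} {STATIC_NETMASK}"


if __name__ == "__main__":
    # Constructed input: the six ACEs from the question plus a trailing deny.
    sample = [
        f"access-list acl_outside extended permit tcp any host 198.51.100.102 eq {p}"
        for p in (3230, 3231, 3232, 3233, 3234, 3235)
    ] + ["access-list acl_outside extended deny ip any any"]
    for ace in collapse_eq_acls(sample):
        print(ace)
    for nat in port_statics("198.51.100.102", "172.16.12.40", 3230, 3235):
        print(nat)
    print(host_static("198.51.100.102", "172.16.12.40"))
```

Run it against a `show run access-list` dump to see which entries would collapse; a port list with a hole (say 3230-3231 and 3233) comes out as one `range` plus one `eq`, which is what you would write by hand.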

Author

Commented:
Thanks I'll give that a go.
