ArmstrongInt
asked on
Grouping static ports in PIX/ASA
Hi All
I am trying to clean up my ASA config a little. For example I can specify ranges with access lists.
access-list acl_outside extended permit tcp any host 86.xx.xx.102 range 3230 3235
replaces
access-list acl_outside extended permit tcp any host 86.xx.xx.102 eq 3230
access-list acl_outside extended permit tcp any host 86.xx.xx.102 eq 3231
access-list acl_outside extended permit tcp any host 86.xx.xx.102 eq 3232
access-list acl_outside extended permit tcp any host 86.xx.xx.102 eq 3233
access-list acl_outside extended permit tcp any host 86.xx.xx.102 eq 3234
access-list acl_outside extended permit tcp any host 86.xx.xx.102 eq 3235
however when trying to do this with my static mappings, it doesn't seem to like it.
replacing
static (inside,outside) tcp 86.xx.xx.102 3230 172.16.12.40 3230 netmask 255.255.255.255
static (inside,outside) tcp 86.xx.xx.102 3231 172.16.12.40 3231 netmask 255.255.255.255
static (inside,outside) tcp 86.xx.xx.102 3232 172.16.12.40 3232 netmask 255.255.255.255
static (inside,outside) tcp 86.xx.xx.102 3233 172.16.12.40 3233 netmask 255.255.255.255
static (inside,outside) tcp 86.xx.xx.102 3234 172.16.12.40 3234 netmask 255.255.255.255
static (inside,outside) tcp 86.xx.xx.102 3235 172.16.12.40 3235 netmask 255.255.255.255
with
static (inside,outside) tcp 86.xx.xx.102 range 3230 3235 172.16.12.40 range 3230 3235 netmask 255.255.255.255 ??
Any ideas?
Many thanks
Arm
Use an object group:
config t
object-group service Ports tcp
port-object eq 3230
port-object eq 3231
port-object eq 3232
port-object eq 3233
port-object eq 3234
port-object eq 3235
access-list acl_outside extended permit tcp any host 86.xx.xx.102 object-group Ports
Just do a single NAT statement:
static (inside,outside) 86.xx.xx.102 172.16.12.40 netmask 255.255.255.255
Don't define it for TCP; the access list will determine what is allowed to that IP.
ASKER
Thanks I'll give that a go.
this subnet to this subnet
this IP to this IP
You are breaking it down even further (more secure) and saying this IP/port to this IP/port. Since it is one-to-one, each possible combination in a range of ports has to have its own NAT statement.
Hope this explains it better.
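The two points made in this thread (the ACL side collapses into one object-group entry, while a port static is one-to-one and needs a line per port) can be handled by a small generator and audit script. The following Python is an added example, not code from any poster here; the interface names inside/outside, the ACL name acl_outside, the object-group name Ports, the public address 203.0.113.102 and the inside host 172.16.12.40 are constructed sample values, and the config syntax is the pre-8.3 "static" form used in the question.

```python
"""Generate and audit Cisco ASA (pre-8.3 syntax) per-port static NAT
and object-group configuration for a contiguous TCP port range.

Example code added to this thread; it is not from the original posters.
Constructed sample values: interfaces inside/outside, ACL acl_outside,
object-group Ports, mapped IP 203.0.113.102, real IP 172.16.12.40.
"""
import re

NETMASK = "255.255.255.255"

# Matches a per-port TCP static exactly as written in the question.
STATIC_RE = re.compile(
    r"^static \((?P<real_if>\w+),(?P<mapped_if>\w+)\) tcp "
    r"(?P<mapped_ip>\S+) (?P<mapped_port>\d+) "
    r"(?P<real_ip>\S+) (?P<real_port>\d+) netmask (?P<mask>\S+)$"
)


def check_port_range(first, last):
    """Reject anything that is not an inclusive, ordered TCP port range."""
    if not (1 <= first <= last <= 65535):
        raise ValueError(f"invalid TCP port range {first}-{last}")


def object_group_config(name, acl, mapped_ip, first, last):
    """ACL side: one tcp service object-group with a single port range,
    referenced by one access-list entry."""
    check_port_range(first, last)
    return [
        f"object-group service {name} tcp",
        f" port-object range {first} {last}",
        f"access-list {acl} extended permit tcp any host {mapped_ip} "
        f"object-group {name}",
    ]


def static_port_config(mapped_ip, real_ip, first, last):
    """NAT side: port statics are one-to-one, so there is no range
    keyword; emit one static per port."""
    check_port_range(first, last)
    return [
        f"static (inside,outside) tcp {mapped_ip} {p} {real_ip} {p} "
        f"netmask {NETMASK}"
        for p in range(first, last + 1)
    ]


def summarize_statics(config_lines):
    """Audit helper: collapse existing per-port statics with identical
    mapped and real ports into contiguous ranges per (mapped_ip, real_ip).
    Statics that translate the port (mapped != real) and non-matching lines
    are ignored, since they cannot be summarised as a range."""
    by_pair = {}
    for line in config_lines:
        m = STATIC_RE.match(line.strip())
        if not m:
            continue
        mp, rp = int(m["mapped_port"]), int(m["real_port"])
        if mp != rp:
            continue
        by_pair.setdefault((m["mapped_ip"], m["real_ip"]), set()).add(mp)
    result = {}
    for key, ports in by_pair.items():
        ranges = []
        for p in sorted(ports):
            if ranges and ranges[-1][1] == p - 1:
                ranges[-1] = (ranges[-1][0], p)  # extend current run
            else:
                ranges.append((p, p))            # start a new run
        result[key] = ranges
    return result


# Constructed sample config: the six statics from the question plus one
# port-translating static that the summary must leave alone.
SAMPLE_CONFIG = static_port_config("203.0.113.102", "172.16.12.40", 3230, 3235) + [
    "static (inside,outside) tcp 203.0.113.102 8080 172.16.12.40 80 netmask 255.255.255.255"
]

if __name__ == "__main__":
    for line in object_group_config("Ports", "acl_outside", "203.0.113.102", 3230, 3235):
        print(line)
    for line in static_port_config("203.0.113.102", "172.16.12.40", 3230, 3235):
        print(line)
    print(summarize_statics(SAMPLE_CONFIG))
```

Running it prints the three ACL-side lines, the six per-port statics and a summary of the form {('203.0.113.102', '172.16.12.40'): [(3230, 3235)]}, which is a quick way to spot contiguous port statics in an existing config before deciding whether a plain one-to-one static plus ACL would serve instead.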