Solved

Static route with port range

Posted on 2011-03-15
12
824 Views
Last Modified: 2012-05-11
I am trying to create a static map from the outside to the inside with a port range on a Cisco 515e.  I have created and saved the access-list below.  However, the static route continues to receive an error stating Invalid Global Port Range .  I have found some solutions but they are clear as mud. From what i can understand, the pix can not do statics with port ranges.  Any ideas and I remember now why I haven't used Cisco in years.

Here are the commands:
static (inside,outside) tcp XX.XX.182.213 range 6400 8191 XXX.XXX.0.206 range 6400 8191 netmask 255.255.255.255 0 0
0
Comment
Question by:raidertech
  • 3
  • 3
  • 2
  • +2
12 Comments
 
LVL 18

Accepted Solution

by:
jmeggers earned 25 total points
ID: 35142259
Maybe it's just semantics, but I suspect you understand this is not a static route, it's a static NAT statement.

Not sure you can do what you're trying to with a port range.  I've only ever done it with a single port, like translating 80 to 8080, or something similar.
0
 
LVL 35

Assisted Solution

by:Ernie Beek
Ernie Beek earned 50 total points
ID: 35142276
I am afraid that isn't going to work for a static. You can only use a port range in access lists. You'll have to create every static separately :-~
Sorry for the bad news.
0
 

Author Comment

by:raidertech
ID: 35142503
that is what i was afraid of and am running into it.  and yes i meant static nat.
0
 
LVL 12

Assisted Solution

by:Pugglewuggle
Pugglewuggle earned 50 total points
ID: 35142769
Hi there,

You can make a static nat rule and that covers all ports. You can also make a static pat rule, but you have to make one for each port you want to open. Beware of doing this though, as each static pat translation will consume some memory on your PIX... if you have to many it will crash because your memory will fill up. Here's a doc on how to setup PAT rules.

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_staticpat.html

These commands also work with PIXes.

Cheers!
0
 

Author Comment

by:raidertech
ID: 35152230
pugglewuggle, thanks for the link and i have read over but was able to locate anything regarding port ranges
0
Maximize Your Threat Intelligence Reporting

Reporting is one of the most important and least talked about aspects of a world-class threat intelligence program. Here’s how to do it right.

 
LVL 12

Assisted Solution

by:Pugglewuggle
Pugglewuggle earned 50 total points
ID: 35152350
so where it says the protocol tcp or udp, after that it says a port... Sometimes it's a word such as smtp or http. When you need to make a port range you have to make a separate static statement for every port. It's not very fun but that's how it works. Access lists allow ranges to be opened in the firewall, but statics must be specified one by one. Again, be carefil to watch your ram if you add large numbers of statics... Hundreds or thousands can fill your memory up and crash the box. I've done that before by accident. Make sure you leave 10-15% free.

Cheers!
0
 
LVL 35

Assisted Solution

by:Ernie Beek
Ernie Beek earned 50 total points
ID: 35152504
What Pugglewuggle is saying is that if you have more than one public address you can use one of them to do a 1-on-1 static. That way the public address is (exclusively) linked to the XXX.XXX.0.206 address (one on one) so you don't have to create a static for every port you want to forward through the static. You then define the ports you want to pass through in your access list, in which you can use port ranges.
But that only works if you have more than one public address available........
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 35157581
... that is indeed what I said... ;-)
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35481564
May I propose a split between Pugglewuggle and yours truly?
0
 
LVL 33

Expert Comment

by:digitap
ID: 35714931
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0

Featured Post

Zoho SalesIQ

Hassle-free live chat software re-imagined for business growth. 2 users, always free.

Join & Write a Comment

Network traffic routing plays key role in your network, if you have single site with heavy browsing or multiple sites, replicating important application data from your Primary Default Gateway ,you have to route your other network traffic from your p…
Use of TCL script on Cisco devices:  - create file and merge it with running configuration to apply configuration changes
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now