Leading analyst firm, KuppingerCole reviews AlgoSec's Security Policy Management Solution, and the security challenges faced by companies today in their Executive View report.
Static route with port range
I am trying to create a static map from the outside to the inside with a port range on a Cisco 515e. I have created and saved the access-list below. However, the static route continues to receive an error stating Invalid Global Port Range . I have found some solutions but they are clear as mud. From what i can understand, the pix can not do statics with port ranges. Any ideas and I remember now why I haven't used Cisco in years.
Here are the commands:
static (inside,outside) tcp XX.XX.182.213 range 6400 8191 XXX.XXX.0.206 range 6400 8191 netmask 255.255.255.255 0 0
Here are the commands:
static (inside,outside) tcp XX.XX.182.213 range 6400 8191 XXX.XXX.0.206 range 6400 8191 netmask 255.255.255.255 0 0
Who is Participating?
Experts Exchange Solution brought to you by
Enjoy your complimentary solution view.
Get every solution instantly with Premium.
Start your 7-day free trial.
I wear a lot of hats...
"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.
Experts Exchange Solution brought to you by
Your issues matter to us.
Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.
Start your 7-day free trial
I am afraid that isn't going to work for a static. You can only use a port range in access lists. You'll have to create every static separately :-~
Sorry for the bad news.
Sorry for the bad news.
Hi there,
You can make a static nat rule and that covers all ports. You can also make a static pat rule, but you have to make one for each port you want to open. Beware of doing this though, as each static pat translation will consume some memory on your PIX... if you have to many it will crash because your memory will fill up. Here's a doc on how to setup PAT rules.
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_staticpat.html
These commands also work with PIXes.
Cheers!
You can make a static nat rule and that covers all ports. You can also make a static pat rule, but you have to make one for each port you want to open. Beware of doing this though, as each static pat translation will consume some memory on your PIX... if you have to many it will crash because your memory will fill up. Here's a doc on how to setup PAT rules.
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_staticpat.html
These commands also work with PIXes.
Cheers!
pugglewuggle, thanks for the link and i have read over but was able to locate anything regarding port ranges
so where it says the protocol tcp or udp, after that it says a port... Sometimes it's a word such as smtp or http. When you need to make a port range you have to make a separate static statement for every port. It's not very fun but that's how it works. Access lists allow ranges to be opened in the firewall, but statics must be specified one by one. Again, be carefil to watch your ram if you add large numbers of statics... Hundreds or thousands can fill your memory up and crash the box. I've done that before by accident. Make sure you leave 10-15% free.
Cheers!
Cheers!
What Pugglewuggle is saying is that if you have more than one public address you can use one of them to do a 1-on-1 static. That way the public address is (exclusively) linked to the XXX.XXX.0.206 address (one on one) so you don't have to create a static for every port you want to forward through the static. You then define the ports you want to pass through in your access list, in which you can use port ranges.
But that only works if you have more than one public address available........
But that only works if you have more than one public address available........
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Cisco
From novice to tech pro — start learning today.
-
Microsoft ApplicationsCertification: MOS Microsoft Office Specialist - Word 2013 Part … 120 lessons
-
IT AdministrationCertification: ISCAP Information Systems Certification and Accreditati… 16 lessons
Experts Exchange Solution brought to you by
Enjoy your complimentary solution view.
Get every solution instantly with Premium.
Start your 7-day free trial.
Not sure you can do what you're trying to with a port range. I've only ever done it with a single port, like translating 80 to 8080, or something similar.