asa 5510 9.1(6) Port forwarding
Jeff (asker):

I have an external IP 176.x.x.188 that needs to accept multiple external connections and forward traffic to 192.168.100.9 on the port range 10500 - 10600, but I'm having trouble making it work.

So something like:

object network obj-176.x.x.188
 host 176.x.x.188

object network obj-192.168.100.9
 host 192.168.100.9

object network rng-10500.600
 range 10500 10600

nat (inside,outside) source static obj-192.168.100.9

access-list outside_in permit tcp any object obj-176.x.x.188 range 10500 10600

bamsi:

If I remember correctly, the new IOS needs you to add a permissive rule for the REAL IP, instead of the NAT'ed one.

Can you try whether this config fixes your issue?

object network obj-192.168.100.9
 host 192.168.100.9
!
access-list outside_in permit tcp any object obj-192.168.100.9 range 10500 10600
!
object network obj-176.x.x.188
 host 176.x.x.188
!
object network rng-10500.600
 range 10500 10600
!
nat (outside,inside) source static obj-176.x.x.188 service rng-10500.600

Not sure you can port forward a 'range'? Unless this is a new feature, you never could in the past?

Yeah, you can't add a range to a service object:

Petes-ASA(config)# object service Obj-Ports-Range
Petes-ASA(config-service-object)# range 1000 2000
                                                                   ^
And the range in a network object is for IP addresses?

Petes-ASA(config)# object network Obj-Ports-Range
Petes-ASA(config-network-object)# ?

  description  Specify description text
  fqdn         Enter this keyword to specify an FQDN
  help         Help for network object configuration commands
  host         Enter this keyword to specify a single host object
  nat          Enable NAT on a singleton object
  no           Remove an object or description from object
  range        Enter this keyword to specify a range
  subnet       Enter this keyword to specify a subnet
Petes-ASA(config-network-object)# ra
Petes-ASA(config-network-object)# range 1000 2000
                                                                      ^
ERROR: % Invalid input detected at '^' marker.
Petes-ASA(config-network-object)# range ?        

network-object mode commands/options:
  A.B.C.D  Enter start IP address

Jeff (asker):

I was afraid someone would say that. In my PIX I had to individually put in each line of the forward. Is the format the same in 9.1 as it was in 6.2?
This works, but I'm struggling with the ACL:

!
object service Obj-Ports-Range
 service tcp source range 1000 2000
!

Right,

Are you sure you are port forwarding?

What's 176.x.x.188? You port forward off an interface, NOT an IP address?

P

Pete Long (United Kingdom), asker-certified solution: the text of this post is available only to Experts Exchange members.

Jeff (asker):
I apologize for the lack of response. Issues with a major project at work have been consuming my time.

You mention that 9.0 and 9.1 have a bug that stops the port forward method from working. I am running 9.1(6), so I am guessing that I will need to bust out the port-to-port connections individually as I did in my PIX? Here is how I had it configured in my PIX.

There is a server sitting at 192.168.100.9 that is listening on port range 10500 10600.
External address 176.x.x.188 is dedicated to the system.

ip address outside 174.x.x.186 255.255.255.248

ip address inside 192.168.100.1 255.255.255.0

nat (inside) 10 192.168.100.0 255.255.255.0 0 0

access-list outside_access_in permit tcp any host 176.x.x.188 range 10500 10600

static (intf2,outside) tcp 176.x.x.188 10510 192.168.100.9 10510 netmask 255.255.255.255 0 0
static (intf2,outside) tcp 176.x.x.188 10511 192.168.100.9 10511 netmask 255.255.255.255 0 0
static (intf2,outside) tcp 176.x.x.188 10512 192.168.100.9 10512 netmask 255.255.255.255 0 0
static (intf2,outside) tcp 176.x.x.188 10513 192.168.100.9 10513 netmask 255.255.255.255 0 0
static (intf2,outside) tcp 176.x.x.188 10514 192.168.100.9 10514 netmask 255.255.255.255 0 0
static (intf2,outside) tcp 176.x.x.188 10515 192.168.100.9 10515 netmask 255.255.255.255 0 0
static (intf2,outside) tcp 176.x.x.188 10516 192.168.100.9 10516 netmask 255.255.255.255 0 0
static (intf2,outside) tcp 176.x.x.188 10517 192.168.100.9 10517 netmask 255.255.255.255 0 0
static (intf2,outside) tcp 176.x.x.188 10518 192.168.100.9 10518 netmask 255.255.255.255 0 0
static (intf2,outside) tcp 176.x.x.188 10519 192.168.100.9 10519 netmask 255.255.255.255 0 0

route outside 0.0.0.0 0.0.0.0 174.x.x.185 1

Jeff (asker):
I was basically hoping to avoid all of the individual static entries.
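
Added example (not from the thread, and not Pete Long's solution, which is hidden above): a small generator that emits the ASA 8.3+/9.x equivalent of the PIX `static (intf2,outside) tcp ...` lines in the asker's last config, one object-NAT statement per port, plus the ACL on the REAL inside address that the post-8.3 code requires. It avoids the port-range question entirely by doing what the PIX config did, just without typing each line by hand. Interface names `inside`/`outside`, the ACL name, the object-name prefix, the documentation address 203.0.113.188 standing in for the asker's 176.x.x.188, and the `packet-tracer` check are all assumptions; each network object carries exactly one `nat` line because the ASA allows only one per object, which is why a per-port object is needed.

```python
"""Generate ASA 8.3+ per-port static PAT for a contiguous port range.

Example code added to the thread, not the asker's or Pete Long's config.
Assumptions: interface names inside/outside, ACL name outside_in, object
name prefix "obj-", and a test address 203.0.113.188 (documentation range)
in place of the real 176.x.x.188.
"""
import ipaddress
import sys


def validate(real_ip: str, mapped_ip: str, first: int, last: int) -> None:
    """Reject input the ASA itself would refuse (bad IPs, inverted or
    out-of-range ports) before any config text is produced."""
    ipaddress.ip_address(real_ip)      # raises ValueError on garbage
    ipaddress.ip_address(mapped_ip)
    if not (1 <= first <= last <= 65535):
        raise ValueError(f"bad port range {first}-{last}")


def port_forward_config(real_ip: str, mapped_ip: str, first: int, last: int,
                        proto: str = "tcp", real_ifc: str = "inside",
                        mapped_ifc: str = "outside",
                        acl: str = "outside_in") -> list[str]:
    """Return the ASA CLI lines as a list of strings, one line per element.

    Each port gets its own network object holding the REAL host plus a
    single object-NAT line (static PAT, mapped_ip:port -> real_ip:port),
    which is the 8.3+ form of the PIX 6.x 'static ... tcp' statements.
    """
    validate(real_ip, mapped_ip, first, last)
    if proto not in ("tcp", "udp"):
        raise ValueError("object NAT service keyword must be tcp or udp")
    lines: list[str] = []

    # Mapped (public) address object, referenced by every NAT line below.
    mapped_obj = f"obj-{mapped_ip}"
    lines += [f"object network {mapped_obj}", f" host {mapped_ip}"]

    for port in range(first, last + 1):
        obj = f"obj-{real_ip}-{proto}-{port}"
        lines += [
            f"object network {obj}",
            f" host {real_ip}",
            f" nat ({real_ifc},{mapped_ifc}) static {mapped_obj}"
            f" service {proto} {port} {port}",
        ]

    # Post-8.3 ACLs match the REAL address, and 'range' is allowed here
    # even though it is not allowed in a network object.
    lines.append(f"access-list {acl} extended permit {proto} any"
                 f" host {real_ip} range {first} {last}")
    lines.append(f"access-group {acl} in interface {mapped_ifc}")
    return lines


def packet_tracer_check(mapped_ip: str, port: int, mapped_ifc: str = "outside",
                        src_ip: str = "198.51.100.7", src_port: int = 40000) -> str:
    """Build the packet-tracer command used to confirm one forwarded port
    is permitted and translated; src_ip/src_port are constructed values."""
    return (f"packet-tracer input {mapped_ifc} tcp {src_ip} {src_port}"
            f" {mapped_ip} {port}")


if __name__ == "__main__":
    # Constructed sample matching the thread's server and port range.
    cfg = port_forward_config("192.168.100.9", "203.0.113.188", 10500, 10600)
    sys.stdout.write("\n".join(cfg) + "\n")
    sys.stdout.write("! verify one port with:\n! "
                     + packet_tracer_check("203.0.113.188", 10550) + "\n")
```

Paste the output into configuration mode, then run the printed `packet-tracer` line and confirm the NAT phase shows the translation to 192.168.100.9 and the result is ALLOW; a DROP in the ACCESS-LIST phase almost always means the ACL still names the mapped address instead of the real one.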