asa 5510 9.1(6) Port forwarding
Jeff asked:
I have an external IP 176.x.x.188 that needs to accept multiple external connections and forward traffic to 192.168.100.9 on the port range 10500-10600, and I'm having trouble making it work.
So something like:
Object network obj-176.x.x.188
host 176.x.x.188
Object network obj-192.168.100.9
host 192.168.100.9
Object network rng-10500.600
range 10500 10600
nat (inside,outside) source static obj-192.168.100.9
access-list outside_in permit tcp any host obj-176.x.x.188 range rng-10500.600
Not sure you can port forward a 'range'? Unless this is a new feature, you never could in the past.
Yeah, you can't add a range to a service object:
Petes-ASA(config)# object service Obj-Ports-Range
Petes-ASA(config-service-object)# range 1000 2000
                                  ^
And the range in a network object is for IP addresses:
Petes-ASA(config)# object network Obj-Ports-Range
Petes-ASA(config-network-object)# ?
description Specify description text
fqdn Enter this keyword to specify an FQDN
help Help for network object configuration commands
host Enter this keyword to specify a single host object
nat Enable NAT on a singleton object
no Remove an object or description from object
range Enter this keyword to specify a range
subnet Enter this keyword to specify a subnet
Petes-ASA(config-network-object)# ra
Petes-ASA(config-network-object)# range 1000 2000
                                        ^
ERROR: % Invalid input detected at '^' marker.
Petes-ASA(config-network-object)# range ?
network-object mode commands/options:
A.B.C.D Enter start IP address
ASKER
I was afraid someone would say that. In my PIX I had to put in each line of the forward individually. Is the format the same in 9.1 as it was in 6.2?
This works, but I'm struggling with the ACL:
!
object service Obj-Ports-Range
service tcp source range 1000 2000
!
Right,
Are you sure you are port forwarding?
What's 176.x.x.188? You port forward off an interface, NOT an IP address?
P
ASKER CERTIFIED SOLUTION
ASKER
I apologize for the lack of response. Issues with a major project at work have been consuming my time.
You mention that 9.0 and 9.1 have a bug that stops the port forward method from working. I am running 9.1(6), so I am guessing that I will need to bust out the port-to-port connections individually as I did in my PIX?... Here is how I had it configured in my PIX.
There is a server sitting at 192.168.100.9 that is listening on the port range 10500-10600.
External address 176.x.x.188 is dedicated to the system.
ip address outside 174.x.x.186 255.255.255.248
ip address inside 192.168.100.1 255.255.255.0
nat (inside) 10 192.168.100.0 255.255.255.0 0 0
access-list outside_access_in permit tcp any host 176.x.x.188 range 10500 10600
static (intf2,outside) tcp 176.x.x.188 10510 192.168.100.9 10510 netmask 255.255.255.255 0 0
static (intf2,outside) tcp 176.x.x.188 10511 192.168.100.9 10511 netmask 255.255.255.255 0 0
static (intf2,outside) tcp 176.x.x.188 10512 192.168.100.9 10512 netmask 255.255.255.255 0 0
static (intf2,outside) tcp 176.x.x.188 10513 192.168.100.9 10513 netmask 255.255.255.255 0 0
static (intf2,outside) tcp 176.x.x.188 10514 192.168.100.9 10514 netmask 255.255.255.255 0 0
static (intf2,outside) tcp 176.x.x.188 10515 192.168.100.9 10515 netmask 255.255.255.255 0 0
static (intf2,outside) tcp 176.x.x.188 10516 192.168.100.9 10516 netmask 255.255.255.255 0 0
static (intf2,outside) tcp 176.x.x.188 10517 192.168.100.9 10517 netmask 255.255.255.255 0 0
static (intf2,outside) tcp 176.x.x.188 10518 192.168.100.9 10518 netmask 255.255.255.255 0 0
static (intf2,outside) tcp 176.x.x.188 10519 192.168.100.9 10519 netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 174.x.x.185 1
ASKER
I was basically hoping to avoid all of the individual static entries.
Can you try this and see if it fixes your issue? (The port range has to live in an object service, not an object network, and the post-8.3 ACL references the real inside address with the object keyword.)
object network obj-192.168.100.9
host 192.168.100.9
!
object network obj-176.x.x.188
host 176.x.x.188
!
object service rng-10500.600
service tcp source range 10500 10600
!
nat (inside,outside) source static obj-192.168.100.9 obj-176.x.x.188 service rng-10500.600 rng-10500.600
!
access-list outside_in permit tcp any object obj-192.168.100.9 range 10500 10600
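The mistakes this thread circles around (a port range typed into an object network, an ACL written against the mapped address or with host plus an object name, and an ACL that permits ports the NAT never translates) are easy to catch mechanically before a config is pushed. The following is an added example written for this page, not code from the thread, from Cisco, or from any ASA tool: a small Python linter for the object / nat / access-list lines of a post-8.3 ASA config. It only understands the "source static" manual-NAT form used above, and the sample configs are constructed, with 203.0.113.188 standing in for the thread's 176.x.x.188 and obj-public / obj-server standing in for the thread's object names.

```python
"""ASA 8.3+ static-PAT config linter (added example, not from the thread).

Flags: a port range inside 'object network' (range there takes IPs), an ACL
that uses 'host <object-name>' or matches the mapped/public address (post-8.3
ACLs match the real address via 'object'), an ACL port range the NAT service
object does not translate, and a static NAT with no service object at all.
Only 'nat (a,b) source static REAL MAPPED [service S S]' is understood.
"""
import re

DOTTED = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
NAT_RE = re.compile(r"^nat \((\S+),(\S+)\) source static (\S+) (\S+)(?: service (\S+) (\S+))?")

# Constructed: the shape of the asker's first attempt.
BAD_CONFIG = """
object network obj-public
 host 203.0.113.188
object network obj-server
 host 192.168.100.9
object network rng-10500.600
 range 10500 10600
nat (inside,outside) source static obj-server obj-public
access-list outside_in permit tcp any host obj-public range 10500 10600
"""

# Constructed: a working 8.3+ static PAT for a port range.
GOOD_CONFIG = """
object network obj-public
 host 203.0.113.188
object network obj-server
 host 192.168.100.9
object service svc-10500-10600
 service tcp source range 10500 10600
nat (inside,outside) source static obj-server obj-public service svc-10500-10600 svc-10500-10600
access-list outside_in permit tcp any object obj-server range 10500 10600
"""


def _addr(tokens, i):
    """Consume one ACL address spec at tokens[i]; return (spec, next index)."""
    tok = tokens[i]
    if tok in ("any", "any4"):
        return {"any": True}, i + 1
    if tok in ("host", "object", "object-group"):
        return {tok: tokens[i + 1]}, i + 2
    return {"net": tok, "mask": tokens[i + 1]}, i + 2


def parse_acl(line):
    """Parse 'access-list NAME [extended] ACTION PROTO SRC DST [range A B | eq P]'.
    Source-port operators are not handled; this thread does not need them."""
    t = line.split()
    i = 3 if t[2] == "extended" else 2
    action, proto = t[i], t[i + 1]
    src, i = _addr(t, i + 2)
    dst, i = _addr(t, i)
    ports = None
    if i < len(t) and t[i] == "range":
        ports = (int(t[i + 1]), int(t[i + 2]))
    elif i < len(t) and t[i] == "eq":
        ports = (int(t[i + 1]), int(t[i + 1]))
    return {"name": t[1], "action": action, "proto": proto, "src": src, "dst": dst, "ports": ports}


def parse_config(text):
    """Return (objects, nats, acls) from the relevant lines of a config dump."""
    objects, nats, acls, current = {}, [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = re.match(r"^object (network|service) (\S+)$", line, re.I)
        if m:  # start of an object definition; sub-commands follow
            current = {"kind": m.group(1).lower(), "type": None, "args": []}
            objects[m.group(2)] = current
        elif current and line.split()[0].lower() in ("host", "range", "subnet", "service", "fqdn"):
            parts = line.split()
            current["type"], current["args"] = parts[0].lower(), parts[1:]
        elif NAT_RE.match(line):
            g = NAT_RE.match(line).groups()
            nats.append({"real": g[2], "mapped": g[3], "real_svc": g[4], "mapped_svc": g[5]})
            current = None
        elif line.startswith("access-list "):
            acls.append(parse_acl(line))
            current = None
    return objects, nats, acls


def _svc_range(obj):
    """Port range (lo, hi) declared by an 'object service', or None."""
    args = obj["args"]
    if "range" in args:
        k = args.index("range")
        return int(args[k + 1]), int(args[k + 2])
    if "eq" in args:
        p = int(args[args.index("eq") + 1])
        return p, p
    return None


def lint(text):
    """Return a list of (code, message) findings for the config text."""
    objects, nats, acls = parse_config(text)
    findings = []
    for name, obj in objects.items():  # ports in an object network: always wrong
        if obj["kind"] == "network" and obj["type"] == "range" and not all(DOTTED.match(a) for a in obj["args"]):
            findings.append(("PORT_RANGE_IN_NETWORK_OBJECT",
                             f"{name}: 'range' in object network takes IP addresses; use object service"))
    mapped_objs, mapped_ips, translated = set(), set(), {}
    for nat in nats:
        for ref in (nat["real"], nat["mapped"], nat["real_svc"], nat["mapped_svc"]):
            if ref and ref not in objects:
                findings.append(("UNDEFINED_OBJECT", f"nat references undefined object {ref}"))
        mapped_objs.add(nat["mapped"])
        mo = objects.get(nat["mapped"])
        if mo and mo["type"] == "host":
            mapped_ips.add(mo["args"][0])
        svc = objects.get(nat["real_svc"]) if nat["real_svc"] else None
        rng = _svc_range(svc) if svc else None
        if rng is None:  # one-to-one static NAT exposes every port of the host
            findings.append(("STATIC_NAT_ALL_PORTS", f"nat {nat['real']}->{nat['mapped']} has no service object"))
        else:
            translated[nat["real"]] = rng
    for acl in acls:
        dst = acl["dst"]
        if "host" in dst and not DOTTED.match(dst["host"]):
            findings.append(("ACL_HOST_NOT_IP", f"{acl['name']}: 'host' takes an IP; use 'object {dst['host']}'"))
        elif ("host" in dst and dst["host"] in mapped_ips) or dst.get("object") in mapped_objs:
            findings.append(("ACL_USES_MAPPED_ADDRESS", f"{acl['name']}: post-8.3 ACLs match the real address"))
        rng = translated.get(dst.get("object"))
        if rng and acl["ports"] and (acl["ports"][0] < rng[0] or acl["ports"][1] > rng[1]):
            findings.append(("ACL_PORTS_NOT_TRANSLATED", f"{acl['name']}: permits {acl['ports']}, NAT translates {rng}"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("bad", BAD_CONFIG), ("good", GOOD_CONFIG)):
        print(label, lint(cfg) or "no findings")
```

Running it reports three findings for BAD_CONFIG (the port range in an object network, the host keyword used with an object name, and a static NAT that translates every port because it carries no service object) and none for GOOD_CONFIG. The STATIC_NAT_ALL_PORTS finding is the one worth keeping an eye on operationally: a one-to-one static without a service object leaves the ACL as the only thing standing between the Internet and the server's other ports.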