  • Portforward range

    Hi, I'm having a problem in that I can't/don't know how to port forward a range of ports.
    I can port forward a single port with no problem, but now I want to forward
    16000-16100 TCP and UDP to a single inside address.
    Any help would be nice.
    Thanks Ekke

  • #2
    Re: Portforward range

    Here is an example I am doing on my ASA.

    Code:
    static (DMZ,outside) 222.222.222.222 192.168.1.100 netmask 255.255.255.255
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_5 any host 222.222.222.222
    object-group service DM_INLINE_SERVICE_5
     service-object tcp range 62000 62003 
     service-object tcp eq h323 
     service-object udp range 62000 62009
    access-group outside_access_in in interface outside
    CCNA, Network+



    • #3
      Re: Portforward range

      Hi and thanks for the info. After my post I found a similar thread and have done the same as you suggested, but have now found that that setting somehow messed things up.
      The VPN stopped working and I got this message when adding the last line.
      These are my lines:
      object-group service AllowSip_TCP tcp
      port-object range 16000 16100
      port-object eq sip
      object-group service AllowSip_UDP udp
      port-object range 16000 16100
      port-object eq sip
      access-list Outside_access_in extended permit tcp any host *.*.*.* eq 35300
      access-list Outside_access_in extended permit tcp telavox 255.255.255.0 host *.*.*.* object-group AllowSip_TCP
      access-list Outside_access_in extended permit udp telavox 255.255.255.0 host *.*.*.* object-group AllowSip_UDP
      static (inside,outside) interface 192.168.60.50 netmask 255.255.255.255
      access-group Outside_access_in in interface outside

      I get this error:

      Result of the command: "static (inside,outside) interface 192.168.60.50 netmask 255.255.255.255"
      WARNING: All traffic destined to the IP address of the outside interface is being redirected.
      WARNING: Users will not be able to access any service enabled on the outside interface.
      WARNING: mapped-address conflict with existing static
      TCP inside:192.168.60.1/25 to outside:*.*.*.*/25 netmask 255.255.255.255
      WARNING: mapped-address conflict with existing static
      TCP inside:192.168.60.1/443 to outside:*.*.*.*/443 netmask 255.255.255.255

      any ideas?



      • #4
        Re: Portforward range

        Originally posted by A Techman
        Remove this:
        Code:
        static (inside,outside) interface 192.168.60.50 netmask 255.255.255.255
        You are static-ing the outside interface to the inside ip of 192.168.60.50, which means only that ip address will be allowed through the firewall.

        Do you have only one public ip address? Can you post a sanitized config?
        CCNA, Network+
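        The conflict above can be caught before it is pushed to the box. The following Python linter is an added example for this thread, not code from the forum or from Cisco: it parses ASA 8.x `static` lines and flags a whole-address static that claims the interface IP or overlaps existing port-level statics to a different inside host (the `static` lines are taken from the thread; the function and class names are my own).

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Static:
    real_if: str
    mapped_if: str
    proto: Optional[str]        # None for a whole-address static, else "tcp"/"udp"
    mapped: str                 # mapped address, or the keyword "interface"
    mapped_port: Optional[str]
    real: str
    real_port: Optional[str]


def parse_static(line: str) -> Optional[Static]:
    """Parse one ASA 8.x 'static (real_if,mapped_if) ...' line; None for other lines."""
    tok = line.split()
    if len(tok) < 5 or tok[0] != "static":
        return None
    real_if, mapped_if = tok[1].strip("()").split(",")
    proto = tok[2] if tok[2] in ("tcp", "udp") else None
    i = 3 if proto else 2
    if proto:   # port-level static PAT: <mapped> <mapped_port> <real> <real_port>
        mapped, mapped_port, real, real_port = tok[i:i + 4]
    else:       # whole-address static: <mapped> <real>
        mapped, real = tok[i:i + 2]
        mapped_port = real_port = None
    return Static(real_if, mapped_if, proto, mapped, mapped_port, real, real_port)


def find_conflicts(config: str) -> List[Tuple[str, str]]:
    """Return (kind, detail) findings mirroring the ASA's own warnings: a whole-address
    static on 'interface' redirects every service on that interface IP, and it also
    conflicts with port-level statics that map the same address to another host."""
    statics = [s for s in map(parse_static, config.splitlines()) if s]
    found = []
    for w in (s for s in statics if s.proto is None):
        if w.mapped == "interface":
            found.append(("redirect", f"all traffic to the {w.mapped_if} interface IP now goes to {w.real}"))
        for s in statics:
            same_mapped = s.mapped == w.mapped and s.mapped_if == w.mapped_if
            if s is not w and same_mapped and s.real != w.real:
                found.append(("conflict", f"{w.mapped} -> {w.real} overlaps {s.proto} {s.mapped}/{s.mapped_port} -> {s.real}"))
    return found


# Statics from the thread's config; WORKING is what runs today, BROKEN adds the offending line.
WORKING = "\n".join([
    "static (inside,outside) tcp interface smtp 192.168.60.1 smtp netmask 255.255.255.255 dns",
    "static (inside,outside) tcp interface https 192.168.60.1 https netmask 255.255.255.255",
])
BROKEN = WORKING + "\nstatic (inside,outside) interface 192.168.60.50 netmask 255.255.255.255"
```

Running `find_conflicts(BROKEN)` reports the redirect plus the two mapped-address conflicts (smtp and https to 192.168.60.1) that the ASA printed; `find_conflicts(WORKING)` is empty.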



        • #5
          Re: Portforward range

          Hi.
          This is how the working config looks today, with the exception of the port forward range.
          I don't know if we have access to more external IPs, so I would prefer to get it working this way.

          //:Ekke

          : Saved
          :
          ASA Version 8.0(4)
          !
          hostname ASA-******
          domain-name *******.local
          enable password alpAW2tEmckQnbKO encrypted
          passwd 2KFQnbNIdI.2KYOU encrypted
          names
          name 80.83.208.0 telavox
          !
          interface Vlan1
          nameif inside
          security-level 100
          ip address 192.168.60.253 255.255.255.0
          !
          interface Vlan2
          nameif outside
          security-level 0
          ip address *.*.*.* 255.255.255.248
          !
          interface Ethernet0/0
          switchport access vlan 2
          !
          interface Ethernet0/1
          !
          interface Ethernet0/2
          !
          interface Ethernet0/3
          !
          interface Ethernet0/4
          !
          interface Ethernet0/5
          !
          interface Ethernet0/6
          !
          interface Ethernet0/7
          !
          boot system disk0:/asa804-k8.bin
          ftp mode passive
          clock timezone CEST 1
          clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
          dns server-group DefaultDNS
          domain-name ******.local
          object-group service AllowSip_TCP tcp
          port-object range 16000 16100
          port-object eq sip
          object-group service AllowSip_UDP udp
          port-object range 16000 16100
          port-object eq sip
          access-list Outside_access_in extended permit icmp any any echo-reply
          access-list Outside_access_in extended permit icmp any any source-quench
          access-list Outside_access_in extended permit icmp any any unreachable
          access-list Outside_access_in extended permit icmp any any time-exceeded
          access-list Outside_access_in extended permit tcp any host *.*.*.* eq smtp
          access-list Outside_access_in extended permit tcp any host *.*.*.* eq https
          access-list Outside_access_in extended permit tcp any host *.*.*.* eq 35300
          access-list Outside_access_in extended permit tcp telavox 255.255.255.0 host *.*.*.* object-group AllowSip_TCP
          access-list Outside_access_in extended permit udp telavox 255.255.255.0 host *.*.*.* object-group AllowSip_UDP
          access-list Split_Tunnel_List_ACL remark ****** NAT Access List ******
          access-list Split_Tunnel_List_ACL remark ****** Split Tunnel Encrypted Traffic ******
          access-list Split_Tunnel_List_ACL standard permit 192.168.60.0 255.255.255.0
          access-list inside_nat0_outside extended permit ip any 10.0.0.0 255.255.255.0
          access-list inside_out extended permit tcp host 192.168.60.1 any eq smtp
          access-list inside_out extended deny tcp any any eq smtp
          access-list inside_out extended permit ip any any
          pager lines 24
          logging enable
          logging asdm debugging
          mtu inside 1500
          mtu outside 1500
          ip local pool mypool 10.0.0.100-10.0.0.150 mask 255.255.255.0
          icmp unreachable rate-limit 1 burst-size 1
          asdm image disk0:/asdm-615.bin
          no asdm history enable
          arp timeout 14400
          global (outside) 1 interface
          nat (inside) 0 access-list inside_nat0_outside
          nat (inside) 1 0.0.0.0 0.0.0.0
          static (inside,outside) tcp interface smtp 192.168.60.1 smtp netmask 255.255.255.255 dns
          static (inside,outside) tcp interface https 192.168.60.1 https netmask 255.255.255.255
          access-group inside_out in interface inside
          access-group Outside_access_in in interface outside
          route outside 0.0.0.0 0.0.0.0 *.*.*.* 1
          timeout xlate 3:00:00
          timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
          timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
          timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
          timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
          dynamic-access-policy-record DfltAccessPolicy
          aaa authentication ssh console LOCAL
          aaa authentication telnet console LOCAL
          http server enable 8443
          http 0.0.0.0 0.0.0.0 outside
          http 192.168.60.0 255.255.255.0 inside
          http 10.0.0.0 255.255.255.0 inside
          no snmp-server location
          no snmp-server contact
          snmp-server enable traps snmp authentication linkup linkdown coldstart
          crypto ipsec transform-set myset esp-3des esp-md5-hmac
          crypto ipsec security-association lifetime seconds 28800
          crypto ipsec security-association lifetime kilobytes 4608000
          crypto ipsec df-bit clear-df outside
          crypto dynamic-map dynmap 10 set pfs
          crypto dynamic-map dynmap 10 set transform-set myset
          crypto dynamic-map dynmap 10 set security-association lifetime seconds 86400
          crypto dynamic-map dynmap 10 set security-association lifetime kilobytes 4608000
          crypto map mymap 65535 ipsec-isakmp dynamic dynmap
          crypto map mymap interface outside
          crypto isakmp enable outside
          crypto isakmp policy 10
          authentication pre-share
          encryption 3des
          hash md5
          group 2
          lifetime 86400
          telnet 192.168.60.0 255.255.255.0 inside
          telnet 10.0.0.0 255.255.255.0 inside
          telnet timeout 5
          ssh timeout 5
          console timeout 0
          management-access inside
          dhcpd auto_config outside
          !
          dhcpd address 192.168.60.254-192.168.60.254 inside
          !

          threat-detection basic-threat
          threat-detection statistics access-list
          no threat-detection statistics tcp-intercept
          webvpn
          port 444
          group-policy vpnclientgroup internal
          group-policy vpnclientgroup attributes
          dns-server value 192.168.60.1
          vpn-tunnel-protocol IPSec
          split-tunnel-policy tunnelspecified
          split-tunnel-network-list value Split_Tunnel_List_ACL
          default-domain value *****.local
          username nordiclo password L.JhbZhL/SmPj96Q encrypted
          username nordiclo attributes
          service-type remote-access
          username admhenko password cdQRwUUCVQrNcELX encrypted privilege 15
          username admerik password RtGfXNzv09UdQwvP encrypted privilege 15
          tunnel-group vpnclientgroup type remote-access
          tunnel-group vpnclientgroup general-attributes
          address-pool mypool
          default-group-policy vpnclientgroup
          tunnel-group vpnclientgroup ipsec-attributes
          pre-shared-key *
          !
          class-map inspection_default
          match default-inspection-traffic
          !
          !
          policy-map type inspect dns preset_dns_map
          parameters
          message-length maximum 512
          policy-map global_policy
          class inspection_default
          inspect dns preset_dns_map
          inspect ftp
          inspect h323 h225
          inspect h323 ras
          inspect rsh
          inspect rtsp
          inspect esmtp
          inspect sqlnet
          inspect skinny
          inspect sunrpc
          inspect xdmcp
          inspect sip
          inspect netbios
          inspect tftp
          !
          service-policy global_policy global
          prompt hostname context
          Cryptochecksum:e48ca6d944943dd8582f37eddc916c26
          : end
          asdm image disk0:/asdm-615.bin
          asdm location telavox 255.255.255.0 inside
          no asdm history enable

