Re: [fw-wiz] NAT a range of TCP ports to an internal IP address on pix 506E

More specifically - your inbound NAT already encompasses port 80; the
new one is a one-for-one NAT instead of more-specific ports.

The added static must be:

static (inside,outside) tcp x.x.x.x VoIP-port1 192.168.1.6 VoIP-port1 netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.x VoIP-port2 192.168.1.6 VoIP-port2 netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.x VoIP-port3 192.168.1.6 VoIP-port3 netmask 255.255.255.255 0 0
....

You can cheat/easily manage this better by creating an object-group; you
can create one for protocols, networks, or services (IP ports).

If you create an "object-group service" and specify your VoIP ports (TCP
or UDP), your static could be one line instead of 62:

static (inside,outside) tcp x.x.x.x object-group VoIP-Group 192.168.1.6 VoIP-Group netmask 255.255.255.255 0 0

This makes management easier since you don't have to input 62 lines of
static configurations with the equivalent inbound ACL changes as well
(you can use object-groups as part of any configuration task).

HTH,
Brandon

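An added example, not from the thread or from Cisco: a small Python model of why the one-for-one static collides with the existing port statics on the same outside address while per-port statics for 49152-49214 do not, plus a generator for those per-port lines. It assumes the thread's own placeholders (x.x.x.x, server) and the PIX 6.3 per-port static syntax shown above; it does not talk to a PIX.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Static:
    # One PIX 'static' entry; proto None means a one-for-one (all ports) static.
    proto: Optional[str]
    global_ip: str
    global_port: Optional[int]
    local_ip: str
    local_port: Optional[int]

    def conflicts_with(self, other: "Static") -> bool:
        # Same mapped (global) address is the prerequisite; a one-for-one static
        # then claims every port, so it overlaps any port static on that address.
        if self.global_ip != other.global_ip:
            return False
        if self.proto is None or other.proto is None:
            return True
        return self.proto == other.proto and self.global_port == other.global_port

    def to_cli(self) -> str:
        if self.proto is None:
            body = f"{self.global_ip} {self.local_ip}"
        else:
            body = f"{self.proto} {self.global_ip} {self.global_port} {self.local_ip} {self.local_port}"
        return f"static (inside,outside) {body} netmask 255.255.255.255 0 0"

def port_range_statics(global_ip: str, local_ip: str, first: int, last: int) -> List[Static]:
    # Per-port TCP statics for an inclusive range, each port mapped to itself.
    return [Static("tcp", global_ip, p, local_ip, p) for p in range(first, last + 1)]

def find_conflicts(existing: List[Static], proposed: List[Static]) -> List[Tuple[Static, Static]]:
    # (proposed, existing) pairs the PIX would reject with "mapped-address conflict".
    return [(p, e) for p in proposed for e in existing if p.conflicts_with(e)]

# Constructed sample mirroring the thread's warnings: three port statics already on
# the outside address ("x.x.x.x" and "server" are the thread's own placeholders).
EXISTING = [Static("tcp", "x.x.x.x", port, "server", port) for port in (80, 25, 110)]

def one_for_one_conflicts() -> int:
    # The command that failed in the thread; counts the statics it collides with.
    return len(find_conflicts(EXISTING, [Static(None, "x.x.x.x", None, "192.168.1.6", None)]))

def voip_range_config() -> List[str]:
    # Per-port statics for 49152-49214, emitted only when none collides with EXISTING.
    proposed = port_range_statics("x.x.x.x", "192.168.1.6", 49152, 49214)
    if find_conflicts(EXISTING, proposed):
        raise ValueError("requested range overlaps an existing static")
    return [s.to_cli() for s in proposed]
```

The generated lines still need matching inbound access-list entries, as the reply notes; the checker only covers the translation side.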
-----Original Message-----
From: firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx
[mailto:firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of
kevin horvath
Sent: Thursday, January 24, 2008 9:18 PM
To: Firewall Wizards Security Mailing List
Subject: Re: [fw-wiz] NAT a range of TCP ports to an internal IP address on pix 506E

You already have a translation. Do a "sh nat" and see where the
conflict is and then remove or modify the translations.

On Jan 23, 2008 1:50 PM, Chris Smith <chris.smith@xxxxxxxxxxx> wrote:
Best regards firewall list readers!

We have a Cisco pix 506E running software version 6.3(5).

We also have a VOIP server on the internal network at 192.168.1.6. We
need to NAT a range of TCP ports to this VOIP server. The port range is
49152 through 49214.

The connections come in from the internet and need to be natted
through the pix to this internal VOIP server.
We believe we already have the access list rules in place to allow the
connections. We just need a translation rule to allow this group of
ports.


The IP address of the internal interface on the pix is 192.168.1.2

The command that is not working is:

static (inside,outside) x.x.x.x 192.168.1.6

We are currently getting this error when trying to setup the rule.

WARNING: mapped-address conflict with existing static
tcp from inside:server/80 to outside:x.x.x.x/80 netmask 255.255.255.255
WARNING: mapped-address conflict with existing static
tcp from inside:server/25 to outside:x.x.x.x/25 netmask 255.255.255.255
WARNING: mapped-address conflict with existing static
tcp from inside:server/110 to outside:x.x.x.x/110 netmask 255.255.255.255

Any insight is appreciated.
Thanks to all.
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards