Pix static map port range

Discussion in 'Cisco' started by peter breugel, Jan 7, 2005.

  1. I can't seem to work out the right syntax to map a RANGE of ports to a
    particular internal IP. The application is a Vonage VOIP device. I need
    to map a number of ports to this device. I can create an object group that
    represents the specific ports and / or range of ports that I want to
    map. I can use this in the access-list, but I can't use it in any way
    that I can think of to map an object-group or a NAME to the internal
    address of the device. I hate describing the ports in more than one
    place, and I don't want to have a bunch of static map statements when a
    range or an object group will do...

    For example, here is the group for the access-list

    name 192.168.1.11 vonage

    object-group service sipudp udp
    port-object range 10050 10053

    How can I use a group object rather than map port by port, e.g.:

    ; This looks stupid to me and is impractical for a lot of ports such
    static (inside,outside) udp interface 10050 vonage 10050 netmask 255.255.255.255 0 0
    static (inside,outside) udp interface 10051 vonage 10051 netmask 255.255.255.255 0 0
    static (inside,outside) udp interface 10052 vonage 10052 netmask 255.255.255.255 0 0
    static (inside,outside) udp interface 10053 vonage 10053 netmask 255.255.255.255 0 0

    Am I trying to do something that the Pix can't do? I tried defining a
    group-object as a protocol as well as a service without success. Maybe I
    didn't do it right.

    This seems really strange. Did Cisco define something that I missed?
    Don't flame me.. I am pretty sure that this is a Homer Simpson thing.. :)
    peter breugel, Jan 7, 2005
    #1

  2. In article <crktj5$mak$>,
    peter breugel <> wrote:
    :I can't seem to work out the right syntax to map a RANGE of ports to a
    :particular internal IP.

    I'm not -sure- this will work, but try this:

    name 192.168.1.11 vonage

    object-group service sipudp udp
    port-object range 10050 10053

    access-list SipPortMap permit udp host vonage object-group sipudp any

    nat (inside) 1 access-list SipPortMap

    static (inside, outside) interface access-list SipPortMap
    --
    Most Windows users will run any old attachment you send them, so if
    you want to implicate someone you can just send them a Trojan
    -- Adam Langley
    Walter Roberson, Jan 7, 2005
    #2

  3. For the PIX to support SIP calls, signaling messages for media connection
    addresses, media ports and embryonic connections must be inspected, so
    first verify that the PIX is configured to inspect it.

    Here you can specify a port range:

    fixup protocol sip udp 10050-10053

    You can then verify all active SIP connections with:

    show conn state sip
    AJN, Jan 7, 2005
    #3
  4. Walter Roberson wrote:
    > In article <crktj5$mak$>,
    > peter breugel <> wrote:
    > :I can't seem to work out the right syntax to map a RANGE of ports to a
    > :particular internal IP.
    >
    > I'm not -sure- this will work, but try this:
    >
    > name 192.168.1.11 vonage
    >
    > object-group service sipudp udp
    > port-object range 10050 10053
    >
    > access-list SipPortMap permit udp host vonage object-group sipudp any
    >
    > nat (inside) 1 access-list SipPortMap
    >
    > static (inside, outside) interface access-list SipPortMap


    Sadly that doesn't work. It sounds right, but the error message seems to
    imply that the static mapping just doesn't WANT to allow a port range.

    Setting up the list and then mapping using the suggested syntax
    static (inside, outside) interface access-list SipPortMap

    returns

    "ERROR: access-list port specifies a range"

    -p-
    peter breugel, Jan 25, 2005
    #4
  5. AJN wrote:
    > For the PIX to support SIP calls, signaling messages for media connection
    > addresses, media ports and embryonic connections must be inspected, so
    > first verify that the PIX is configured to inspect it.
    >
    > Here you can specify a port range:
    >
    > fixup protocol sip udp 10050-10053
    >
    > You can then verify all active SIP connections with:
    >
    > show conn state sip
    >
    >

    I have the fixup statement, but without static mapping of the ports to
    the device it won't work.
    peter breugel, Jan 25, 2005
    #5
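
The thread ends with `static` rejecting a port range, so one way to keep the range defined in a single place is to generate the per-port `static` lines from the `object-group` itself. This is an added example, not part of any post: the function names and the embedded sample config are constructed here, and the `static` line format is copied from the first post.

```python
import re

# Constructed sample: the name and object-group from the first post.
SAMPLE_CONFIG = """\
name 192.168.1.11 vonage
object-group service sipudp udp
port-object range 10050 10053
"""

def parse_service_groups(config):
    """Return {group: (protocol, sorted ports)} from object-group service blocks."""
    groups, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"object-group service (\S+) (tcp|udp)$", line)
        if m:
            current = m.group(1)
            groups[current] = (m.group(2), set())
            continue
        m = re.match(r"port-object range (\d+) (\d+)$", line)
        if m and current:
            lo, hi = int(m.group(1)), int(m.group(2))
            if not 0 < lo <= hi <= 65535:
                raise ValueError(f"bad port range in {current}: {line}")
            groups[current][1].update(range(lo, hi + 1))
            continue
        # Only numeric ports are handled; named services are out of scope here.
        m = re.match(r"port-object eq (\d+)$", line)
        if m and current:
            groups[current][1].add(int(m.group(1)))
            continue
        if line:
            current = None  # any other command ends the object-group block
    return {n: (p, sorted(ports)) for n, (p, ports) in groups.items()}

def static_lines(config, group, host):
    """Expand one service group into one static port mapping per port."""
    proto, ports = parse_service_groups(config)[group]
    return [f"static (inside,outside) {proto} interface {p} {host} {p} "
            "netmask 255.255.255.255 0 0" for p in ports]

if __name__ == "__main__":
    print("\n".join(static_lines(SAMPLE_CONFIG, "sipudp", "vonage")))
```

Generating the statics from the same object-group that the access-list references keeps the forwarded ports and the permitted ports identical.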
