
PIX 501 - Port Range for Port Forwarding


forumsviewer

Technical User
Jul 8, 2008
Is there a way to port forward a large range of ports (say 5,000 to 10,000 ports) to a specific internal IP address? I have read in other places that using STATIC port forwarding for a RANGE of ports does not work with the PIX line of firewall routers.

Because this seems like it would be a very common thing to do, I cannot believe that there are no tricks or work-arounds to getting a significant number of ports all going to one internal IP address.

Obviously inputting 5000 to 10000 lines of coding, all with the ports incremented by one, isn't the most efficient way of doing this. There has to be another way!!! Anyone have comments or suggestions on how to get a specific port range to essentially port forward to a specific internal IP address?
 
As long as it is the same external and destination IP, you can do it for the whole IP and just let the ACL define the ports allowed in a range.


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Can you expound a little bit on what you mean?

There is only one destination IP address for any of the ports that we are forwarding.
 
Great!! Then this will work for you - You forward the whole IP -

The static is a one-to-one mapping of the whole IP range -
static (inside,outside) [external_IP] [internal_IP] netmask 255.255.255.255

access-list outside_access_in permit [TCP/UDP] any [host ExternalIP] range [starting_Port#] [ending_Port#]


Apply the ACL to the outside interface -
access-group outside_access_in in interface outside




Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Are there major security conflicts by doing this? Ultimately, because of how far apart all of the port ranges are, there are going to be a ton of "open ports" that are forwarded to the inside server.

What I mean is that there are single ports such as 1111 or 2222 and then a group range like 10000 to 20000. From how I read your statements it seems as though ALL trafficked ports will be forwarded to the internal IP address?

Of course, there are more computers on the PIX network than the single internal IP that these ports are forwarded to.
 
Security wise - You asked for port forwarding a large range. That's how you do it.

Allow only what you need and block everything else. The incoming traffic is matched against the ACL and then goes through the mapping process. If it fails the ACL then it never goes any farther.

You can block specific excluded ports out of the ranges with ACL entries that precede the ACL entry with the range.

access-list inbound deny tcp any interface outside eq 1111
access-list inbound deny tcp any interface outside eq 2222
access-list inbound permit tcp any interface outside range 1000 20000

You can also use object groups. They make your ACLs easier to read but don't really help the processor.





Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Supergrrover - Thank you so much for your assistance! You are very generous with your time and expertise.

So if I understand you correctly, you can BLOCK a port range. Example:

access-list inbound deny tcp any interface outside range 1 20

access-list inbound deny tcp any interface outside range 5000 9000

(blocks all traffic between ports 20 and 9000).

or would I be better off with something like this:

access-list outside_access_in permit [TCP/UDP] any [host ExternalIP] range 21 4999

access-list outside_access_in permit [TCP/UDP] any [host ExternalIP] range 9001 20000



I guess I am a little confused on the access-lists and how they truly process the traffic. We are running a VOIP server which requires some ports open, but everything else, if from the outside (internet) in (LAN), shouldn't even hit the VOIP server. Ultimately we are primarily looking at port forwarding the appropriate VOIP ports, and SIP requires a large range of over 10000 ports.

If we only permit specific port ranges with access-list like example two above, or if we deny specific port ranges like example one above, would normal traffic to the other computers and workstations behind the PIX 501 still work and function properly?
 
Let's start with the ports you want forwarded.
Say TCP 5000 to 10000 needs to be forwarded to your internal server but you don't need port 5900 and 7000 to 8000. Access lists are processed from top down. The first ACE that they match is used.

access-list outside_access_in deny TCP any [host ExternalIP] eq 5900
access-list outside_access_in deny TCP any [host ExternalIP] range 7000 8000
access-list outside_access_in permit TCP any [host ExternalIP] range 5000 10000
access-list outside_access_in deny ip any any

The last line is put in for completeness and troubleshooting but there is an implied deny any any at the end of any ACL.

Hitting port 5900 gets blocked, ports 7000-8000 get blocked and all remaining ports out of 5000-10000 get forwarded. Anything outside of those gets blocked by default but shows on our deny ip any any entry.

All traffic that goes through the adaptive security algorithm gets put into a state table so inbound entries are added as needed to match traffic flows from the inside out so return traffic can get back to the internal requester.

Since you are using SIP take a look at these -

for caveats take a look at this and make sure you have a fixed os version -


Brent
Systems Engineer / Consultant
CCNP, CCSP
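To make the top-down, first-match rule concrete, here is a small Python model of the outside_access_in list from the post above. It is an added example written for this page, not PIX code or anything from the thread: the external address 203.0.113.10 is an assumed stand-in for [host ExternalIP], the source is always "any" as in the posted lines so it is not modelled, and the static NAT step and the state table are left out. It evaluates packets against the four ACEs, reports which ACE decided, renders each ACE back into PIX access-list syntax, and flags ACEs that can never be hit when the permit for the range is placed above the denies.

```python
"""First-match model of the PIX outside_access_in ACL discussed above (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ACL_NAME = "outside_access_in"
EXTERNAL_IP = "203.0.113.10"   # assumed stand-in for [host ExternalIP] (documentation range)
ANY = "any"


@dataclass(frozen=True)
class Ace:
    """One access-control entry: action, protocol, destination host, destination port range.
    Source is always 'any' in the thread's examples, so it is not modelled here."""
    action: str   # "permit" or "deny"
    proto: str    # "tcp", "udp" or "ip" ("ip" matches both)
    dst: str      # destination host address or ANY
    lo: int       # first destination port (1..65535)
    hi: int       # last destination port

    def covers(self, proto: str, dst: str, lo: int, hi: int) -> bool:
        """True if this ACE matches every packet in the given proto/dst/port box."""
        return ((self.proto == "ip" or self.proto == proto)
                and (self.dst == ANY or self.dst == dst)
                and self.lo <= lo and hi <= self.hi)

    def matches(self, proto: str, dst: str, port: int) -> bool:
        return self.covers(proto, dst, port, port)


def evaluate(acl: List[Ace], proto: str, dst: str, port: int) -> Tuple[str, Optional[int]]:
    """Walk the ACL top down; the first matching ACE decides.
    Returns (action, index); index is None when only the implicit deny applied."""
    for i, ace in enumerate(acl):
        if ace.matches(proto, dst, port):
            return ace.action, i
    return "deny", None   # implicit deny at the end of every ACL


def shadowed(acl: List[Ace]) -> List[int]:
    """Indices of ACEs that can never be hit because an earlier ACE covers their whole range."""
    out = []
    for j, later in enumerate(acl):
        for earlier in acl[:j]:
            if earlier.covers(later.proto, later.dst, later.lo, later.hi):
                out.append(j)
                break
    return out


def to_pix(ace: Ace, name: str = ACL_NAME) -> str:
    """Render an ACE in PIX access-list syntax (eq for a single port, range otherwise)."""
    dst = ANY if ace.dst == ANY else f"host {ace.dst}"
    if ace.lo == 1 and ace.hi == 65535:
        ports = ""
    elif ace.lo == ace.hi:
        ports = f" eq {ace.lo}"
    else:
        ports = f" range {ace.lo} {ace.hi}"
    return f"access-list {name} {ace.action} {ace.proto} any {dst}{ports}"


# The ordering from the post: specific denies first, then the permitted range, then deny-all.
OUTSIDE_ACCESS_IN = [
    Ace("deny",   "tcp", EXTERNAL_IP, 5900, 5900),
    Ace("deny",   "tcp", EXTERNAL_IP, 7000, 8000),
    Ace("permit", "tcp", EXTERNAL_IP, 5000, 10000),
    Ace("deny",   "ip",  ANY,         1,    65535),
]

# Same four ACEs with the permit moved to the top: the two denies become unreachable.
MISORDERED = [OUTSIDE_ACCESS_IN[2], OUTSIDE_ACCESS_IN[0],
              OUTSIDE_ACCESS_IN[1], OUTSIDE_ACCESS_IN[3]]

if __name__ == "__main__":
    for ace in OUTSIDE_ACCESS_IN:
        print(to_pix(ace))
    # constructed sample packets: proto and destination port toward the static's external IP
    for proto, port in [("tcp", 5900), ("tcp", 7500), ("tcp", 6000), ("tcp", 4000), ("udp", 6000)]:
        print(proto, port, evaluate(OUTSIDE_ACCESS_IN, proto, EXTERNAL_IP, port))
    print("shadowed ACEs in the misordered list:", shadowed(MISORDERED))
```

The UDP probe is the caveat worth noticing: every ACE in the posted list is TCP, so a UDP datagram to port 6000 falls through to the deny-all even though 6000 is inside the "forwarded" range. SIP signalling and the RTP media streams behind it are commonly carried over UDP, so a VOIP deployment will usually need matching udp entries alongside the tcp ones.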
 
Supergrrover - I have that information in the access list already (range XXXX XXXX) but your coding above says [host ExternalIP].... I have "any" in place of that and it still does not work. Also, if I have to put an actual external IP address there, how could I do that when the server it is coming from can change frequently, or there are many servers with dozens of IP addresses as the external IP addresses that the source is coming from?
 