Port forwarding a range with Cisco ASA 5500

Apple Of Sodom

Golden Member
Oct 7, 2007
I am setting up a Cisco ASA 5505. I know how to forward a certain port (static rule and all that.) Now I want to port forward a range of ports because I will be running a passive sFTP server.

Using the GUI, how do I simply forward a port range to a single source? Surely I don't have to add a static rule for each port.
 

jlazzaro

Golden Member
May 6, 2004
I've never known of a way to NAT a specific port range on the ASA... major oversight ;/ If you use a 1-on-1 mapping without specifying the port number, all ports are forwarded. Then use an access-list with the port range to control access.

static (inside,outside) a.a.a.a b.b.b.b netmask 255.255.255.255

a.a.a.a = public
b.b.b.b = private
 

Tommouse

Senior member
Feb 29, 2004
If I understand your question correctly, you can do what jlazzaro said, but I'll add on to that: you will probably need to open up said ports in whatever ACL the traffic will be hitting, if not done so already.

IE:
object-group service PassiveFTP tcp
port-object range 7000 7010
access-list inbound_ACL extended permit tcp any host a.a.a.a object-group PassiveFTP
static (inside,outside) a.a.a.a b.b.b.b netmask 255.255.255.255

a.a.a.a = public
b.b.b.b = private


 

jlazzaro

Golden Member
May 6, 2004
Originally posted by: Tommouse
object-group service PassiveFTP tcp
port-object range 7000 7010
access-list inbound_ACL extended permit tcp any host a.a.a.a object-group PassiveFTP
static (inside,outside) a.a.a.a b.b.b.b netmask 255.255.255.255
access-group inbound_ACL in interface outside
:)
 

Tommouse

Senior member
Feb 29, 2004
Originally posted by: jlazzaro
Originally posted by: Tommouse
object-group service PassiveFTP tcp
port-object range 7000 7010
access-list inbound_ACL extended permit tcp any host a.a.a.a object-group PassiveFTP
static (inside,outside) a.a.a.a b.b.b.b netmask 255.255.255.255
access-group inbound_ACL in interface outside
:)
ah yes ... that part is important

a :beer: for you :)
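
Because the 1:1 static in this thread translates every port, the ACL bound to the outside interface is the only thing limiting what reaches the server. The following is an added example, not code from any poster: a small Python check that reads a config in the syntax shown above and reports which TCP port ranges are actually permitted to each statically mapped public address. The function name, the sample addresses (documentation ranges) and the numeric-ports-only parsing are assumptions.

```python
# Added example: handles numeric ports and the pre-8.3 "static" syntax from the thread only.
def exposed_tcp_ports(config, iface="outside"):
    """Per statically NATed public IP, the TCP port ranges permitted from
    'any' by the ACL bound inbound on iface (empty list = nothing reachable)."""
    groups, acls, statics, bound, current = {}, {}, [], None, None
    for line in config.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[:2] == ["object-group", "service"]:
            current = groups.setdefault(tok[2], [])
        elif tok[0] == "port-object" and current is not None:
            if tok[1] == "range":
                current.append((int(tok[2]), int(tok[3])))
            elif tok[1] == "eq":
                current.append((int(tok[2]), int(tok[2])))
        else:
            current = None
            if (tok[0] == "access-list" and len(tok) >= 8
                    and tok[2:7] == ["extended", "permit", "tcp", "any", "host"]):
                acls.setdefault(tok[1], []).append((tok[7], tok[8:]))
            elif tok[0] == "static" and len(tok) >= 4 and tok[2] not in ("tcp", "udp"):
                statics.append(tok[2])  # 1:1 mapping: every port is translated
            elif tok[0] == "access-group" and tok[2:] == ["in", "interface", iface]:
                bound = tok[1]  # the ACL only takes effect once it is bound
    result = {}
    for pub in statics:
        ranges = []
        for dst, spec in acls.get(bound, []):
            if dst != pub:
                continue
            if not spec:
                ranges.append((1, 65535))  # no port qualifier: all TCP ports open
            elif spec[0] == "object-group":
                ranges += groups.get(spec[1], [])
            elif spec[0] == "range":
                ranges.append((int(spec[1]), int(spec[2])))
            elif spec[0] == "eq":
                ranges.append((int(spec[1]), int(spec[1])))
        result[pub] = sorted(ranges)
    return result

# Constructed sample: the thread's config with documentation addresses filled in.
SAMPLE = """\
object-group service PassiveFTP tcp
 port-object range 7000 7010
access-list inbound_ACL extended permit tcp any host 203.0.113.10 object-group PassiveFTP
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255
access-group inbound_ACL in interface outside
"""

if __name__ == "__main__":
    print(exposed_tcp_ports(SAMPLE))
```

An empty list for an address means the ACL is missing or not bound with access-group, and a (1, 65535) entry means the permit line has no port qualifier, so the whole 1:1 mapping is reachable.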