PIX 501 Multiple Outside Ports to Single Inside Port
Posted by Paul Smedshammer on May 1, 2008, 8:15 pm
I'm trying to fix our remote e-mail folks. I have no problem forwarding a single port from the outside to the inside. So say outside port 25 is forwarded to our internal e-mail server on port 25.

What I'm trying to do is forward two outside ports, 25 and 587, to our inside server listening on port 25. Is this possible with a PIX 501?

We are currently using:

    static (inside,outside) tcp interface smtp 10.0.0.2 smtp netmask 255.255.255.255 0 0

If I add another line in, say:

    static (inside,outside) tcp interface 587 10.0.0.2 smtp netmask 255.255.255.255 0 0

I get an error about overlapping. This has to be possible; I'm just going about it wrong. I have scoured the web and I can see how it can be done in a Linux environment with iptables, but I have not found a reference for doing this on a Cisco PIX.

Posted by flamer die.spam@hotmail.com on May 1, 2008, 9:20 pm
    object-group service MyMail tcp
      port-object eq smtp
      port-object eq 587
      exit
    static (inside,outside) tcp interface MyMail 10.0.0.2 smtp netmask 255.255.255.255 0 0

I haven't got anything here to test it with, but it should put you on the right track at least. Now, if the port-forward command doesn't like the service name in there, you just need to use an access-list in your NAT statement instead. Lots of examples on cisco.com.

Flamer.

Posted by Brian V on May 1, 2008, 10:08 pm
No, you cannot do that. While logically it would work inbound, it would break going out. How would the SMTP packet know which port to PAT to on the way out? This is the same reason why you cannot have multiple publics NAT'd to a single private.

Posted by Paul Smedshammer on May 2, 2008, 12:05 am
> > PIX 501 Multiple Outside Ports to Single Inside Port.
> >
> > What I'm trying to do is forward two outside ports, 25 and 587, to
> > our inside server listening on port 25. Is this possible with a PIX
> > 501?
> >
> > We are currently using:
> >
> > static (inside,outside) tcp interface smtp 10.0.0.2 smtp netmask
> > 255.255.255.255 0 0
> >
> > If I add another line in, say:
> >
> > static (inside,outside) tcp interface 587 10.0.0.2 smtp netmask
> > 255.255.255.255 0 0
> >
> > I get an error about overlapping. This has to be possible; I'm just
> > going about it wrong. I have scoured the web and I can see how it
> > can be done in a Linux environment with iptables, but I have not
> > found a reference for doing this on a Cisco PIX.
>
> No, you cannot do that. While logically it would work inbound, it would
> break going out. How would the SMTP packet know which port to PAT to
> on the way out? This is the same reason why you cannot have multiple
> publics NAT'd to a single private.

I was worried about that. So this is really something I can't do. I need to find another way to have our e-mail server listen on two different ports and then forward both those ports from the PIX. Thanks, I have been beating my head at this for a while and was thinking that maybe it can't be done.

Posted by Morph on May 2, 2008, 4:21 am
Paul Smedshammer wrote:

> > > PIX 501 Multiple Outside Ports to Single Inside Port.
> > >
> > > What I'm trying to do is forward two outside ports, 25 and 587, to
> > > our inside server listening on port 25. Is this possible with a PIX
> > > 501?
> > >
> > > We are currently using:
> > >
> > > static (inside,outside) tcp interface smtp 10.0.0.2 smtp netmask
> > > 255.255.255.255 0 0
> > >
> > > If I add another line in, say:
> > >
> > > static (inside,outside) tcp interface 587 10.0.0.2 smtp netmask
> > > 255.255.255.255 0 0
> > >
> > > I get an error about overlapping. This has to be possible; I'm just
> > > going about it wrong. I have scoured the web and I can see how it
> > > can be done in a Linux environment with iptables, but I have not
> > > found a reference for doing this on a Cisco PIX.
> >
> > No, you cannot do that. While logically it would work inbound, it would
> > break going out. How would the SMTP packet know which port to PAT to
> > on the way out? This is the same reason why you cannot have multiple
> > publics NAT'd to a single private.
>
> I was worried about that. So this is really something I can't do. I
> need to find another way to have our e-mail server listen on two
> different ports and then forward both those ports from the PIX. Thanks,
> I have been beating my head at this for a while and was thinking that
> maybe it can't be done.

How about putting a second IP address on your server and then setting it to listen on that address using the second port you need? Then you won't have a problem forwarding the port on the PIX, since you will be forwarding the port to another address.
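The second-address approach above, written out as a full PIX configuration fragment. This is an added example and not config posted by anyone in the thread. It assumes the PIX 6.x syntax the original poster is already using, a second inside address 10.0.0.3 configured on the mail server, and that the server listens for submission on 10.0.0.3:587. The access-list name outside_in and the use of the `interface outside` keyword in the access-list lines are assumptions; if your PIX release rejects that keyword there, substitute the outside interface's address.

```cisco
! Added example, not from the thread. Assumes PIX 6.x syntax, a second
! inside address 10.0.0.3 on the mail server, and a listener on 10.0.0.3:587.

! Existing forward: outside:25 -> 10.0.0.2:25 (unchanged from the thread)
static (inside,outside) tcp interface smtp 10.0.0.2 smtp netmask 255.255.255.255 0 0

! New forward on a different real address: outside:587 -> 10.0.0.3:587
! Each real ip:port and each mapped port is now unique, so nothing overlaps.
static (inside,outside) tcp interface 587 10.0.0.3 587 netmask 255.255.255.255 0 0

! A static alone does not admit traffic; the outside ACL must permit it.
! Permit only the two ports to the outside interface address, not "any".
access-list outside_in permit tcp any interface outside eq smtp
access-list outside_in permit tcp any interface outside eq 587
access-group outside_in in interface outside
```

Two things to check once this is in place. First, verify from outside that only 25 and 587 answer on the public address; a port-forward that opened more than intended is a common finding. Second, port 587 is the message-submission port and is meant for authenticated clients: make sure the listener on 10.0.0.3:587 requires authentication (and STARTTLS if the server supports it), otherwise you have simply exposed a second unauthenticated relay path rather than a submission service for your remote users.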