checkpoint can cisco can't !!

Unnn-believable,

cisco HAS to be able to do that, I just called support and they said it's not doable but I refuse to believe that.

Reply to
news8080

You may have better luck calling a "local" Cisco TAC phone number:

formatting link
or your local Cisco Sales Office:

formatting link
Sincerely,

Brad Reese BradReese.Com Cisco Repair Service Experts

formatting link
Hendersonville Road, Suite 17 Asheville, North Carolina USA 28803 USA/Canada: 877-549-2680 International: 828-277-7272 United Kingdom: 44-20-70784294

Reply to
www.BradReese.Com


Trust me, I can compare since I am working for a big MSS provider (like, 2000 PIX, 3500 CP, 1000 Netscreen + tons of IDS ~ 2000), PIX rocks where CP is just a bullshit to even load the GUI.

/ralph

Reply to
Ralph (c)

In article , snipped-for-privacy@yahoo.com wrote:
:Unnn-believable,
:
:cisco HAS to be able to do that, I just called support and they said
:it's not doable but I refuse to believe that.

Cisco has to be able to do *what* ?

I re-read the thread, and couldn't make out what the problem was. Cisco has wccp2 and you don't say why that doesn't work for you: you just jumped right to a question about the exact IP address on a transaction from some undefined location to some other undefined location.

Break it down for us. You've turned on wccp, you have an outside system doing squid caching, you've added the wccp2 patch or wccpd to your squid box: now, what problem are you encountering?

Reply to
Walter Roberson

Let's see if some ASCII art makes sense. I just used port 80 as an example; I want to be able to do this forwarding for port 25.

original packet                       translated packet
src             dest.    dest.port    src             dest.          dest.port
192.168.50.100  any      25           192.168.50.100  192.168.51.2   25

Above is the translation I want to achieve

  1. request comes in from 192.168.50.100 to
    formatting link
  2. router intercepts the request and forwards it to another internal host running a mail server on port 25.
  3. client 192.168.50.100 gets a response as if it came from
    formatting link

checkpoint does this nicely with a single rule but I can't figure out how to do this with cisco.


Reply to
news8080

In article , snipped-for-privacy@yahoo.com wrote:
:Let's see if some ASCII art makes sense. I just used port 80 as an
:example; I want to be able to do this forwarding for port 25.
:
:1. request comes in from 192.168.50.100 to
:formatting link
:2. router intercepts the request and forwards it to another internal
:host running a mail server on port 25.
:3. client 192.168.50.100 gets a response as if it came from
:formatting link
:
:checkpoint does this nicely with a single rule but I can't figure out
:how to do this with cisco.

Repeating myself:

Have you tried the steps listed above?


Reply to
Walter Roberson

You may find The Tolly Group Lab Test of the Check Point VPN-1 NG Firewall vs. Cisco PIX 515E Firewall and Check Point VPN-1 NG Firewall vs. Juniper NetScreen-204 Firewall interesting:

formatting link
Sincerely,

Brad Reese BradReese.Com Cisco vs. Competitor Lab Tests


Reply to
www.BradReese.Com

You can forward port 25 but this by itself will not work. You need to double-NAT so the return packet gets back to the client and not the router.

formatting link
alan

Reply to
Alan Strassberg

In article , Alan Strassberg wrote:
|In article ,
|Walter Roberson wrote:
|>In article ,
|> snipped-for-privacy@yahoo.com wrote:
|>:Let's see if some ASCII art makes sense. I just used port 80 as an
|>:example; I want to be able to do this forwarding for port 25.
|
| You can forward port 25 but this by itself will not work.
| You need to double-NAT so the return packet gets back
| to the client and not the router.
|
|formatting link
That's a useful article, but it doesn't support what you say about double-NAT. It shows a simple route-map with no NAT, and everything else taken care of within the relay mail host.

I'm not exactly sure which "return packet" you refer to. In the architecture requested by the OP, there is no communications between inside systems and outside, except that the filtering mailhost communicates with the outside. The only packets that need to return to the client are the packets from the filtering mailhost itself, and those return by normal mechanisms because the route-map is only set up to redirect traffic with a destination port of tcp 25, but in the return packets the destination port will be whatever random dynamic port the client allocated as its source port for the connection.

You posted essentially the same double-NAT warning before, and included a different link re: squid, but that other link didn't say anything about double-NAT either.

Reply to
Walter Roberson
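As an added illustration of the route-map approach Walter describes (this is not configuration posted by anyone in the thread or taken from the linked article), here is what policy-based routing of client SMTP traffic to the relay looks like on an IOS router. The client host 192.168.50.100, the relay 192.168.51.2 and tcp/25 come from the thread; the interface names, the router's own addresses, the /24 subnets and the ACL and route-map names are assumptions.

```cisco
! Assumed topology: FastEthernet0/0 faces the client LAN 192.168.50.0/24,
! FastEthernet0/1 faces the relay LAN 192.168.51.0/24 (hypothetical names).
ip access-list extended SMTP-REDIRECT
 ! never policy-route the relay's own outbound SMTP, or it would loop back to itself
 deny   tcp host 192.168.51.2 any eq smtp
 ! only client traffic whose *destination* port is tcp/25 is redirected;
 ! return packets from the relay carry the client's ephemeral port as the
 ! destination and therefore never match this entry
 permit tcp 192.168.50.0 0.0.0.255 any eq smtp
!
route-map SMTP-TO-RELAY permit 10
 match ip address SMTP-REDIRECT
 set ip next-hop 192.168.51.2
!
interface FastEthernet0/0
 ip address 192.168.50.1 255.255.255.0
 ! policy applies to packets arriving on the client-facing interface only
 ip policy route-map SMTP-TO-RELAY
!
interface FastEthernet0/1
 ip address 192.168.51.1 255.255.255.0
!
! verification: the match counter under "Policy routing matches" should
! increase as clients open SMTP connections
! show route-map SMTP-TO-RELAY
```

Note what this does and does not do. The destination address in the client's packet is left untouched; the router only overrides the next hop, so 192.168.51.2 receives a TCP segment addressed to some outside mail server and must itself be configured to accept connections for addresses that are not its own (this is the part Walter says is "taken care of within the relay mail host"). Replies from the relay arrive on FastEthernet0/1, where no policy is applied, and are routed back to 192.168.50.100 normally. If the relay and the clients shared a segment, the relay's own outbound SMTP would hit the policy, which is why the deny entry is there.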

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.