Cisco HAS to be able to do that. I just called support and they said it's not doable, but I refuse to believe that.
You may have better luck calling a "local" Cisco TAC phone number:
Brad Reese BradReese.Com Cisco Repair Service Experts
Trust me, I can compare since I am working for a big MSS provider (like 2000 PIX, 3500 CP, 1000 Netscreen + tons of IDS, ~2000). PIX rocks, where CP is just bullshit to even load the GUI.
/ralph
In article , snipped-for-privacy@yahoo.com wrote:
:cisco HAS to be able to do that, I just called support and they said
:its not doable but I refurse to belive that.
Cisco has to be able to do *what* ?
I re-read the thread, and couldn't make out what the problem was. Cisco has wccp2 and you don't say why that doesn't work for you: you just jumped right to a question about the exact IP address on a transaction from some undefined location to some other undefined location.
Break it down for us. You've turned on wccp, you have an outside system doing squid caching, you've added the wccp2 patch or wccpd to your squid box: now, what problem are you encountering?
Let's see if some ASCII art makes sense. I just used port 80 as an example; I want to be able to do this forwarding for port 25.
                original packet                 translated packet
src             dest.      dest.port            src             dest.          dest.port
192.168.50.100  any        25                   192.168.50.100  192.168.51.2   25

Above is the translation I want to achieve.
Check Point does this nicely with a single rule, but I can't figure out how to do this with Cisco.
In article , snipped-for-privacy@yahoo.com wrote:
:lets see if some ascii art makes sense, I just used port 80 as an
:example, I want to be able to do this forwarding for port 25.
:1. request comes in from 192.168.50.100 to
:checkpoint does this nicely with a single rule but I can't figure out
:how to do this with cisco.
Repeating myself:
Have you tried the steps listed above?
You may find The Tolly Group Lab Test of the Check Point VPN-1 NG Firewall vs. Cisco PIX 515E Firewall and Check Point VPN-1 NG Firewall vs. Juniper NetScreen-204 Firewall interesting:
Brad Reese BradReese.Com Cisco vs. Competitor Lab Tests
You can forward port 25 but this by itself will not work. You need to double-NAT so the return packet gets back to the client and not the router.
In article , Alan Strassberg wrote:
|In article ,
|Walter Roberson wrote:
|>In article ,
|> snipped-for-privacy@yahoo.com wrote:
|>:lets see if some ascii art makes sense, I just used port 80 as an
|>:example, I want to be able to do this forwarding for port 25.
| You can forward port 25 but this by itself will not work.
| You need to double-NAT so the return packet gets back
| to the client and not the router.
I'm not exactly sure which "return packet" you refer to. In the architecture requested by the OP, there is no communications between inside systems and outside, except that the filtering mailhost communicates with the outside. The only packets that need to return to the client are the packets from the filtering mailhost itself, and those return by normal mechanisms because the route-map is only set up to redirect traffic with a destination port of tcp 25, but in the return packets the destination port will be whatever random dynamic port the client allocated as its source port for the connection.
You posted essentially the same double-NAT warning before, and included a different link re: squid, but that other link didn't say anything about double-NAT either.
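For readers following the route-map discussion, here is a minimal Cisco IOS policy-based-routing configuration of the kind Walter describes. It is an added illustration, not configuration posted by anyone in the thread; the 192.168.50.0/24 inside subnet, the interface name and the route-map/ACL names are assumptions, the client and mailhost addresses come from the OP's table.

```cisco
! Match only client SMTP (TCP/25) leaving the inside LAN.
! The deny for the filtering mailhost itself keeps its own outbound
! mail from being policy-routed back to it (a forwarding loop).
ip access-list extended SMTP-REDIRECT
 deny   tcp host 192.168.51.2 any eq 25
 permit tcp 192.168.50.0 0.0.0.255 any eq 25
!
! Divert matching packets to the mailhost as next hop. Note that
! "set ip next-hop" does NOT rewrite the destination IP address:
! the packet still carries the original remote MTA as destination,
! so 192.168.51.2 must intercept it transparently (as a WCCP/squid
! style transparent proxy would). Everything else is routed normally.
route-map SMTP-TO-FILTER permit 10
 match ip address SMTP-REDIRECT
 set ip next-hop 192.168.51.2
!
! Apply on the interface where client traffic enters the router
! (interface name is an assumption). Replies from the mailhost to a
! client have the client's ephemeral port as destination, so they never
! match the ACL and return by ordinary routing, which is why no extra
! NAT is needed for that leg.
interface FastEthernet0/0
 description inside LAN 192.168.50.0/24
 ip policy route-map SMTP-TO-FILTER
```

`show route-map SMTP-TO-FILTER` displays the policy match counters, which is the quickest check that client SMTP is actually being diverted.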