PIX 501 problem with traffic

Hi, I have a problem with traffic from the internal network to the external interface of my PIX 501. Because I have one public IP (e.g. 1.2.3.4), I defined port forwarding.

(...)
access-list outside_in permit udp any any eq domain
access-list outside_in permit tcp any any eq domain
access-list outside_in permit tcp any any eq smtp

access-list inside_in permit tcp any any eq domain
access-list inside_in permit udp any any eq domain
access-list inside_in permit tcp any any eq smtp
(...)
static (inside,outside) tcp interface domain 192.168.50.2 domain netmask 255.255.255.255 0 0
static (inside,outside) udp interface domain 192.168.50.2 domain netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 192.168.50.2 smtp netmask 255.255.255.255 0 0
(...)

And I can't connect to port 25 on IP 1.2.3.4, but only from my internal network 192.168.50.0/24. What is wrong? Port forwarding?

Thanks

tomalo


In article , Tomalo wrote:
: Hi, I have a problem with traffic from the internal network to the external interface of
: my PIX 501.
: Because I have one public IP (e.g. 1.2.3.4), I defined port forwarding.

The configuration statements you included all look reasonable.

When you are not able to connect to 1.2.3.4 port 25, are you starting from "outside" the PIX or "inside" the PIX?

If you are starting from "inside" the PIX, then you cannot do what you are attempting to do. The PIX 501 will never accept traffic on an interface, translate it, and forward it back out the -same- interface, as would be required in order for an inside system to use the public IP and have the port forwarded to the appropriate inside host.

There are a few different ways to deal with this. The more reasonable ones have you use the host *name* instead of the host *address*, and then arrange so that "inside" the PIX the name resolves to the internal IP but outside the PIX the name resolves to the public IP. This often involves adding the 'dns' keyword to your "static" statements, and -might- involve changing data in your DNS server.

Walter Roberson
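Added example, not from the thread or from either poster: the "change data in your DNS server" route Walter mentions, done as a split-horizon BIND 9 configuration on the internal DNS server (192.168.50.2, the host the static statements forward port 53 to). The zone name example.com, the host name "mail", the ACL name and the zone file names are assumptions; only 192.168.50.0/24, 192.168.50.2 and 1.2.3.4 come from the thread.

```conf
# Added example, not from the thread. Assumes BIND 9 running on the
# internal DNS server 192.168.50.2. Zone name, host name "mail", ACL
# name and zone file names are assumptions.

acl "inside-net" { 192.168.50.0/24; 127.0.0.1; };

# Queries arriving from the LAN get the private address, so an inside
# client that connects to mail.example.com:25 goes straight to
# 192.168.50.2 and never has to hairpin through the PIX outside interface.
view "inside" {
    match-clients { "inside-net"; };
    recursion yes;
    zone "example.com" {
        type master;
        file "db.example.com.inside";    # contains: mail  IN  A  192.168.50.2
    };
};

# Everything else (Internet hosts reaching this server through the
# forwarded port 53) gets the public address; the existing smtp static
# then forwards their port 25 connections to the same inside host.
view "outside" {
    match-clients { any; };
    recursion no;                        # answer only for our own zones
    zone "example.com" {
        type master;
        file "db.example.com.outside";   # contains: mail  IN  A  1.2.3.4
    };
};
```

With this in place the inside hosts must use the name (mail.example.com) rather than the literal 1.2.3.4; the check is a lookup of the name from an inside host (expect 192.168.50.2) and from an outside one (expect 1.2.3.4). The two zone files are identical apart from that one A record, and every zone the server serves has to live inside a view once any view is defined.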

Thanks, I will try

tomalo
