Port forward from one PIX over VPN to server in different subnet

Hi, we have 2 Cisco PIXes, one at each of our 2 sites, with an IPsec VPN tunnel between the 2 working perfectly. I want to forward port 25 and port 443 from the WAN IP of the PIX at site A to a LAN IP of a server at site B.

I have tried all the normal static mappings that work fine where it's all on the same site, but cannot get this setup to work. I'm not even sure if it's possible. Any help or pointers very much appreciated.

thanks, Brian.


Well, you do not mention the version you are running, but I do not think it will work: when the PIX receives the request for 443 and 25 on the outside interface it has to send the packet back out of the outside interface, which is not allowed in PIX 6.x code. Not sure if 7 would work either.

Chad Mahoney

What you could do, if you have an extra router, is bring the request inside the PIX to a router, then have the router route the traffic back across the VPN tunnel, maybe?

Chad Mahoney

User Brian wrote:

If you have 6.3 or later, use the static command and ACL permit functions, but this forward is probably not possible (AS algorithm) (LAN side A -> WAN side B). You must forward WAN IP side A to WAN IP side B; it will work correctly.

Krzysztof Sobieraj


Hi, how can I forward a WAN-side port to another WAN-side port, though (using just the PIX)? Surely this involves sending back out on the same interface it arrived on?

thanks.

Brian

Usage:

[no] static [(real_ifc, mapped_ifc)] {<mapped_ip>|interface} {<real_ip> [netmask <mask>]} | {access-list <acl_name>} [dns] [norandomseq] [<max_conns> [<emb_limit>]]

[no] static [(real_ifc, mapped_ifc)] {tcp|udp} {<mapped_ip>|interface} <mapped_port> {<real_ip> <real_port> [netmask <mask>]} | {access-list <acl_name>} [dns] [norandomseq] [<max_conns> [<emb_limit>]]

For example:

static (inside,outside) tcp ....

static:

a) (real_ifc,mapped_ifc): the interface pair, where real_ifc is the internal or pre-NAT interface and mapped_ifc is the external or post-NAT interface.

b) mapped_ip: hostname or A.B.C.D, the global or mapped address; interface: use the global address of the interface (overload); tcp / udp: TCP or UDP to be used as the transport protocol. real_ip: hostname or A.B.C.D, the real IP address of the host or hosts; access-list: configure the access-list name after this keyword.

c) configure mode options: max_conns: the maximum number of simultaneous TCP connections the local IP hosts are to allow; the default is 0, which means unlimited connections. Idle connections are closed after the time specified by the timeout conn command. dns: use the created xlate to rewrite DNS address records. netmask: netmask to apply to IP addresses. norandomseq: disable TCP sequence number randomization. tcp: configure TCP-specific parameters. udp: configure UDP-specific parameters.

Krzysztof Sobieraj

OK, I have already tried using static, but from what you say this should work on the site-A PIX:

static (inside,outside) tcp interface smtp mailserver-on-site-B smtp netmask 255.255.255.255 0 0

where the site-A PIX internal LAN IP is 192.168.1.1, the site-B PIX is 192.168.2.1 and mailserver-on-site-B is, for example, 192.168.2.10.

My concern is that this cannot work, as the traffic did not originate on the LAN side of the site-A PIX, so it has to come in and go back out on the site-A PIX external interface. To be clear, what I want to achieve with the above is that SMTP traffic arriving on the outside of the site-A PIX ends up at mailserver-on-site-B.

thanks for your assistance.

Brian

I am not sure, that it is possible...

Krzysztof Sobieraj

This is not possible on the same security level.

Starting with 7.0 you can forward between different interfaces of the same level by configuring "same-security-traffic permit inter-interface" in global configuration mode.

Starting with 7.0 you can forward between different VPN tunnels on the same interface by configuring "same-security-traffic permit intra-interface" in global configuration mode.

Starting with 7.2.1 you can forward without restriction on the same interface by configuring "same-security-traffic permit intra-interface" in global configuration mode.

HTH

Lutz Donnerhacke
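Putting Lutz's answer together with the static Brian tried, here is an added illustrative configuration for the site-A firewall on PIX/ASA 7.2(1) or later. It is an example written for this page, not from anyone in the thread. It keeps Brian's addresses (site-B mail server 192.168.2.10, LANs 192.168.1.0/24 and 192.168.2.0/24) and assumes everything else: the site-A outside address 203.0.113.1, the site-B peer 198.51.100.1, the ACL and crypto-map names, and the transform set. It also goes one step beyond what the thread discusses: besides the intra-interface permit and the (outside,outside) static, it PATs the Internet client behind site A's outside address so the hairpinned flow fits one extra crypto ACL line instead of needing "any" in the tunnel definition.

```cisco
! Illustrative site-A PIX/ASA 7.2(1) configuration (example added to this thread,
! not a poster's config). Assumed values: outside address 203.0.113.1,
! site-B peer 198.51.100.1, ACL/crypto-map names, transform set ESP-AES-SHA.

! 1. Allow a packet that entered "outside" to be sent back out of "outside".
!    This is the step PIX 6.x cannot do, so the hairpin fails there no matter
!    how the static is written.
same-security-traffic permit intra-interface

! 2. Port-forward the outside interface address to the host at site B.
!    The real host is reached through the outside interface (via the tunnel),
!    so the interface pair is (outside,outside), not (inside,outside).
static (outside,outside) tcp interface smtp  192.168.2.10 smtp  netmask 255.255.255.255
static (outside,outside) tcp interface https 192.168.2.10 https netmask 255.255.255.255

! 3. Permit only those two ports in from the Internet. On 7.x the inbound ACL
!    matches the mapped address, i.e. the interface address.
access-list outside_in extended permit tcp any interface outside eq smtp
access-list outside_in extended permit tcp any interface outside eq https
access-group outside_in in interface outside

! 4. Hide the Internet client behind site A's own outside address before the
!    packet enters the tunnel. Otherwise the flow is (client_ip -> 192.168.2.10),
!    which matches no crypto ACL and would be routed to the Internet in the
!    clear, and site B would have no tunnel route back to client_ip anyway.
!    (Outside-to-outside dynamic PAT as shown is assumed to be accepted by
!    your release; syntax follows the ASA 7.2 nat/global commands.)
access-list hairpin_pat extended permit ip any host 192.168.2.10
nat (outside) 2 access-list hairpin_pat
global (outside) 2 interface

! 5. Extend the site-to-site crypto ACL by exactly that pair. The existing
!    LAN-to-LAN line stays as it was.
access-list siteB_vpn extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list siteB_vpn extended permit ip host 203.0.113.1 host 192.168.2.10
crypto map outside_map 10 match address siteB_vpn
crypto map outside_map 10 set peer 198.51.100.1
crypto map outside_map 10 set transform-set ESP-AES-SHA
crypto map outside_map interface outside
```

Site B needs the mirror of the new crypto ACL line (permit ip host 192.168.2.10 host 203.0.113.1) and a nat 0 exemption for the same pair, so the server's replies to 203.0.113.1 take the tunnel rather than its default route. On site A, check with show xlate (a PAT entry for the client and the static for 192.168.2.10 should appear) and show crypto ipsec sa (the encaps/decaps counters for the new SA should rise while a connection is open). The same layout answers Brian's "WAN port to WAN port" question: with intra-interface permitted, a static whose real host is reachable only through the tunnel is just an (outside,outside) static.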

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.