Thread: Port Forwarding/Redirecting




2006-05-25 08:21:59
Hi Jeffrey,
 
Everything looks fine in your current configuration.
 
Let's say your domain name is xyz.com and your e-mail ID is abc@xyz.com. Now if I send you an e-mail, my SMTP server will check the domain name xyz.com and it will retrieve the IP address 222.222.222.333. Since everything is correct at your end, the mail will be delivered to 222.222.222.333, which is your SMTP server. To get the mail delivered to 222.222.222.222, either you should ask your registering authority to change the domain name or you interchange the IP addresses of your SMTP server and anti-spam device.
 
Additionally you may change the setup at firewall itself.
 
no static (inside,outside) smtpserver smtpserver netmask 255.255.255.255 0 0 
no static (inside,outside) antispam antispam netmask 255.255.255.255 0 0
static (inside,outside)  antispam smtpserver netmask 255.255.255.255 0 0
 
Here you will bind your registered ip to the ip of spam device.
 
Hope this will work. Let me know if you require further help.
 
Also you should note that your anti-spam device is configured to deliver the scanned mails to the SMTP server. For outgoing mails you may configure the SMTP server to deliver mails to the anti-spam device so that outbound mails are scanned and then delivered.
 
Thanks & Regards
Jasbir Saharan
+91 9810050530


From: PIX_Firewall@yahoogroups.com [mailto:PIX_Firewall@yahoogroups.com] On Behalf Of jeffrey_wenzel
Sent: Wednesday, May 24, 2006 12:24 AM
To: PIX_Firewall@yahoogroups.com
Subject: [PIX_Firewall] Port Forwarding/Redirecting

This can't be very difficult to do but damn if I can't get it to work.

I have read over and over again every example I've found on the web
to no avail.

I've got a PIX 515 v6.3.
Anti-spam device behind firewall.
smtp server behind firewall.

My PIX is up and running with no troubles as is the smtp server (have
been for a few years now), we just added the anti-spam device, I know
I could do this via DNS and MX records if I have to, but would like
to do it with port forwarding/redirecting.

Trying to forward ALL incoming smtp traffic to the anti-spam device
which will then either kill spam or forward good mail to the smtp
server.

Internet ---incoming traffic----> PIX ---smtp traffic---> antispam ----> smtp server
                                   |
                                   |
                                   V
                            all other traffic

Assume PIX outside IP = 111.111.111.111
Assume antispam IP    = 222.222.222.222
Assume smtp server IP = 222.222.222.333

All IPs are static, no dhcp, no nat.

Current config looks like this (some parts removed as not necessary):

interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
names
name 222.222.222.222 antispam
name 222.222.222.333 smtpserver
access-list ACL_OUT permit tcp any host smtpserver eq domain
access-list ACL_OUT permit tcp any host smtpserver eq ssh
access-list ACL_OUT permit tcp any host smtpserver eq pop3
access-list ACL_OUT permit tcp any host smtpserver eq smtp
access-list ACL_OUT permit tcp any host smtpserver eq imap4
access-list ACL_OUT permit udp any host smtpserver eq domain
access-list ACL_OUT permit tcp any host antispam eq ssh
access-list ACL_OUT permit tcp any host antispam eq smtp
access-list ACL_OUT permit tcp any host antispam eq domain
access-list ACL_OUT permit udp any host antispam eq domain
access-list ACL_OUT permit udp any host antispam eq ntp
access-list ACL_OUT permit tcp any host antispam eq www
ip address outside 111.111.111.111 255.255.255.252
ip audit info action alarm
ip audit attack action alarm
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
static (inside,outside) smtpserver smtpserver netmask 255.255.255.255 0 0
static (inside,outside) antispam antispam netmask 255.255.255.255 0 0
access-group ACL_OUT in interface outside

#Configed as above all smtp traffic goes to the smtp server as normal
and all users get their email with no problems at all (have been for
years).
#according to the example at the cisco site I made the following
change:

Changed - static (inside,outside) smtpserver smtpserver netmask 255.255.255.255 0 0
     to - static (inside,outside) tcp smtpserver smtp antispam smtp netmask 255.255.255.255 0 0

#Nothing happens, all smtp traffic appears to go directly to the smtp
server, users still getting all emails. Yes the antispam machine is
on and ready to accept incoming smtp traffic.

If the above config looks okay, then I'll try to dig deeper via logs
to see what's up.

Thanks in advance for any help.
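
Added example, not part of the original thread: the port redirection described above, written out for PIX 6.3 with the thread's placeholder names, followed by the translation flush and the console checks that show where inbound SMTP actually lands. The extra per-port static lines are an assumption that the other services ACL_OUT already permits to smtpserver should keep reaching smtpserver itself.

```cisco
! Added example, not from the thread. Names and addresses are the thread's placeholders.
! Port static syntax:
!   static (inside,outside) tcp <global_ip> <global_port> <local_ip> <local_port>
! Global side = the public mail address (smtpserver); local side = the host that receives it.

! 1. Replace the one-to-one static for the mail address with per-port statics.
no static (inside,outside) smtpserver smtpserver netmask 255.255.255.255 0 0

! Inbound TCP/25 addressed to smtpserver is handed to the anti-spam device.
static (inside,outside) tcp smtpserver smtp antispam smtp netmask 255.255.255.255 0 0

! Assumption: the remaining services permitted by ACL_OUT stay on smtpserver.
static (inside,outside) tcp smtpserver pop3 smtpserver pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp smtpserver imap4 smtpserver imap4 netmask 255.255.255.255 0 0
static (inside,outside) tcp smtpserver ssh smtpserver ssh netmask 255.255.255.255 0 0
static (inside,outside) tcp smtpserver domain smtpserver domain netmask 255.255.255.255 0 0
static (inside,outside) udp smtpserver domain smtpserver domain netmask 255.255.255.255 0 0

! 2. ACL_OUT needs no change: it is matched against the global address, and
!    "access-list ACL_OUT permit tcp any host smtpserver eq smtp" is already present.

! 3. Flush existing translation slots. Until this is done the PIX can keep
!    using translations that were built from the old static.
clear xlate

! 4. Send a test message from outside, then check from the PIX console:
show static
! the port static for smtp should be listed, the old one-to-one static should not
show xlate
! look for a port translation from smtpserver port 25 to antispam port 25
show conn
! the inbound port-25 connection should have antispam as its local host
show access-list ACL_OUT
! the hit counter on the "smtpserver eq smtp" line should increase
```

The clear xlate step drops existing translations, so connections that depend on them are interrupted when it runs.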






