Thread: Port Forwarding/Redirecting




Port Forwarding/Redirecting
user name
2006-05-25 00:15:01
Static statements are "read" like:

static (contacting this network,from this network) <operator> listen on this IP <port> translate incoming traffic to this IP <port> netmask 255.255.255.255 0 0

Applying that logic, here is how you should write your
static map:
static (inside,outside) tcp 111.111.111.111 25 222.222.222.222 25 netmask 255.255.255.255 0 0

Also, make sure your access-list applied to your outside
interface will allow the incoming traffic.

Hope this helps!
Aaron

---------- Original Message ----------------------------------
From: "jeffrey_wenzel" <jeffrey_wenzelyahoo.com>
Reply-To: PIX_Firewall@yahoogroups.com
Date:  Tue, 23 May 2006 18:54:28 -0000

>This can't be very difficult to do but damn if I can't get it to work.
>
>I have read over and over again every example I've found on the web
>to no avail.
>
>I've got a PIX 515 v6.3.
>Anti-spam device behind firewall.
>smtp server behind firewall.
>
>My PIX is up and running with no troubles as is the smtp server (have
>been for a few years now), we just added the anti-spam device, I know
>I could do this via DNS and MX records if I have to, but would like
>to do it with port forwarding/redirecting.
>
>Trying to forward ALL incoming smtp traffic to the anti-spam device
>which will then either kill spam or forward good mail to the smtp
>server.
>
>Internet ---incoming traffic---->  PIX ---smtp traffic---> antispam ----> smtp server
>                                    |
>                                    |
>                                    V
>                              all other traffic
>
>Assume PIX outside IP = 111.111.111.111
>Assume antispam IP    = 222.222.222.222
>Assume smtp server IP = 222.222.222.333
>
>All IPs are static, no dhcp, no nat.
>
>Current config looks like this (some parts removed as not necessary):
>
>interface ethernet0 auto
>interface ethernet1 auto
>nameif ethernet0 outside security0
>nameif ethernet1 inside security100
>names
>name 222.222.222.222 antispam
>name 222.222.222.333 smtpserver
>access-list ACL_OUT permit tcp any host smtpserver eq domain
>access-list ACL_OUT permit tcp any host smtpserver eq ssh
>access-list ACL_OUT permit tcp any host smtpserver eq pop3
>access-list ACL_OUT permit tcp any host smtpserver eq smtp
>access-list ACL_OUT permit tcp any host smtpserver eq imap4
>access-list ACL_OUT permit udp any host smtpserver eq domain
>access-list ACL_OUT permit tcp any host antispam eq ssh
>access-list ACL_OUT permit tcp any host antispam eq smtp
>access-list ACL_OUT permit tcp any host antispam eq domain
>access-list ACL_OUT permit udp any host antispam eq domain
>access-list ACL_OUT permit udp any host antispam eq ntp
>access-list ACL_OUT permit tcp any host antispam eq www
>ip address outside 111.111.111.111 255.255.255.252
>ip audit info action alarm
>ip audit attack action alarm
>nat (inside) 0 0.0.0.0 0.0.0.0 0 0
>static (inside,outside) smtpserver smtpserver netmask 255.255.255.255 0 0
>static (inside,outside) antispam antispam netmask 255.255.255.255 0 0
>access-group ACL_OUT in interface outside
>
>#Configured as above all smtp traffic goes to the smtp server as normal
>and all users get their email with no problems at all (have been for
>years).
>#according to the example at the cisco site I made the following
>change:
>
>Changed - static (inside,outside) smtpserver smtpserver netmask 255.255.255.255 0 0
>     to - static (inside,outside) tcp smtpserver smtp antispam smtp netmask 255.255.255.255 0 0
>
>#Nothing happens, all smtp traffic appears to go directly to the smtp
>server, users still getting all emails. Yes the antispam machine is
>on and ready to accept incoming smtp traffic.
>
>If the above config looks okay, then I'll try to dig deeper via logs
>to see what's up.
>
>Thanks in advance for any help.
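Added example, not part of the original posts: a small Python check for the point made in the reply, that a port-redirect static only works if the ACL applied to the outside interface permits the address and port the PIX listens on (on PIX 6.x that ACL is matched against the mapped address, not the inside host). The function name audit, the PORTS table and the sample text are constructed for illustration.

```python
import re

# Constructed sample: the suggested static plus ACL lines from the quoted config.
SAMPLE = """\
names
name 222.222.222.222 antispam
name 222.222.222.333 smtpserver
access-list ACL_OUT permit tcp any host smtpserver eq smtp
access-list ACL_OUT permit tcp any host antispam eq smtp
static (inside,outside) tcp 111.111.111.111 25 222.222.222.222 25 netmask 255.255.255.255 0 0
access-group ACL_OUT in interface outside
"""

PORTS = {"smtp": "25", "www": "80", "ssh": "22", "domain": "53", "pop3": "110"}
NAME_RE = re.compile(r"name (\S+) (\S+)")
# static (real_if,mapped_if) proto mapped_ip mapped_port real_ip real_port netmask ...
STATIC_RE = re.compile(r"static \((\w+),(\w+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+) netmask")
# Only the simple "permit <proto> any host <ip> eq <port>" form is understood.
ACL_RE = re.compile(r"access-list (\S+) permit (tcp|udp) any host (\S+) eq (\S+)")
GROUP_RE = re.compile(r"access-group (\S+) in interface (\w+)")

def audit(config):
    """For each port-redirect static, report whether the ACL bound to the
    mapped interface permits the address and port the PIX listens on."""
    lines = [line.strip() for line in config.splitlines()]
    names = {m.group(2): m.group(1) for ln in lines if (m := NAME_RE.match(ln))}
    groups = {m.group(2): m.group(1) for ln in lines if (m := GROUP_RE.match(ln))}

    def ip(tok):  # resolve a "name" alias to its address
        return names.get(tok, tok)
    def port(tok):  # resolve a port keyword to its number
        return PORTS.get(tok, tok)

    permits = {(m.group(1), m.group(2), ip(m.group(3)), port(m.group(4)))
               for ln in lines if (m := ACL_RE.match(ln))}
    findings = []
    for ln in lines:
        m = STATIC_RE.match(ln)
        if not m:
            continue
        _real_if, mapped_if, proto, m_ip, m_port, r_ip, r_port = m.groups()
        acl = groups.get(mapped_if)
        findings.append({
            "listen": f"{ip(m_ip)}:{port(m_port)}",
            "forward_to": f"{ip(r_ip)}:{port(r_port)}",
            "acl": acl,
            "permitted": (acl, proto, ip(m_ip), port(m_port)) in permits,
        })
    return findings
```

Run against SAMPLE, the finding for 111.111.111.111:25 has permitted set to False, because ACL_OUT only names smtpserver and antispam; adding a permit for host 111.111.111.111 eq smtp clears it.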