topic Re: Pix 515E Port Forward in Network Security

Pix 515E Port Forward

dancox — Mon, 11 Mar 2019 13:51:48 GMT

I'm having some trouble with port forwarding on a 515E pix.

I have the following commands in the config

static (inside,outside) tcp 11.11.11.11 smtp 10.0.0.55 smtp netmask 255.255.255.255 0 0

static (inside,outside) tcp 11.11.11.11 www 11.11.11.11 www netmask 255.255.255.255 0 0

The goal is to have smtp traffic go to 10.0.0.55 and http traffic to go to the 11.11.11.11 (a public ip). Problem is, none of the traffic is being port forwarded, it is going to the 11.11.11.11 address.

Any help is appreciated.

Dan Cox

Re: Pix 515E Port Forward

suschoud — Wed, 01 Oct 2008 17:39:19 GMT

First of all,

you did not meention if you have an access list defined on outside interface to allow this traffic.

You need to have the following config. along with your existing config. for this to work :

access-l 101 permit tcp any host 11.11.11.11 eq smtp

access-l 101 permit tcp any host 11.11.11.11 eq www

access-l 101 in interface outside

##############

Also :

Is 11.11.11.11 outside interface ip address.

If that is true :

Use :

static (inside,outside) tcp interface smtp 10.0.0.55 smtp netmask 255.255.255.255 0 0

static (inside,outside) tcp interface www 11.11.11.11 www netmask 255.255.255.255 0 0

access-l 101 permit tcp any interface outside eq smtp

access-l 101 permit tcp any interface outside eq www

access-l 101 in interface outside

Do rate helpful posts.

Regards,

Sushil

Re: Pix 515E Port Forward

dancox — Thu, 02 Oct 2008 19:21:27 GMT

Sushi,

Thanks for the reply.

I do have an access list in place allowing the traffic and we have multiple "outside" IP's. I think the issue is with my nat/pat setup.

I should have mentioned that 1.1.1.34 is the servers address on the inside network (we don't nat everything). I originally wanted to forward all smtp traffic to 10.0.0.55, but let http traffic continue on to 1.1.1.34 (no nat). When I do show xlate | include 1.1.1.34 I get

Global 1.1.1.34 Local 1.1.1.34

When I clear xlate I get the same thing.

I'm expecting to see

Global 1.1.1.34(25) Local 10.0.0.55(25)

Global 1.1.1.34(80) Local 1.1.1.34(80)

And if I clear xlate enough I sometimes see this, but then it stops and goes back to Global 1.1.1.34 Local 1.1.1.34.

For testing purposes I changed static to

static (inside,outside) tcp 1.1.1.34 smtp 10.0.0.55 smtp netmask 255.255.255.255 0 0

static (inside,outside) tcp 1.1.1.34 www 10.0.0.34 www netmask 255.255.255.255 0 0

But I still get Global 1.1.1.34 Local 1.1.1.34

I don't have 1.1.1.34 in global or nat so I'm not sure why it's being globally translated to itself.

Thanks for the help.

Dan

Re: Pix 515E Port Forward

suschoud — Thu, 02 Oct 2008 19:24:31 GMT

Please post,

sh run nat

sh run glo

sh run nat-control

sh run stat

If you are running 6.x-->

sh nat

sh glo

sh static

Regards,

Sushil