topic Re: PIX 515e 6.3. Port redirect question in Network Security

PIX 515e 6.3. Port redirect question

Armegeden — Mon, 11 Mar 2019 13:41:12 GMT

This is what I currently have:

access-list incoming permit tcp any host 2.3.245.131 eq www

access-list incoming permit tcp any host 2.3.245.131 eq https

ip address outside 2.3.245.134 255.255.255.192

static (inside,outside) 2.3.245.131 192.168.1.10 netmask 255.255.255.255 0 0

But I want to redirect SMTP traffic to 192.168.1.6. I know the syntax for:

static (inside,outside) tcp interface www 192.168.1.10 www netmask 255.255.255.255

static (inside,outside) tcp interface https 192.168.1.10 https netmask 255.255.255.255

But if I were to use:

static (inside,outside) tcp interface smtp 192.168.1.6 smtp netmask 255.255.255.255

Wouldn't that be a problem? One that "interface" is referring to "2.3.245.134", NOT the .131 address I need the traffic to go to.

So how do I do this? How do I redirect SMTP traffic from an IP address that lies behind the "outside" interface to one LAN address, while redirecting HTTPS and WWW traffic to another LAN address?

Any help would be greatly appreciated!

Re: PIX 515e 6.3. Port redirect question

satish_zanjurne — Tue, 09 Sep 2008 05:26:08 GMT

Hi,

1.PAT address can be a virtual address , different from outside address.

2.It should be reachable from internet/outside.

3.If you want use"interface" keyword in your static statements, you need to modify your incoming access-list to permit to 2.3.245.134 instead of 2.3.245.131

4.And the way you have redircted WWW & HTTPS traffic, you can redirect SMTP also same way..

HTH...rate if helpful..

Re: PIX 515e 6.3. Port redirect question

Armegeden — Tue, 09 Sep 2008 10:14:35 GMT

Hmm,

I do not think I am understanding.

2.3.245.131 is an IP address within our block. 2.3.245.134 happens to be the address we gave to the PIX. x.131 is the address we're using for Mail.

I need to keep x.134 the outside address, but I need to route traffic SMTP destined for x.131 to a different LAN address than WWW/HTTPS. But both SMTP+WWW/HTTPS will be going toward WAN address x.131.

Does this make sense?

I believe I have the access-list statements correct. It's the static mapping I'm having trouble with.

Basically I need this to happen:

static (inside,outside) tcp 2.3.245.131 www 192.168.1.10 www netmask 255.255.255.255

static (inside,outside) tcp 2.3.245.131 https 192.168.1.10 https netmask 255.255.255.255

static (inside,outside) tcp 2.3.245.131 smtp 192.168.1.6 smtp netmask 255.255.255.255

But I keep getting an error...

Re: PIX 515e 6.3. Port redirect question

satish_zanjurne — Tue, 09 Sep 2008 12:52:38 GMT

1.If you are using 2.3.245.131 as outside address for static, then access-list is correct

2.If you are using 2.3.245.1354 which is outside interface address, as you have mentioned, then access-list should contain 2.3.245.134

3.Your configuration is correct

4.What is the error you are getting ??

Also refer below mentioned document..

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804708b4.shtml#t10

HTH...arte if helpful..

Re: PIX 515e 6.3. Port redirect question

lreger — Wed, 10 Sep 2008 04:19:00 GMT

Try this

static (inside,outside) tcp 2.3.245.131 www 192.168.1.10 www netmask 255.255.255.255 0 0

static (inside,outside) tcp 2.3.245.131 https 192.168.1.10 https netmask 255.255.255.255 0 0

static (inside,outside) tcp 2.3.245.131 smtp 192.168.1.6 smtp netmask 255.255.255.255 0 0