5525-x making port forwarding

blackswans (Level 1)

Hi,

I've made object NAT in the 5525-X firewall and given permission to these ports in the ACL. But we cannot access these ports from outside. Are there any changes in these new firewall series?

Thanks.

object network xx_Exch_Rdp
  nat (Inside,Outside) static interface service tcp 3389 3389
object network xx_Exch_Send
  nat (Inside,Outside) static interface service tcp pop3 pop3
object network xx_Exch_Mapi
  nat (Inside,Outside) static interface service tcp imap4 imap4
object network xx_Exch_Pop3
  nat (Inside,Outside) static interface service tcp 587 587
object network xx_Exch_Smtp
  nat (Inside,Outside) static y.y.y.z service tcp smtp smtp

8 Replies

The NAT looks fine. What about the ACL? Remember that you have to use the real-address in the ACL and not the public/natted address.

So the ACL would be something like:

permit tcp any object xx_Exch_Rdp eq 3389

permit tcp any object xx_Exch_Send eq pop3

...

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

I think the ACL also looks good to me... I'm using the real IP addresses. But you say to use the object; I'm using the host keyword here... Is that wrong?

access-list Outside_access_in extended permit tcp any host PUBLIC_IP object-group DM_INLINE_TCP_1

object-group service DM_INLINE_TCP_1 tcp

port-object eq 3389

port-object eq 587

port-object eq www

port-object eq https

port-object eq imap4

port-object eq pop3

port-object eq smtp

The host-keyword is perfectly fine. But it seems that you use the public IP in your ACL and not the real address. You need to use the address that your Exchange-server has configured on the interface.


OK, then I will try with the real host IP address, which is a private IP. But we were using the public IP address in the older firewalls like the 5510 and 5520...

Thanks.

On the 5510/5520 you probably didn't use version 8.3+. There it changed from the public to the real address.


Thank you very much for the information. I will try these.

Regards.

These NAT translations are two-way translations, is that right? So if the server wants to go to the internet, it will go from the NATed IP?

Yes and no ... ;-)

They can be used from both sides, which is what static translations are used for. But they are restricted to the TCP ports 3389/imap/pop3... on the server side. And as it is unlikely that the server initiates a connection with source port 110/143/..., you need an additional entry for outgoing connections.

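The following is an added, worked configuration that is not from this thread; it pulls together the two points made above (the ACL must reference the real address on 8.3+, and a port-restricted static NAT does not cover server-initiated outbound traffic). The server's real address 10.1.1.10, the Outside interface address 198.51.100.10, the dedicated SMTP public address 198.51.100.25 and the test source 203.0.113.5 are assumed placeholders, and the object names follow the ones used in the original post.

```cisco
! --- Assumed addresses (placeholders, not from the thread) ---
! Exchange server real address: 10.1.1.10
! Outside interface address:    198.51.100.10
! Public address used for SMTP: 198.51.100.25

! Inbound port forwards. Each object carries the REAL host address;
! "static interface" maps the port onto the Outside interface address.
object network xx_Exch_Rdp
 host 10.1.1.10
 nat (Inside,Outside) static interface service tcp 3389 3389
object network xx_Exch_Pop3
 host 10.1.1.10
 nat (Inside,Outside) static interface service tcp pop3 pop3
object network xx_Exch_Imap4
 host 10.1.1.10
 nat (Inside,Outside) static interface service tcp imap4 imap4
object network xx_Exch_Submission
 host 10.1.1.10
 nat (Inside,Outside) static interface service tcp 587 587
object network xx_Exch_Smtp
 host 10.1.1.10
 nat (Inside,Outside) static 198.51.100.25 service tcp smtp smtp

! Outbound. The statics above only match when the server's SOURCE port is
! 3389/110/143/587/25, which never happens for connections it initiates,
! so a separate dynamic PAT entry is needed for server-originated traffic.
object network xx_Exch_Outbound
 host 10.1.1.10
 nat (Inside,Outside) dynamic interface

! Ports allowed inbound.
object-group service DM_INLINE_TCP_1 tcp
 port-object eq 3389
 port-object eq 587
 port-object eq imap4
 port-object eq pop3
 port-object eq smtp

! 8.3+ ACL: the destination is the REAL address (10.1.1.10), not the public one.
! (The pre-8.3 form "host 198.51.100.10" would silently match nothing here.)
access-list Outside_access_in extended permit tcp any host 10.1.1.10 object-group DM_INLINE_TCP_1
access-group Outside_access_in in interface Outside

! Verify: simulate an outside client hitting the public address on 3389.
! The output should show an ALLOW through the NAT and ACCESS-LIST phases
! and an xlate to 10.1.1.10/3389.
packet-tracer input Outside tcp 203.0.113.5 12345 198.51.100.10 3389

! Inspect the translation table and rule hit counts.
show nat detail
show xlate
```

The packet-tracer command is the quickest way to tell a NAT problem from an ACL problem: a DROP in the ACCESS-LIST phase with the NAT phase already showing the untranslated real address is the classic symptom of an ACL still written against the public IP. Since the same real host appears in several objects, the port-restricted statics are evaluated before the dynamic rule, so the dynamic PAT only picks up the traffic the statics do not claim. Separately, `permit tcp any ... eq 3389` publishes RDP to the whole internet; if remote desktop must be reachable from outside, narrow the source to the known client ranges rather than `any`.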
