Port redirecting with pix

0rsnaric
Level 1

Hi, I'm trying to set up port redirection on a PIX 515 running version 6.3(3), and getting nowhere fast.

The idea is to redirect port 25 traffic to port 2525 and the static command I've tried is as follows -

static (inside,outside) tcp X.X.X.X 25 Y.Y.Y.Y 2525 netmask 255.255.255.255 0 100

Where X.X.X.X is a public address and Y.Y.Y.Y is a private address.

Also, I've added an access-list line allowing port 25 to host X.X.X.X inbound.

The redirect is not working. I've even gone as far as testing on a web server, redirecting port 80 to 8080, but the traffic is sent to port 80 regardless of the static command.

Can somebody please tell me what I'm doing wrong? My understanding was that port redirects were possible with pix software 6.0 or later.

Thanks in advance,

Rick


4 Replies

scoclayton
Level 7

Rick,

Config looks good based on what you have above. Have you issued a 'cl x' after adding the new static above? If not, you will need to in order to clear the former translation. Just a thought...

Scott

Scott, you hit the nail on the head: inbound started working after I remembered to do a clear xlate. After working with Cisco's PIX line for 5 years you would think I'd remember to issue a clear xlate command whenever changing configurations. Guess I need to have it tattooed on my forehead.

By the way, I also had to reconfigure global and nat commands for outbound traffic to work. Essentially setting the public address of the smtp server up as a PAT address and then NATing it to the private address. Is that normal? Without it I was getting syslog messages stating that there was no translation found for the private address when it tried to send email outbound.

Thanks again!

Rick

No sweat. I almost always overlook the simplest things so when someone else is having a problem, I start simple and move up. Usually solves the issue faster.

As for your other question, yes, this is normal. Remember, that statics are bi-directional translations. So, when you added the port info to the static command for the SMTP server, the PIX now only knows to translate packets sourced from TCP/2525 (I think this is how you had it). When your mail server tries to send outbound mail, the source port is going to be an ephemeral port (ie not 2525 most likely). So, I usually have people do something like this:

static (inside,outside) tcp 1.1.1.1 25 10.1.1.1 2525 netmask 255.255.255.255

nat (inside) 2 10.1.1.1 255.255.255.255

global (outside) 2 1.1.1.1

This takes care of everything in both directions from the 10.1.1.1 host (as an example).

Hope this helps explain matters. Good luck.

Scott
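Pulling the thread together, here is a complete PIX 6.3 fragment for the redirect discussed above. This is an added example, not configuration posted by Rick or Scott; it uses the same placeholder addresses as Scott's reply (1.1.1.1 public, 10.1.1.1 inside mail server), the ACL name outside_in is assumed, and the lines beginning with "!" are annotations to strip before pasting.

```text
! Inbound: outside TCP/25 on 1.1.1.1 is redirected to the server on TCP/2525.
! Trailing "0 0" = no max-connection / embryonic limits.
static (inside,outside) tcp 1.1.1.1 25 10.1.1.1 2525 netmask 255.255.255.255 0 0

! The static only builds the translation; inbound traffic must still be
! permitted by an ACL bound to the outside interface. On PIX 6.x the inbound
! ACL is written against the public (pre-translation) address and port, so it
! is 1.1.1.1 port 25 here, not 10.1.1.1 port 2525. Permit only SMTP.
access-list outside_in permit tcp any host 1.1.1.1 eq 25
access-group outside_in in interface outside

! Outbound: mail the server originates uses ephemeral source ports, which the
! port static above does not match, so give 10.1.1.1 its own nat/global pair
! (ID 2, assumed unused) that PATs it to the same public address.
nat (inside) 2 10.1.1.1 255.255.255.255
global (outside) 2 1.1.1.1

! Existing connections keep their old xlate entries; clear them so the new
! static is used, then verify what the PIX has built.
clear xlate
show static
show xlate
```

After clear xlate, show static should list the TCP port static and show xlate should show a fresh entry for 10.1.1.1 once the first connection arrives. Keeping the inbound ACL limited to port 25 on the public address matters because the static only rewrites the destination port; it does not restrict which outside hosts can reach the server.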

t.dion
Level 1

Hello Rick,

Try this:

HTTP

You can use the fixup command to change the default port assignment for the Hypertext Transfer Protocol (HTTP). The command syntax is as follows.

fixup protocol http [port[-port]]

Use the port option to change the default port assignments from 80. Use the -port option to apply HTTP application inspection to a range of port numbers.

--------------------------------------------------------------------------------

Note The no fixup protocol http command statement also disables the filter url command.

--------------------------------------------------------------------------------

HTTP inspection performs several functions:

•URL logging of GET messages

•URL screening via N2H2 or Websense

•Java and ActiveX filtering

The latter two features are described in "Filtering Outbound Connections" in "Controlling Network Access and Use"

Reference: http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a008017278b.html#wp1101977

kind regards
