02-20-2003 03:08 PM - edited 03-09-2019 02:11 AM
I'd like to redirect one port and leave the rest of them intact. I have the following config, though it does not seem to be working correctly.
access-list acl_outside permit tcp any host Server-exch_o eq 1234
static (inside,outside) tcp Server-exch_o 1234 Server-exch_i www netmask 255.255.255.255 0 0
static (inside,outside) Server-exch_o Server-exch_i netmask 255.255.255.255 0 0
access-group acl_outside in interface outside
Is this not possible?
Thanks,
Scott<-
02-20-2003 09:05 PM
Should be OK. Your ACL is only allowing TCP port 1234 in from the outside, nothing else. You might want to change your ACL to allow all ports in (if that's what you're trying to do).
Other than that, if you can elaborate on "it does not seem to be working correctly" then that would help us to help you.
02-21-2003 07:39 AM
I do have other entries in the ACL
access-list acl_outside permit tcp host 11.22.33.44 host Server-exch_o
It's another mail server that we are migrating to the server on the inside, so it has full access to the internal server. That communication seems to be working just fine.
When I'm on a machine on the outside of the firewall and I try to access http://Server-exch_o:1234, it times out with no response. So it seems like the command:
static (inside,outside) Server-exch_o Server-exch_i netmask 255.255.255.255 0 0
Is overriding the command:
static (inside,outside) tcp Server-exch_o 1234 Server-exch_i www netmask 255.255.255.255 0 0
I know the web server works because if I'm on the inside and connect to http://Server-exch_i:80 the site comes up just fine.
Hmmm...
Thanks for your help. I appreciate it!
Scott<-
02-22-2003 10:05 PM
Statics are read from top down and are matched on a first-match basis, not best match. If you have:
static (inside,outside) Server-exch_o Server-exch_i netmask 255.255.255.255 0 0
static (inside,outside) tcp Server-exch_o 1234 Server-exch_i www netmask 255.255.255.255 0 0
in that order in your config, then the first static will ALWAYS be matched and the second static will basically never be used. Clear these out, then add the port static first, then the whole static; that'll put the more specific one first in the config and you should be fine after that.
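The first-match behaviour described in the two replies above (the outside ACL being checked against the global address and port, and the statics being walked top-down with the first match winning) as an added, runnable model. This is illustration code written for this thread, not anything from the original posts or a Cisco tool; the addresses are constructed placeholders standing in for the Server-exch_o / Server-exch_i name aliases and the 11.22.33.44 mail server, and the model covers only the inbound (outside to inside) TCP path.

```python
"""Model of how a PIX walks its static and access-list entries for an
inbound (outside -> inside) TCP connection: first match wins, not best match.
Illustration code for this thread, not a Cisco tool."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed placeholder addresses standing in for the thread's name aliases.
SERVER_EXCH_O = "203.0.113.10"  # global address (Server-exch_o)
SERVER_EXCH_I = "10.0.0.10"     # local address (Server-exch_i)
OTHER_MAIL = "11.22.33.44"      # the migrating mail server from the ACL


@dataclass
class Static:
    """One 'static (inside,outside) ...' line.  proto=None is a whole-host
    static; otherwise it is a port static mapping global_port -> local_port."""
    global_ip: str
    local_ip: str
    proto: Optional[str] = None
    global_port: Optional[int] = None
    local_port: Optional[int] = None

    def matches(self, proto: str, dst_ip: str, dst_port: int) -> bool:
        if dst_ip != self.global_ip:
            return False
        if self.proto is None:          # whole-host static matches every port
            return True
        return proto == self.proto and dst_port == self.global_port

    def translate(self, dst_port: int) -> Tuple[str, int]:
        if self.proto is None:          # port carried through unchanged
            return self.local_ip, dst_port
        return self.local_ip, self.local_port


@dataclass
class AclEntry:
    """One 'access-list ... permit' line; dst_port=None means any port."""
    proto: str
    src: str            # "any" or a host address
    dst: str
    dst_port: Optional[int] = None

    def matches(self, proto: str, src_ip: str, dst_ip: str, dst_port: int) -> bool:
        return (self.proto in ("ip", proto)
                and self.src in ("any", src_ip)
                and self.dst == dst_ip
                and self.dst_port in (None, dst_port))


def acl_permits(acl: List[AclEntry], proto: str, src_ip: str,
                dst_ip: str, dst_port: int) -> bool:
    """Access lists are also first-match; no match is the implicit deny."""
    return any(e.matches(proto, src_ip, dst_ip, dst_port) for e in acl)


def resolve_inbound(statics: List[Static], acl: List[AclEntry], proto: str,
                    src_ip: str, dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
    """Return the (local_ip, local_port) the inside host would see, or None if
    the PIX drops the connection.  The ACL on the outside interface is
    evaluated against the global (pre-translation) address and port."""
    if not acl_permits(acl, proto, src_ip, dst_ip, dst_port):
        return None
    for s in statics:                   # top-down, first match wins
        if s.matches(proto, dst_ip, dst_port):
            return s.translate(dst_port)
    return None                         # no xlate: inbound connection dropped


def thread_acl() -> List[AclEntry]:
    """The two ACL lines quoted in the thread, in the same order."""
    return [
        AclEntry("tcp", "any", SERVER_EXCH_O, 1234),
        AclEntry("tcp", OTHER_MAIL, SERVER_EXCH_O),
    ]


def thread_statics(port_static_first: bool) -> List[Static]:
    """The two statics from the thread, in either order."""
    port_static = Static(SERVER_EXCH_O, SERVER_EXCH_I, "tcp", 1234, 80)
    whole_static = Static(SERVER_EXCH_O, SERVER_EXCH_I)
    return [port_static, whole_static] if port_static_first else [whole_static, port_static]


if __name__ == "__main__":
    client = "198.51.100.7"             # constructed outside client
    for first in (True, False):
        hit = resolve_inbound(thread_statics(first), thread_acl(),
                              "tcp", client, SERVER_EXCH_O, 1234)
        print(f"port static first={first}: {client} -> {SERVER_EXCH_O}:1234 lands on {hit}")
```

With the port static first, a connection to Server-exch_o:1234 lands on Server-exch_i:80; with the whole static first it lands on Server-exch_i:1234, where nothing is listening, which is exactly the silent timeout the thread describes. The model also shows why a test to Server-exch_o:80 from an arbitrary outside host never reaches the static at all: the ACL only opens 1234 to "any", so that test is denied before translation.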
02-23-2003 12:05 PM
I do have the port redirect first, then the whole static. )-;
I'm pretty sure I've cleared the xlate too.
Is there something I can debug to see the packets that are coming in?
Thanks,
Scott<-