I’d like to redirect one port and leave the rest of them intact.

stownsend (Level 2)

I’d like to redirect one port and leave the rest of them intact. I have the following config, though it does not seem to be working correctly.

access-list acl_outside permit tcp any host Server-exch_o eq 1234

static (inside,outside) tcp Server-exch_o 1234 Server-exch_i www netmask 255.255.255.255 0 0

static (inside,outside) Server-exch_o Server-exch_i netmask 255.255.255.255 0 0

access-group acl_outside in interface outside

Is this not possible?

Thanks,

Scott

4 Replies

gfullage (Cisco Employee)

Should be OK. Your ACL is only allowing TCP port 1234 in from the outside, nothing else. You might want to change your ACL to allow all ports in (if that's what you're trying to do).

Other than that, if you can elaborate on "it does not seem to be working correctly" then that would help us to help you.

I do have other entries in the ACL

access-list acl_outside permit tcp host 11.22.33.44 host Server-exch_o

It's another mail server that we are migrating to the server on the inside, so it has full access to the internal server. That communication seems to be working just fine.

When I'm on a machine on the outside of the firewall and I try to access http://Server-exch_o:1234, it times out with no response. So it seems like the command:

static (inside,outside) Server-exch_o Server-exch_i netmask 255.255.255.255 0 0

Is overriding the command:

static (inside,outside) tcp Server-exch_o 1234 Server-exch_i www netmask 255.255.255.255 0 0

I know the web server works because If I'm on the inside and connect to http://Server-exch_i:80 the site comes up just fine.

Hmmm...

Thanks for your help. I appreciate it!

Scott

Statics are read from top down and are matched on a first-match basis, not best match. If you have:

static (inside,outside) Server-exch_o Server-exch_i netmask 255.255.255.255 0 0

static (inside,outside) tcp Server-exch_o 1234 Server-exch_i www netmask 255.255.255.255 0 0

in that order in your config, then the first static will ALWAYS be matched and the second static will basically never be used. Clear these out, then add the port static first, then the whole static; that'll put the more specific one first in the config and you should be fine after that.
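
The first-match rule in the reply above, replayed as a small model. This is an added example, not code from the thread or from Cisco: it parses the two static lines exactly as Scott posted them, in both orders, and looks up an inbound TCP connection to Server-exch_o port 1234 the way a top-down, first-match table would. The lookup and translation logic is a simplification (it ignores the netmask, the connection limits and the ACL), and the hostnames are the ones from the thread, used here as plain labels.

```python
"""Model of PIX 'static' lookup order: first match, top down.

Added example, not the firewall's code. It parses the 'static (inside,outside)'
lines quoted in the thread and replays an inbound connection against them in
both orders, so the effect of putting the whole-host static first is visible.
Simplifications (assumptions): netmask and the trailing max-conns fields are
ignored, and only a few well-known port names are mapped to numbers.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Two shapes: port static "tcp mapped mport real rport" or whole-host "mapped real".
STATIC_RE = re.compile(
    r"^static\s+\((?P<real_if>\w+),(?P<mapped_if>\w+)\)\s+"
    r"(?:(?P<proto>tcp|udp)\s+(?P<mapped>\S+)\s+(?P<mport>\S+)\s+(?P<real>\S+)\s+(?P<rport>\S+)"
    r"|(?P<mapped2>\S+)\s+(?P<real2>\S+))"
    r"\s+netmask\s+(?P<mask>\S+)"
)

WELL_KNOWN = {"www": 80, "http": 80, "https": 443, "smtp": 25, "ssh": 22}


def port_num(token: str) -> int:
    """Turn a PIX port token ('1234' or 'www') into a number."""
    return int(token) if token.isdigit() else WELL_KNOWN[token]


@dataclass
class Static:
    mapped_host: str
    real_host: str
    proto: Optional[str] = None        # None: whole-host static, all protocols/ports
    mapped_port: Optional[int] = None
    real_port: Optional[int] = None

    def matches(self, dst_host: str, proto: str, dst_port: int) -> bool:
        if dst_host != self.mapped_host:
            return False
        if self.proto is None:          # whole-host static matches every port
            return True
        return proto == self.proto and dst_port == self.mapped_port

    def translate(self, dst_port: int):
        # A port static rewrites the port; a whole-host static keeps it.
        return self.real_host, (self.real_port if self.proto else dst_port)


def parse_statics(config_text: str):
    """Collect static lines in config order; order is what matters here."""
    statics = []
    for line in config_text.splitlines():
        m = STATIC_RE.match(line.strip())
        if not m:
            continue
        if m.group("proto"):
            statics.append(Static(m.group("mapped"), m.group("real"), m.group("proto"),
                                  port_num(m.group("mport")), port_num(m.group("rport"))))
        else:
            statics.append(Static(m.group("mapped2"), m.group("real2")))
    return statics


def lookup(statics, dst_host: str, proto: str, dst_port: int):
    """First matching static wins; later, more specific ones are never reached."""
    for s in statics:
        if s.matches(dst_host, proto, dst_port):
            return s.translate(dst_port)
    return None


# The two lines from the thread, whole-host static first (the order the reply warns about).
BROKEN_ORDER = """\
static (inside,outside) Server-exch_o Server-exch_i netmask 255.255.255.255 0 0
static (inside,outside) tcp Server-exch_o 1234 Server-exch_i www netmask 255.255.255.255 0 0
"""

# Same two lines with the port static first, as the reply recommends.
FIXED_ORDER = """\
static (inside,outside) tcp Server-exch_o 1234 Server-exch_i www netmask 255.255.255.255 0 0
static (inside,outside) Server-exch_o Server-exch_i netmask 255.255.255.255 0 0
"""


def inbound_1234(config_text: str):
    """Where does an outside connection to Server-exch_o:1234 end up?"""
    return lookup(parse_statics(config_text), "Server-exch_o", "tcp", 1234)


if __name__ == "__main__":
    print("whole static first:", inbound_1234(BROKEN_ORDER))  # ('Server-exch_i', 1234)
    print("port static first: ", inbound_1234(FIXED_ORDER))   # ('Server-exch_i', 80)
```

With the whole-host static first, the connection is sent to Server-exch_i on port 1234, where nothing is listening, which is consistent with a silent timeout rather than a reset; with the port static first it lands on port 80, and every other port still falls through to the whole-host static.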

I do have the port redirect first, then the whole static. )-;

I'm pretty sure I've cleared the xlate too.

Is there something I can debug to see the packets that are coming in?

Thanks,

Scott