port forwarding pix

Unanswered Question
Mar 5th, 2007

Hello,

I have a problem forwarding port 25 from my outside interface to port 25 on my DMZ interface.

Here is my configuration :

PIX Version 6.2(1)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 DMZ security10

enable password xxx

hostname pix-rgi

access-list acl-outside permit tcp any host 12.34.56.78 eq smtp

access-list acl-outside permit tcp host 82.67.xx.xx host 12.34.56.78 eq 65437

access-list acl-outside permit tcp host 82.67.xx.xx host 12.34.56.78 eq 65439

access-list acl-outside permit tcp any host 12.34.56.78 eq www

access-list acl-outside permit tcp any host 12.34.56.78 eq https

access-list acl-outside permit tcp any host 12.34.56.78 eq 65435

access-list acl-outside permit ip host 82.67.xx.xx any

access-list acl-dmz permit tcp host 192.168.30.25 host 192.168.10.54

access-list acl-dmz permit tcp host 192.168.30.252 host 192.168.10.52 eq domain

access-list acl-dmz permit tcp host 192.168.30.252 host 192.168.2.10 eq domain

access-list acl-dmz permit ip host 192.168.30.25 host 192.168.10.52

access-list acl-dmz permit tcp host 192.168.30.252 any

access-list acl-dmz deny tcp 192.168.30.0 255.255.255.0 192.168.0.0 255.255.0.0

access-list acl-dmz permit ip 192.168.30.0 255.255.255.0 any

access-list cap permit tcp any host 12.34.56.78 eq smtp

interface ethernet0 auto

interface ethernet1 auto

interface ethernet2 auto

ip address outside 12.34.56.78 255.255.255.252

ip address inside 192.168.10.253 255.255.255.0

ip address DMZ 192.168.30.1 255.255.255.0

ip verify reverse-path interface outside

ip verify reverse-path interface inside

ip verify reverse-path interface DMZ

ip audit name information_outside info action alarm

ip audit name attaque_outside attack action alarm drop reset

ip audit interface outside information_outside

ip audit interface outside attaque_outside

ip audit info action alarm

ip audit attack action alarm

ip local pool seb 192.168.200.10-192.168.200.12

global (outside) 1 12.34.56.73-12.34.56.74 netmask 255.255.255.0

global (outside) 1 12.34.56.75

nat (inside) 1 192.168.2.10 255.255.255.255 0 0

nat (inside) 1 192.168.3.32 255.255.255.255 0 0

nat (inside) 1 192.168.3.210 255.255.255.255 0 0

nat (inside) 1 192.168.10.0 255.255.255.0 0 0

nat (inside) 1 Administratif 255.255.255.0 0 0

nat (DMZ) 1 192.168.30.25 255.255.255.255 0 0

nat (DMZ) 1 192.168.30.252 255.255.255.255 0 0

static (inside,outside) tcp interface 65435 192.168.10.250 ssh netmask 255.255.255.255 0 0

static (inside,outside) tcp interface 65439 192.168.10.54 ssh netmask 255.255.255.255 0 0

static (inside,outside) tcp interface www 192.168.10.250 www netmask 255.255.255.255 0 0

static (DMZ,outside) tcp 12.34.56.78 smtp 192.168.30.25 smtp netmask 255.255.255.255 0 0

static (inside,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.0.0 0 0

access-group acl-outside in interface outside

access-group acl-dmz in interface DMZ

route outside 0.0.0.0 0.0.0.0 12.34.56.78 1

route inside 192.168.2.0 255.255.255.0 192.168.10.1 1

route inside 192.168.3.0 255.255.255.0 192.168.10.1 1

route inside 192.168.4.0 255.255.255.0 192.168.10.1 1

route inside 192.168.5.0 255.255.255.0 192.168.10.1 1

route inside 192.168.6.0 255.255.255.0 192.168.10.1 1

route inside 192.168.7.0 255.255.255.0 192.168.10.1 1

route inside 192.168.8.0 255.255.255.0 192.168.10.1 1

route inside Administratif 255.255.255.0 192.168.10.1 1

route inside 192.168.12.0 255.255.255.0 192.168.10.1 1

route DMZ 192.168.30.2 255.255.255.255 192.168.30.1 1

I can't find what's wrong with the access-list / static / nat rules.

Please help

Thank You

ASCLAR Sebastien

kaachary Mon, 03/05/2007 - 02:52

Hi,

Try this :

no static (DMZ,outside) tcp 12.34.56.78 smtp 192.168.30.25 smtp netmask 255.255.255.255

static (DMZ,outside) tcp interface smtp 192.168.30.25 smtp netmask 255.255.255.255

*Please rate if helped.

-Kanishka

Kamal Malhotra Mon, 03/05/2007 - 06:05

Hi,

Please also add the following commands :

access-list acl-outside permit tcp any interface outside

access-list acl-dmz line 1 permit ip host 192.18.30.25 any

HTH,

*Please rate if helps,

Regards,

Kamal

Kamal Malhotra Mon, 03/05/2007 - 06:05

Small correction :

The first command should be :

access-list acl-outside permit tcp any interface outside eq 25

Regards,

Kamal

notredame Mon, 03/05/2007 - 06:17

I added the 2 lines but it still does not work.

Thank you for the help.
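
An added example, not part of any post in this thread: a small Python check for the two things the replies above adjust, namely whether a static port redirection names the interface's own IP literally instead of using the `interface` keyword, and whether the ACL bound to that interface permits the mapped port. The function name, finding labels and the sample (a constructed subset of the posted configuration) are assumptions; the ACL match only looks at `permit tcp ... eq <port>` entries with an `any`, `host` or `interface` destination and ignores source restrictions.

```python
import re

# PIX port keywords that appear on this page, mapped to numbers for comparison.
PORTS = {"smtp": "25", "www": "80", "https": "443", "ssh": "22"}
ACL_RE = re.compile(r"access-list (\S+) permit tcp (?:.* )?(any|host \S+|interface \S+) eq (\S+)\s*$")
STATIC_RE = re.compile(r"static \((\S+),(\S+)\) tcp (\S+) (\S+) (\S+) (\S+)")

# Constructed sample: a subset of the configuration posted in the question.
SAMPLE = """\
access-list acl-outside permit tcp any host 12.34.56.78 eq smtp
access-list acl-outside permit tcp any host 12.34.56.78 eq www
ip address outside 12.34.56.78 255.255.255.252
ip address DMZ 192.168.30.1 255.255.255.0
static (inside,outside) tcp interface www 192.168.10.250 www netmask 255.255.255.255 0 0
static (DMZ,outside) tcp 12.34.56.78 smtp 192.168.30.25 smtp netmask 255.255.255.255 0 0
access-group acl-outside in interface outside
"""

def audit(config):
    """Return (finding, mapped_port, real_ip) tuples for static PAT entries."""
    addr, bound, permits, statics = {}, {}, [], []
    for line in map(str.strip, config.splitlines()):
        t = line.split()
        if t[:2] == ["ip", "address"] and len(t) >= 4:
            addr[t[2]] = t[3]                  # interface name -> its IP address
        elif t[:1] == ["access-group"] and len(t) == 5:
            bound[t[4]] = t[1]                 # interface name -> inbound ACL
        elif m := ACL_RE.match(line):
            permits.append(m.groups())         # (acl, destination, port)
        elif m := STATIC_RE.match(line):
            statics.append(m.groups())

    def resolve(dest):
        # "any" stays "any", "host X" -> X, "interface IF" -> that interface's IP
        kind, _, value = dest.partition(" ")
        return addr.get(value) if kind == "interface" else (value or kind)

    allowed = {(acl, resolve(d), PORTS.get(p, p)) for acl, d, p in permits}
    findings = []
    for _real_if, map_if, map_addr, map_port, real_ip, _real_port in statics:
        ip = addr.get(map_if) if map_addr == "interface" else map_addr
        port, acl = PORTS.get(map_port, map_port), bound.get(map_if)
        if map_addr == addr.get(map_if):       # literal interface IP, not the keyword
            findings.append(("literal-interface-ip", map_port, real_ip))
        if not {(acl, ip, port), (acl, "any", port)} & allowed:
            findings.append(("no-acl-permit", map_port, real_ip))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```
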
