04-20-2007 11:27 PM - edited 03-03-2019 04:39 PM
I have a PIX 515-E firewall which is giving me a problem.
Inside our private network, we have a local host behind my inside interface; call it HOST-A, IP 192.168.1.2.
From the Internet, we have assigned 2 public IPs, both pointing to (NAT to) HOST-A, serving 2 different purposes:
- One public IP: 202.1.1.3 to serve HTTP traffic
- Another public IP: 202.1.1.4 to serve POP-3 traffic.
I had used a dynamic IP pool so that both public IPs are NATed to the same private IP, 192.168.1.2, at my outside interface.
However, I found that I need to create another NAT at my inside interface, i.e. 192.168.1.2 NAT to 202.1.1.3.
However, I also found that I cannot create another NAT rule for 192.168.1.2 to NAT to 202.1.1.4.
As such, our POP-3 traffic becomes inaccessible.
Is it a limitation in the PIX firewall?
My PIX details:
sh version
Cisco PIX Security Appliance Software Version 7.2(2)
Device Manager Version 5.2(2)
Config details:
name 202.1.1.3 IP-HTTP
name 202.1.1.4 IP-POP
name 192.168.1.2 HOST-A
access-list outside_access_in extended permit tcp any host IP-HTTP object-group WEB-SERVICES
access-list outside_access_in extended permit tcp any host IP-POP object-group TCP-POP3-IMAP
global (inside) 1 HOST-A netmask 255.255.255.255
nat (outside) 1 IP-HTTP 255.255.255.255 outside
nat (outside) 1 IP-POP 255.255.255.255 outside
static (inside,outside) IP-HTTP HOST-A netmask 255.255.255.255
04-20-2007 11:53 PM
Hi
I think you do not need the nat statements, as you are doing it for the same IP, and you need to create a statement in the access list, not a separate access-list.
Try this config:
static (inside,outside) (global ip) (private ip) netmask 255.255.255.255
access-list outside_in permit tcp any host (global ip) eq 80
access-list outside_in permit tcp any host (global ip) eq pop3 (your POP3 port number)
And you need to apply it inbound to your outside interface.
See if it works.
Thanks
Mahmood
04-22-2007 08:20 PM
Managed to solve the problem with the following configuration:
global (outside) 1 202.1.1.3
static (inside,outside) tcp 202.1.1.3 www 192.168.1.2 www netmask 255.255.255.255
static (inside,outside) tcp 202.1.1.4 pop3 192.168.1.2 pop3 netmask 255.255.255.255
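The following is an added example, not Cisco code and not either poster's configuration: a small Python model of how a PIX 7.x resolves an inbound connection against its static translations. It reproduces the two situations in this thread, the original attempt at a second one-to-one static for the same inside host (rejected as an overlapping entry) and the final port-level static PAT, where each public IP only claims one TCP port and so both can map onto 192.168.1.2. The class names (Static, XlateTable) and the overlap rule are assumptions that simplify the appliance's real checks; the addresses are the ones used in the thread.

```python
"""Model of PIX static translations: one-to-one 'static' vs port-level static PAT.
Added example; the overlap rule is a simplification of the real appliance checks."""

from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Static:
    """One 'static (inside,outside) ...' line (hypothetical model, not Cisco's data structure)."""
    mapped_ip: str                    # public address seen on the outside interface
    real_ip: str                      # inside host
    proto: Optional[str] = None       # 'tcp'/'udp' for port-level static PAT, None for one-to-one
    mapped_port: Optional[int] = None
    real_port: Optional[int] = None

    @property
    def is_pat(self) -> bool:
        return self.proto is not None


class XlateTable:
    def __init__(self) -> None:
        self.statics: List[Static] = []

    def add(self, new: Static) -> None:
        """Reject an entry that overlaps an existing one (simplified PIX behaviour)."""
        for old in self.statics:
            both_one_to_one = not old.is_pat and not new.is_pat
            # A second one-to-one static for an already mapped real or mapped address conflicts.
            if both_one_to_one and (old.real_ip == new.real_ip or old.mapped_ip == new.mapped_ip):
                raise ValueError(f"{new} overlaps existing one-to-one static {old}")
            # Two port-level statics may share a real host, but not the same public socket.
            same_mapped_socket = (old.is_pat and new.is_pat
                                  and (old.mapped_ip, old.proto, old.mapped_port)
                                  == (new.mapped_ip, new.proto, new.mapped_port))
            if same_mapped_socket:
                raise ValueError(f"{new} reuses the mapped socket of {old}")
        self.statics.append(new)

    def translate_inbound(self, dst_ip: str, proto: str, dst_port: int) -> Optional[Tuple[str, int]]:
        """Resolve the inside destination for a packet arriving on the outside interface."""
        # Port-level entries are more specific, so they are consulted before one-to-one statics.
        for s in self.statics:
            if s.is_pat and (s.mapped_ip, s.proto, s.mapped_port) == (dst_ip, proto, dst_port):
                return s.real_ip, s.real_port
        for s in self.statics:
            if not s.is_pat and s.mapped_ip == dst_ip:
                return s.real_ip, dst_port
        return None  # no translation: the packet is dropped


def original_attempt() -> str:
    """The first approach from the thread: a second one-to-one static for the same host."""
    table = XlateTable()
    table.add(Static("202.1.1.3", "192.168.1.2"))
    try:
        table.add(Static("202.1.1.4", "192.168.1.2"))
    except ValueError as exc:
        return f"rejected: {exc}"
    return "accepted"


def working_config() -> XlateTable:
    """The final post's static PAT lines: one inside host, two distinct public sockets."""
    table = XlateTable()
    table.add(Static("202.1.1.3", "192.168.1.2", "tcp", 80, 80))     # www
    table.add(Static("202.1.1.4", "192.168.1.2", "tcp", 110, 110))   # pop3
    return table


if __name__ == "__main__":
    print(original_attempt())
    table = working_config()
    for dst, port in (("202.1.1.3", 80), ("202.1.1.4", 110), ("202.1.1.3", 110)):
        print(dst, port, "->", table.translate_inbound(dst, "tcp", port))
```

The third lookup (202.1.1.3 on port 110) returns no translation, which is the point of the port-level form: each public address only exposes the single service it was created for, and anything else sent to it has no xlate and is dropped before the inbound access-list is even relevant. The access-list still has to permit the mapped address and port, as in the outside_access_in lines earlier in the thread.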