06-27-2007 11:50 AM - edited 03-11-2019 03:36 AM
I've a PIX-515 firewall, running 7.2.2, in front of a private network. Servers in the private network are statically mapped to the external interface like this:
static (inside,outside) tcp host-outside www host-inside 8080 netmask 255.255.255.255
The problem is, now ICMP is not translated anymore. If I try to ping host-outside from the Internet, the firewall says "Deny inbound icmp src outside" even though ICMP is allowed by the ACL to all destinations on the outside interface.
I tried to add something like this:
static (inside,outside) host-outside host-inside netmask .......
But then the firewall tells me there's a conflict between this more general mapping, and the existing more specific mapping.
How can I keep the TCP 80 -> 8080 mapping but also translate inbound ICMP requests?
06-27-2007 12:04 PM
You would have to remove all port translations and add a 1 to 1 static. That may or may not work for you as you may have other inside servers using this outside address.
no static (inside,outside) tcp host-outside www host-inside 8080 netmask 255.255.255.255
static (inside,outside) host-outside host-inside netmask .......
06-27-2007 01:19 PM
That won't work, because port 8080 on the actual server needs to be translated as port 80 on the external address.
There are multiple servers in that environment, all of them accessible from the outside over port 80, which is translated by the firewall as port 8080 on the actual machines.
Each server has its own public address on the outside.
06-27-2007 02:16 PM
Which is why I said "That may or may not work for you as you may have other inside servers using this outside address."