PIX 515e 6.3. Port redirect question

Unanswered Question
Sep 8th, 2008

This is what I currently have:


access-list incoming permit tcp any host 2.3.245.131 eq www

access-list incoming permit tcp any host 2.3.245.131 eq https


ip address outside 2.3.245.134 255.255.255.192


static (inside,outside) 2.3.245.131 192.168.1.10 netmask 255.255.255.255 0 0




But I want to redirect SMTP traffic to 192.168.1.6. I know the syntax for:


static (inside,outside) tcp interface www 192.168.1.10 www netmask 255.255.255.255

static (inside,outside) tcp interface https 192.168.1.10 https netmask 255.255.255.255


But if I were to use:


static (inside,outside) tcp interface smtp 192.168.1.6 smtp netmask 255.255.255.255



Wouldn't that be a problem? One that "interface" is referring to "2.3.245.134", NOT the .131 address I need the traffic to go to.




So how do I do this? How do I redirect SMTP traffic from an IP address that lies behind the "outside" interface to one LAN address, while redirecting HTTPS and WWW traffic to another LAN address?




Any help would be greatly appreciated!




satish_zanjurne Mon, 09/08/2008 - 22:26


Hi,


1. PAT address can be a virtual address, different from outside address.

2. It should be reachable from internet/outside.

3. If you want to use the "interface" keyword in your static statements, you need to modify your incoming access-list to permit to 2.3.245.134 instead of 2.3.245.131

4. And the way you have redirected WWW & HTTPS traffic, you can redirect SMTP also the same way.


HTH...rate if helpful..





Armegeden Tue, 09/09/2008 - 03:14

Hmm,


I do not think I am understanding.


2.3.245.131 is an IP address within our block. 2.3.245.134 happens to be the address we gave to the PIX. x.131 is the address we're using for Mail.


I need to keep x.134 the outside address, but I need to route SMTP traffic destined for x.131 to a different LAN address than WWW/HTTPS. But both SMTP+WWW/HTTPS will be going toward WAN address x.131.


Does this make sense?


I believe I have the access-list statements correct. It's the static mapping I'm having trouble with.


Basically I need this to happen:


static (inside,outside) tcp 2.3.245.131 www 192.168.1.10 www netmask 255.255.255.255

static (inside,outside) tcp 2.3.245.131 https 192.168.1.10 https netmask 255.255.255.255

static (inside,outside) tcp 2.3.245.131 smtp 192.168.1.6 smtp netmask 255.255.255.255


But I keep getting an error...




satish_zanjurne Tue, 09/09/2008 - 05:52


1. If you are using 2.3.245.131 as outside address for static, then access-list is correct


2. If you are using 2.3.245.134, which is the outside interface address, as you have mentioned, then access-list should contain 2.3.245.134


3. Your configuration is correct


4. What is the error you are getting?


Also refer below mentioned document..


http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804708b4.shtml#t10


HTH...rate if helpful..
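
The rule from the replies above (the access-list has to permit the address the static statement maps, which is the outside interface address when the "interface" keyword is used), as an added example that is not part of the original thread: a Python check run over a constructed PIX 6.3 config built from the thread's addresses. It assumes the "incoming" list is the one applied to the outside interface and that entries use the single-line forms and port names shown in this thread.

```python
import re

# Constructed sample: the thread's addresses, with the three port redirects
# the poster wants and the two ACL entries the poster already has.
SAMPLE = """\
ip address outside 2.3.245.134 255.255.255.192
access-list incoming permit tcp any host 2.3.245.131 eq www
access-list incoming permit tcp any host 2.3.245.131 eq https
static (inside,outside) tcp 2.3.245.131 www 192.168.1.10 www netmask 255.255.255.255
static (inside,outside) tcp 2.3.245.131 https 192.168.1.10 https netmask 255.255.255.255
static (inside,outside) tcp 2.3.245.131 smtp 192.168.1.6 smtp netmask 255.255.255.255
"""

# Only the statement forms that appear in the thread are matched (assumption).
IFACE_RE = re.compile(r"^ip address outside (\S+) \S+$")
ACL_RE = re.compile(r"^access-list (\S+) permit tcp any host (\S+) eq (\S+)$")
PAT_RE = re.compile(r"^static \(inside,outside\) tcp (\S+) (\S+) (\S+) (\S+) netmask \S+")


def audit(config, acl_name="incoming"):
    """Return port redirects lacking a permit, as (mapped_ip, port, inside_ip)."""
    outside_ip, permits, redirects = None, set(), []
    for line in (raw.strip() for raw in config.splitlines()):
        if m := IFACE_RE.match(line):
            outside_ip = m.group(1)
        elif (m := ACL_RE.match(line)) and m.group(1) == acl_name:
            permits.add((m.group(2), m.group(3)))
        elif m := PAT_RE.match(line):
            redirects.append(m.group(1, 2, 3))
    missing = []
    for mapped, port, inside in redirects:
        # "interface" stands for the address configured on the outside interface
        if mapped == "interface":
            mapped = outside_ip
        # Ports are compared literally, so "smtp" and "25" are not treated as equal
        if (mapped, port) not in permits:
            missing.append((mapped, port, inside))
    return missing


if __name__ == "__main__":
    for mapped, port, inside in audit(SAMPLE):
        print(f"no permit for tcp {mapped} eq {port} (redirects to {inside})")
```

On the sample, only the SMTP redirect is reported, because the list permits www and https to 2.3.245.131 but has no smtp entry.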
