PIX 515e 6.3. Port redirect question

Armegeden
Level 1

This is what I currently have:

access-list incoming permit tcp any host 2.3.245.131 eq www

access-list incoming permit tcp any host 2.3.245.131 eq https

ip address outside 2.3.245.134 255.255.255.192

static (inside,outside) 2.3.245.131 192.168.1.10 netmask 255.255.255.255 0 0

But I want to redirect SMTP traffic to 192.168.1.6. I know the syntax for:

static (inside,outside) tcp interface www 192.168.1.10 www netmask 255.255.255.255

static (inside,outside) tcp interface https 192.168.1.10 https netmask 255.255.255.255

But if I were to use:

static (inside,outside) tcp interface smtp 192.168.1.6 smtp netmask 255.255.255.255

Wouldn't that be a problem? One being that "interface" is referring to "2.3.245.134", NOT the .131 address I need the traffic to go to.

So how do I do this? How do I redirect SMTP traffic from an IP address that lies behind the "outside" interface to one LAN address, while redirecting HTTPS and WWW traffic to another LAN address?

Any help would be greatly appreciated!


satish_zanjurne
Level 4

Hi,

1. The PAT address can be a virtual address, different from the outside address.

2. It should be reachable from the internet/outside.

3. If you want to use the "interface" keyword in your static statements, you need to modify your incoming access-list to permit to 2.3.245.134 instead of 2.3.245.131.

4. And the way you have redirected WWW & HTTPS traffic, you can redirect SMTP the same way.

HTH...rate if helpful..

Hmm,

I do not think I am understanding.

2.3.245.131 is an IP address within our block. 2.3.245.134 happens to be the address we gave to the PIX. x.131 is the address we're using for Mail.

I need to keep x.134 as the outside address, but I need to route SMTP traffic destined for x.131 to a different LAN address than WWW/HTTPS. But both SMTP and WWW/HTTPS will be going toward WAN address x.131.

Does this make sense?

I believe I have the access-list statements correct. It's the static mapping I'm having trouble with.

Basically I need this to happen:

static (inside,outside) tcp 2.3.245.131 www 192.168.1.10 www netmask 255.255.255.255

static (inside,outside) tcp 2.3.245.131 https 192.168.1.10 https netmask 255.255.255.255

static (inside,outside) tcp 2.3.245.131 smtp 192.168.1.6 smtp netmask 255.255.255.255

But I keep getting an error...

1. If you are using 2.3.245.131 as the outside address for the static, then the access-list is correct.

2. If you are using 2.3.245.134, which is the outside interface address, as you have mentioned, then the access-list should contain 2.3.245.134.

3. Your configuration is correct.

4. What is the error you are getting?

Also refer to the document mentioned below:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804708b4.shtml#t10

HTH...rate if helpful..

Try this

static (inside,outside) tcp 2.3.245.131 www 192.168.1.10 www netmask 255.255.255.255 0 0

static (inside,outside) tcp 2.3.245.131 https 192.168.1.10 https netmask 255.255.255.255 0 0

static (inside,outside) tcp 2.3.245.131 smtp 192.168.1.6 smtp netmask 255.255.255.255 0 0
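
Added example, not part of the original thread or any Cisco tooling: a small Python audit that cross-checks each static port redirect against the inbound access-list, following the point made in the replies that the ACL must permit the address the static actually uses (the mapped address, or the interface address when "interface" is used). The function name `audit`, the regexes and the combined sample config (assembled from lines quoted in the thread) are assumptions for illustration; ports are compared as written, so `smtp` and `25` are treated as different.

```python
import re

# Constructed sample: lines quoted in the thread, combined into one PIX 6.3 config.
CONFIG = """\
access-list incoming permit tcp any host 2.3.245.131 eq www
access-list incoming permit tcp any host 2.3.245.131 eq https
ip address outside 2.3.245.134 255.255.255.192
static (inside,outside) 2.3.245.131 192.168.1.10 netmask 255.255.255.255 0 0
static (inside,outside) tcp 2.3.245.131 www 192.168.1.10 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 2.3.245.131 https 192.168.1.10 https netmask 255.255.255.255 0 0
static (inside,outside) tcp 2.3.245.131 smtp 192.168.1.6 smtp netmask 255.255.255.255 0 0
"""

ACL = re.compile(r"access-list (\S+) permit (tcp|udp) any host (\S+) eq (\S+)")
PAT = re.compile(r"static \(\S+?,(\S+?)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+) netmask")
NAT = re.compile(r"static \(\S+?,\S+?\) (\d\S*) (\d\S*) netmask")
IFADDR = re.compile(r"ip address (\S+) (\d\S+) \S+")

def audit(config):
    """Return findings for static port redirects in a PIX 6.3 style config."""
    permits, pats, nats, ifaddr = set(), [], set(), {}
    for line in config.splitlines():
        line = line.strip()
        if m := ACL.match(line):
            permits.add((m[2], m[3], m[4]))          # (proto, dest host, port)
        elif m := PAT.match(line):
            pats.append((m[1], m[2], m[3], m[4], m[5], m[6]))
        elif m := NAT.match(line):
            nats.add(m[1])                           # one-to-one global address
        elif m := IFADDR.match(line):
            ifaddr[m[1]] = m[2]                      # interface name -> address
    findings = []
    for ifname, proto, glob, gport, local, lport in pats:
        # "interface" stands for the address of the named (outside) interface
        addr = ifaddr.get(ifname, glob) if glob == "interface" else glob
        if (proto, addr, gport) not in permits:
            findings.append(f"no ACL permit for {proto} {addr} eq {gport} -> {local}")
        if addr in nats:
            findings.append(f"{addr} {gport}: global address also used by a one-to-one static")
    return findings

if __name__ == "__main__":
    for finding in audit(CONFIG):
        print(finding)
```

On the sample, the audit reports that no access-list entry permits SMTP to 2.3.245.131 and that the port redirects share their global address with the existing one-to-one static.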
