Port translation question

Unanswered Question
Mar 15th, 2010

Hi,


I'm trying to set up PAT for an SMTP server which I'm told can only run on the standard port 25 on the server. However, as this is blocked by many ISPs, I've been asked to set up a translation on the firewall (PIX 525 running software v 8.04) for traffic coming in towards the server on port 225 to 25, which is fine and I'm able to do; however, it also still needs to accept connections on 25, which is where I'm running into problems.


A static translation such as the following stops port 25 being reachable directly, because the PIX is translating the source port to 225 for return traffic, so although it is reachable on port 225 it's not reachable on 25 because of this command.


static (inside,outside) tcp 217.*.1.43 225 217.*.1.43 smtp netmask 255.255.255.255



Any advice on how to PAT but also not PAT would be appreciated.


thanks

Chris

Federico Coto F... Mon, 03/15/2010 - 18:12
User Badges:
  • Green, 3000 points or more

Hi,


As you mentioned, this is not going to work, because when the PIX receives the reply back from port 25 it knows it should send it out using port 225.


If you add another statement for example:

static (inside,outside) tcp 217.*.1.43 smtp 217.*.1.43 smtp netmask 255.255.255.255

Then, the PIX will not know when returning the traffic from port 25 to which port to send it.
Port 225 or port 25?


The alternative is not to use PAT, but to use a regular static NAT (if possible):

static (inside,outside) 217.*.1.43 217.*.1.43 netmask 255.255.255.255


Or make the server listen itself on port 225 as well, so you can have on the PIX:

static (inside,outside) tcp 217.*.1.43 225 217.*.1.43 225 netmask 255.255.255.255
static (inside,outside) tcp 217.*.1.43 smtp 217.*.1.43 smtp netmask 255.255.255.255


Federico.

chrisgray1 Tue, 03/16/2010 - 00:55

Hi,


Ok, so there is no real way of doing this on the firewall then, with the real port and another port on the outside both mapped to the real port on the inside?


thanks

Chris


vilaxmi Mon, 03/15/2010 - 22:22
User Badges:
  • Cisco Employee,

Hello,


If you want to allow both ports 225 and 25 to be open at the same time for the server, the best way is to use simple static translation rule:


static(in,out)   netmask 255.255.255.255


And now, if you wish to restrict access to the server to only the above-mentioned ports, you can make use of extended ACLs with port numbers (25 and 225).


HTH


Vijaya
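To make the two replies above concrete, here is an added, stand-alone Python model of PIX-style static translation lookups. It is illustration written for this thread, not PIX code and not a description of PIX internals: it treats a static as a stateless rule in a table and resolves replies by looking the real socket back up in that table (that stateless reverse lookup is an assumption made for illustration). The IP address 203.0.113.43 is a constructed placeholder for the thread's masked 217.*.1.43. It shows Federico's point (two statics ending on the same real port leave the reply lookup ambiguous, so the model refuses the configuration) and Vijaya's suggestion (a 1:1 static plus an ACL permitting only tcp/25 and tcp/225), including the consequence Federico notes: with a 1:1 static, traffic to 225 reaches the server on 225, so the server must listen there.

```python
# Added illustration for this thread: a stateless model of PIX-style static
# translation lookups. NOT PIX code; the addresses are constructed placeholders.
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple, Union

Endpoint = Tuple[str, int]          # (ip, tcp_port)
SERVER_IP = "203.0.113.43"          # placeholder for the thread's masked 217.*.1.43


@dataclass(frozen=True)
class StaticPAT:
    """static (inside,outside) tcp <mapped ip> <mapped port> <real ip> <real port>"""
    mapped: Endpoint
    real: Endpoint


@dataclass(frozen=True)
class StaticNAT:
    """static (inside,outside) <mapped ip> <real ip>  (every port carried through)"""
    mapped_ip: str
    real_ip: str


Rule = Union[StaticPAT, StaticNAT]


class Translator:
    def __init__(self, rules: Iterable[Rule], acl_ports: Optional[Set[int]] = None):
        self.rules: List[Rule] = list(rules)
        self.acl_ports = acl_ports      # None means no inbound port filter
        self._reject_ambiguous_reverse()

    def _reverse_candidates(self, src: Endpoint) -> List[Endpoint]:
        """Every mapped socket a reply from real socket `src` could be rewritten to."""
        out: List[Endpoint] = []
        for r in self.rules:
            if isinstance(r, StaticPAT) and r.real == src:
                out.append(r.mapped)
            elif isinstance(r, StaticNAT) and r.real_ip == src[0]:
                out.append((r.mapped_ip, src[1]))
        return out

    def _reject_ambiguous_reverse(self) -> None:
        # Federico's point: two statics translating to the same real socket leave
        # the reply lookup with two answers (225 or 25?), so refuse the config.
        for r in self.rules:
            if isinstance(r, StaticPAT) and len(self._reverse_candidates(r.real)) > 1:
                raise ValueError(f"real socket {r.real} is translated by more than one static")

    def inbound(self, dst: Endpoint) -> Optional[Endpoint]:
        """Translate the destination of a packet arriving from outside; None = dropped."""
        if self.acl_ports is not None and dst[1] not in self.acl_ports:
            return None                                   # denied by the extended ACL
        for r in self.rules:
            if isinstance(r, StaticPAT) and r.mapped == dst:
                return r.real
            if isinstance(r, StaticNAT) and r.mapped_ip == dst[0]:
                return (r.real_ip, dst[1])                # port carried through unchanged
        return None                                       # no static covers it: unreachable

    def outbound(self, src: Endpoint) -> Optional[Endpoint]:
        """Rewrite the source of the server's reply; None = no translation applies."""
        cands = self._reverse_candidates(src)
        return cands[0] if cands else None


def question_config() -> Translator:
    """Chris's single static: outside tcp/225 -> inside tcp/25."""
    return Translator([StaticPAT((SERVER_IP, 225), (SERVER_IP, 25))])


def both_pat_statics_rejected() -> bool:
    """Adding Federico's second line (tcp/25 -> tcp/25) makes the reply lookup ambiguous."""
    try:
        Translator([StaticPAT((SERVER_IP, 225), (SERVER_IP, 25)),
                    StaticPAT((SERVER_IP, 25), (SERVER_IP, 25))])
    except ValueError:
        return True
    return False


def static_nat_with_acl() -> Translator:
    """Vijaya's suggestion: 1:1 static plus an ACL permitting only tcp/25 and tcp/225."""
    return Translator([StaticNAT(SERVER_IP, SERVER_IP)], acl_ports={25, 225})


if __name__ == "__main__":
    q = question_config()
    print(q.inbound((SERVER_IP, 225)))   # ('203.0.113.43', 25): forwarded to SMTP
    print(q.outbound((SERVER_IP, 25)))   # ('203.0.113.43', 225): reply source rewritten
    print(both_pat_statics_rejected())   # True
    n = static_nat_with_acl()
    print(n.inbound((SERVER_IP, 225)))   # ('203.0.113.43', 225): server must listen on 225
    print(n.inbound((SERVER_IP, 110)))   # None: dropped by the ACL
```

Running the script walks through the thread's three configurations: the original port-forward (replies from 25 come back with source port 225, which is what Chris observed), the pair of overlapping statics (refused), and the 1:1 static with an ACL (25 and 225 pass through untranslated, everything else is dropped).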

chrisgray1 Tue, 03/16/2010 - 00:31

Hi,


Thanks, but the server only has SMTP running on port 25. I was trying to allow connections on 25 to get through untranslated, while connections coming in to port 225 are translated to port 25 at the same time.


Regards


Chris Gray


