Port translation question

chrisgray1
Level 1

Hi,

I'm trying to set up PAT for an SMTP server which I'm told can only run on the standard port 25 on the server; however, as this is blocked by many ISPs, I've been asked to set up a translation on the firewall (PIX 525 running software v 8.04) for traffic coming in towards the server on port 225 to 25, which is fine and I'm able to do this. However, it also needs to accept connections on 25 still, which is where I'm running into problems.

A static translation such as the following stops port 25 being reachable directly because the PIX is translating the source port to 225 for return traffic, so although it is reachable on port 225 it's not reachable on 25 because of this command.

static (inside,outside) tcp 217.*.1.43 225 217.*.1.43 smtp netmask 255.255.255.255

Any advice on how to PAT but also not PAT would be appreciated.

thanks

Chris

4 Replies

Hi,

As you mentioned, this is not going to work, because when the PIX receives the reply back from port 25 it knows it should send it out using port 225.

If you add another statement for example:

static (inside,outside) tcp 217.*.1.43 smtp 217.*.1.43 smtp netmask 255.255.255.255

Then, the PIX will not know when returning the traffic from port 25 to which port to send it.
Port 225 or port 25?

The alternative is not to use PAT, but to use a regular static NAT (if possible):

static (inside,outside) 217.*.1.43 217.*.1.43 netmask 255.255.255.255

Or make the server listen itself on port 225 as well, so you can have on the PIX:

static (inside,outside) tcp 217.*.1.43 225 217.*.1.43 225 netmask 255.255.255.255
static (inside,outside) tcp 217.*.1.43 smtp 217.*.1.43 smtp netmask 255.255.255.255

Federico.

Hi,

Ok, so there is no real way of doing this then on the firewall? With the real and another port on the outside mapped to the real port on the inside.

thanks

Chris

On Tue, Mar 16, 2010 at 1:13 AM, coto.fusionet <

vilaxmi
Cisco Employee

Hello,

If you want to allow both ports 225 and 25 to be open at the same time for the server, the best way is to use simple static translation rule:

static(in,out)   netmask 255.255.255.255

And now if you wish to restrict access to the server only on the above mentioned ports, you can make use of extended ACLs with port numbers (25 and 225).

HTH

Vijaya
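The one-to-one static plus port ACL that Federico's first alternative and Vijaya's reply describe, written out as an added example (not a configuration posted in this thread). It assumes interfaces named inside and outside, a placeholder public address 203.0.113.43 in place of the masked 217.*.1.43, PIX/ASA 8.0 syntax, and a server that listens on both tcp/25 and tcp/225 (Federico's second option), since a 1:1 static does not rewrite ports.

```cisco
! Added example, not from the thread. Placeholder address 203.0.113.43;
! interfaces assumed to be named inside/outside; PIX/ASA 8.0 syntax.
!
! One-to-one static (identity NAT, mapped = real). Unlike the port static,
! no port is rewritten, so return traffic is never ambiguous. The cost is
! that every listening port on the server is now translated, which is why
! the ACL below is what actually limits exposure.
static (inside,outside) 203.0.113.43 203.0.113.43 netmask 255.255.255.255
!
! Permit only the two SMTP ports from the outside; deny and log the rest.
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.43 eq smtp
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.43 eq 225
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
```

Because no port translation takes place, a client connecting to 225 reaches the server on 225, so the server itself must listen there; this is the trade-off the thread's replies point out.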

Hi,

Thanks, but the server only has SMTP running on port 25, but I was trying to allow connections on 25 to get through untranslated, while connections coming in to port 225 are translated to port 25 at the same time.

Regards

Chris Gray

On 16 Mar 2010, at 05:22, vijayalaxmi1
