Cisco Support Community
New Member

5525-x making port forwarding

Hi,

I've configured object NAT on the 5525-X firewall and permitted these ports in the ACL, but we cannot access these ports from outside. Are there any changes in this new firewall series?

Thanks.

object network xx_Exch_Rdp
  nat (Inside,Outside) static interface service tcp 3389 3389
object network xx_Exch_Send
  nat (Inside,Outside) static interface service tcp pop3 pop3
object network xx_Exch_Mapi
  nat (Inside,Outside) static interface service tcp imap4 imap4
object network xx_Exch_Pop3
  nat (Inside,Outside) static interface service tcp 587 587
object network xx_Exch_Smtp
  nat (Inside,Outside) static y.y.y.z service tcp smtp smtp

VIP Purple

Re: 5525-x making port forwarding

The NAT looks fine. What about the ACL? Remember that you have to use the real address in the ACL and not the public/NATed address.

So the ACL would be something like:

permit tcp any object xx_Exch_Rdp eq 3389
permit tcp any object xx_Exch_Send eq pop3
...

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

New Member

Re: 5525-x making port forwarding

I think the ACL also looks good to me... I'm using the real IP addresses. But you say to use the object; I'm using the host keyword here... Is that wrong?

object-group service DM_INLINE_TCP_1 tcp
 port-object eq 3389
 port-object eq 587
 port-object eq www
 port-object eq https
 port-object eq imap4
 port-object eq pop3
 port-object eq smtp
access-list Outside_access_in extended permit tcp any host PUBLIC_IP object-group DM_INLINE_TCP_1

VIP Purple

Re: 5525-x making port forwarding

The host keyword is perfectly fine. But it seems that you use the public IP in your ACL and not the real address. You need to use the address that your Exchange server has configured on its interface.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

New Member

Re: 5525-x making port forwarding

OK, then I will try with the real host IP address, which is a private IP. But we were using the public IP address on the older firewalls like the 5510 and 5520...

Thanks.

VIP Purple

5525-x making port forwarding

On the 5510/5520 you probably weren't running version 8.3+. That is where it changed from the public to the real address.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

New Member

Re: 5525-x making port forwarding

Thank you very much for the information. I will try these.

Regards.

New Member

5525-x making port forwarding

These NAT translations are two-way translations, is that right? So if the server wants to go to the internet, it will go out from the NATed IP?

VIP Purple

5525-x making port forwarding

Yes and no ... ;-)

They can be used from both sides, which is what static translations are for. But they are restricted to the TCP ports 3389/imap/pop3 ... on the server side. And as it is unlikely that the server initiates a connection with source port 110/143/..., you need an additional entry for outgoing connections.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

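The two points made in this thread, that an 8.3+ ASA evaluates the interface ACL against the real (untranslated) address and that a port-restricted static translation does not cover connections the server opens itself, can be checked with a small model of the ASA's order of operations. This is an added example written for this page, not code from the thread or from Cisco. The inside address 192.168.1.20, the outside interface address 203.0.113.10, the literal mapped address 203.0.113.11 and the `host` lines in the config fragment are constructed (the original post omits the `host` lines), and the model only covers static object NAT with a `service` clause and single-host ACL entries.

```python
"""
Model of the ASA 8.3+ order of operations for inbound object NAT with a
service restriction, plus the outside interface ACL.
Added example for this page, not code from the thread. All addresses and
the 'host' lines below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Service names used in the thread's config, resolved to port numbers.
PORT_NAMES = {"smtp": 25, "www": 80, "pop3": 110, "imap4": 143, "https": 443}

def port(token: str) -> int:
    return int(token) if token.isdigit() else PORT_NAMES[token]

@dataclass(frozen=True)
class StaticNat:
    obj: str          # object network name
    real_ip: str      # inside address from the 'host' line
    mapped_ip: str    # 'interface' resolved to the Outside address, or a literal
    proto: str
    real_port: int
    mapped_port: int

@dataclass(frozen=True)
class Ace:
    action: str       # 'permit' or 'deny'
    proto: str
    dst_ip: str       # address named with 'host' in the ACE
    dst_ports: frozenset

def parse_object_nat(config: str, outside_ip: str) -> List[StaticNat]:
    """Parse 'object network' blocks carrying a 'host' line and a
    'nat (in,out) static <mapped> service <proto> <real> <mapped>' line."""
    rules: List[StaticNat] = []
    name = real = None
    for raw in config.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[:2] == ["object", "network"]:
            name, real = t[2], None
        elif t[0] == "host":
            real = t[1]
        elif t[0] == "nat" and "static" in t and "service" in t:
            if real is None:
                raise ValueError(f"object {name} has no 'host' line")
            mapped = t[t.index("static") + 1]
            i = t.index("service")
            rules.append(StaticNat(name, real,
                                   outside_ip if mapped == "interface" else mapped,
                                   t[i + 1], port(t[i + 2]), port(t[i + 3])))
    return rules

def untranslate(rules, dst_ip, dst_port, proto="tcp") -> Optional[StaticNat]:
    """Inbound step 1: match the packet's destination against the mapped side."""
    for r in rules:
        if (r.proto, r.mapped_ip, r.mapped_port) == (proto, dst_ip, dst_port):
            return r
    return None

def acl_permits(acl, proto, dst_ip, dst_port) -> bool:
    for ace in acl:
        if ace.proto == proto and ace.dst_ip == dst_ip and dst_port in ace.dst_ports:
            return ace.action == "permit"
    return False  # implicit deny at the end of every ASA access-list

def inbound(rules, acl, dst_ip, dst_port, proto="tcp") -> Tuple[bool, str]:
    """8.3+ order: NAT untranslation first, then the ACL against the REAL address."""
    r = untranslate(rules, dst_ip, dst_port, proto)
    if r is None:
        return False, f"no static NAT for {dst_ip}/{dst_port}"
    if acl_permits(acl, proto, r.real_ip, r.real_port):
        return True, f"permitted to {r.real_ip}/{r.real_port} via object {r.obj}"
    return False, f"ACL has no entry for real address {r.real_ip}/{r.real_port}"

def outbound_source(rules, src_ip, src_port, proto="tcp") -> Optional[Tuple[str, int]]:
    """The static rule works in both directions, but only for its restricted real
    port; a connection the server opens from an ephemeral port matches nothing."""
    for r in rules:
        if (r.proto, r.real_ip, r.real_port) == (proto, src_ip, src_port):
            return r.mapped_ip, r.mapped_port
    return None

OUTSIDE_IP = "203.0.113.10"    # constructed: what 'interface' resolves to on Outside
EXCHANGE_IP = "192.168.1.20"   # constructed: the server's real (inside) address
CONFIG = f"""
object network xx_Exch_Rdp
 host {EXCHANGE_IP}
 nat (Inside,Outside) static interface service tcp 3389 3389
object network xx_Exch_Send
 host {EXCHANGE_IP}
 nat (Inside,Outside) static interface service tcp pop3 pop3
object network xx_Exch_Smtp
 host {EXCHANGE_IP}
 nat (Inside,Outside) static 203.0.113.11 service tcp smtp smtp
"""
RULES = parse_object_nat(CONFIG, OUTSIDE_IP)

SERVICE_PORTS = frozenset({3389, 587, 80, 443, 143, 110, 25})  # DM_INLINE_TCP_1 from the post
ACL_PUBLIC = [Ace("permit", "tcp", OUTSIDE_IP, SERVICE_PORTS)]  # 'host PUBLIC_IP', as posted
ACL_REAL = [Ace("permit", "tcp", EXCHANGE_IP, SERVICE_PORTS)]   # real address, as the reply advises

if __name__ == "__main__":
    for label, acl in (("ACL with public IP", ACL_PUBLIC), ("ACL with real IP", ACL_REAL)):
        print(label, inbound(RULES, acl, OUTSIDE_IP, 3389))
    print("server outbound from port 51000:", outbound_source(RULES, EXCHANGE_IP, 51000))
```

Run stand-alone, it reports a deny for the ACL written with the public address and a permit for the one written with the real address, and `None` for the server's own outbound connection from an ephemeral port, which is what the last reply means by needing an additional entry. On an 8.3+ ASA that entry is normally a dynamic PAT rule of the form `nat (Inside,Outside) dynamic interface` on a separate object covering the inside network; that rule is not shown anywhere in the thread and is mentioned here only as the usual shape of the fix.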