New Member

Pix 515E Port Forward

I'm having some trouble with port forwarding on a 515E pix.

I have the following commands in the config

static (inside,outside) tcp 11.11.11.11 smtp 10.0.0.55 smtp netmask 255.255.255.255 0 0

static (inside,outside) tcp 11.11.11.11 www 11.11.11.11 www netmask 255.255.255.255 0 0

The goal is to have smtp traffic go to 10.0.0.55 and http traffic to go to the 11.11.11.11 (a public ip). Problem is, none of the traffic is being port forwarded, it is going to the 11.11.11.11 address.

Any help is appreciated.

Dan Cox

3 REPLIES
Cisco Employee

Re: Pix 515E Port Forward

First of all,

you did not mention if you have an access list defined on the outside interface to allow this traffic.

You need to have the following config along with your existing config for this to work:

access-l 101 permit tcp any host 11.11.11.11 eq smtp

access-l 101 permit tcp any host 11.11.11.11 eq www

access-l 101 in interface outside

##############

Also:

Is 11.11.11.11 the outside interface IP address?

If that is true:

Use:

static (inside,outside) tcp interface smtp 10.0.0.55 smtp netmask 255.255.255.255 0 0

static (inside,outside) tcp interface www 11.11.11.11 www netmask 255.255.255.255 0 0

access-l 101 permit tcp any interface outside eq smtp

access-l 101 permit tcp any interface outside eq www

access-l 101 in interface outside

Do rate helpful posts.

Regards,

Sushil

New Member

Re: Pix 515E Port Forward

Sushil,

Thanks for the reply.

I do have an access list in place allowing the traffic and we have multiple "outside" IPs. I think the issue is with my nat/pat setup.

I should have mentioned that 1.1.1.34 is the server's address on the inside network (we don't nat everything). I originally wanted to forward all smtp traffic to 10.0.0.55, but let http traffic continue on to 1.1.1.34 (no nat). When I do show xlate | include 1.1.1.34 I get

Global 1.1.1.34 Local 1.1.1.34

When I clear xlate I get the same thing.

I'm expecting to see

Global 1.1.1.34(25) Local 10.0.0.55(25)

Global 1.1.1.34(80) Local 1.1.1.34(80)

And if I clear xlate enough I sometimes see this, but then it stops and goes back to Global 1.1.1.34 Local 1.1.1.34.

For testing purposes I changed static to

static (inside,outside) tcp 1.1.1.34 smtp 10.0.0.55 smtp netmask 255.255.255.255 0 0

static (inside,outside) tcp 1.1.1.34 www 10.0.0.34 www netmask 255.255.255.255 0 0

But I still get Global 1.1.1.34 Local 1.1.1.34

I don't have 1.1.1.34 in global or nat so I'm not sure why it's being globally translated to itself.

Thanks for the help.

Dan
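A small verification script, added here and not part of the thread: it parses `show xlate` lines in the format quoted above and reports whether the intended port statics (the `static (inside,outside) tcp ...` mappings) appear, and whether a whole-address entry that maps the global IP to itself is present on the same address. The sample xlate lines and the INTENDED mapping are constructed from the values in the posts.

```python
import re

# Constructed samples modelled on the "show xlate" lines quoted in the thread;
# not real captures from the poster's PIX.
XLATE_EXPECTED = """\
Global 1.1.1.34(25) Local 10.0.0.55(25)
Global 1.1.1.34(80) Local 1.1.1.34(80)
"""
XLATE_OBSERVED = "Global 1.1.1.34 Local 1.1.1.34\n"

# One xlate line: "Global A.B.C.D(port) Local E.F.G.H(port)". The (port) part
# is absent for a whole-address translation; "PAT Global ..." also matches.
XLATE_RE = re.compile(
    r"Global\s+(?P<g>[\d.]+)(?:\((?P<gp>\d+)\))?"
    r"\s+Local\s+(?P<l>[\d.]+)(?:\((?P<lp>\d+)\))?"
)


def parse_xlate(text):
    """Return (global_ip, global_port, local_ip, local_port) tuples;
    a port is None when the entry is a whole-address translation."""
    entries = []
    for line in text.splitlines():
        m = XLATE_RE.search(line)
        if m:
            gp = int(m.group("gp")) if m.group("gp") else None
            lp = int(m.group("lp")) if m.group("lp") else None
            entries.append((m.group("g"), gp, m.group("l"), lp))
    return entries


def check_port_forwards(text, expected):
    """expected maps (global_ip, port) -> (local_ip, port), i.e. the port
    statics the admin intends. Reports which appear in the xlate table,
    which do not, and any global IP of interest that is translated to
    itself as a whole address (the 'Global X Local X' line seen above)."""
    entries = parse_xlate(text)
    present = {(g, gp): (l, lp) for g, gp, l, lp in entries if gp is not None}
    ok = sorted(k for k, v in expected.items() if present.get(k) == v)
    missing = sorted(k for k in expected if k not in ok)
    wanted = {g for g, _ in expected}
    identity = sorted({g for g, gp, l, _ in entries
                       if gp is None and g == l and g in wanted})
    return {"ok": ok, "missing": missing, "identity": identity}


# Intended forwards from the thread: smtp -> 10.0.0.55, www stays on 1.1.1.34.
INTENDED = {("1.1.1.34", 25): ("10.0.0.55", 25),
            ("1.1.1.34", 80): ("1.1.1.34", 80)}
```

Run `check_port_forwards(XLATE_OBSERVED, INTENDED)` against pasted output; an empty `ok` list with the global IP listed under `identity` is the state described in the post, which is what to show alongside `sh run nat`, `sh run global` and `sh run static` when asking for help.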

Cisco Employee

Re: Pix 515E Port Forward

Please post,

sh run nat

sh run glo

sh run nat-control

sh run stat

If you are running 6.x:

sh nat

sh glo

sh static

Regards,

Sushil
