Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Port forwarding from IPCop to Cisco PIX Firewall

Hi All,

I am attempting to forward port 80 and port 25 from an IPCop FW connected to Internet via the ADSL router port and my Cisco FW connected in the protected area (Green Zone) of my LAN. A similar diagram of my network is depicted in the Cisco link https://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080093f31.shtml. The only differences are the TCP-IP addresses and the Outside Cloud which is Internet in my case.

I would greatly appreciate an hint or a clue which helps me to fix this issue I have.

Data which may better help you to understand the environment, if you can assist.

Cisco PIX Firewall Version 6.3(3)
Cisco PIX Device Manager Version 3.0(1)  -------> works well if directly connected to the ADSL Router and to Internet. Everything works. Good configuration available in the attachement.

IPCop 1.4.2  ------> works well if directly connected to the ADSL Router and to Internet. I can HTTP from Internet to an a Web Server directly connected to its internat Interface. I.e. 172.16.0.8.

  • Cisco PIX FW alllows all services from the internal network to reach Internet, via the IPCop Green (Internal interface);
  • Traffic like Facebook, Skype, etc. is allowed from/to Internet to my protected zone and vice-versa;
  • Cisco internal network is 194.20.23.X is privately assigned to an other company and used by chance but without problems for years;
  • Cisco external network I/F is 172.16.0.2. It connects to the internal IPCop interface 172.16.0.1 (Green);
  • IPCop external network I/F is 82.70.219.163, which connects to my ADSL Router GW 82.70.219.166.

What exactly doesn't work:

My SMTP, DNS and MAIL server public address is 82.70.219.162. If you ping to this address it responds. However, if you try to telnet to port 25, it doesn't respond. So, I am almost sure there is a rule which prevents the port forwarding to my server 194.20.23.180, which Cisco NAT translates to 82.70.219.162.

Attached:

A working configuration when Cisco is directly connected to Internet;

A non working configuration when Cisco is not directly connected to Internet.  (File Cisco_Config_3001.txt)

Thanks.

Regards

Salvo

Everyone's tags (4)
1 REPLY
Cisco Employee

Re: Port forwarding from IPCop to Cisco PIX Firewall

Hi,

I believe this is the set up which is not working:

194.20.23.180(server)-->(194.20.23.181)PIX(172.16.0.2)-->(172.16.0.1)IP Cop(82.70.219.163)-->(82.70.219.166) ADSL router-->Internet

Following is relevant configuration on PIX:

name 194.20.23.180 linux

name 82.70.219.162 mailgate

ip address outside 172.16.0.2 255.255.255.0

ip address inside 194.20.23.181 255.255.255.0

access-list outside permit tcp any host mailgate eq smtp log

access-list outside permit tcp any host mailgate eq www log

static (inside,outside) tcp mailgate www linux www netmask 255.255.255.255 0 0

static (inside,outside) tcp mailgate smtp linux smtp netmask 255.255.255.255 0 0

route outside mailgate 255.255.255.255 172.16.0.1 1

route inside linux 255.255.255.255 194.20.23.181 1

route outside 0.0.0.0 0.0.0.0 172.16.0.1 1

Since we have a static nat translation for linux with mailgate on PIX, i believe IP Cop is not doing the translation for mailgate IP but since 82.70.219.x subnet is directly connected to IP Cop it will never forward the traffic for 82.70.219.162 to PIX as directly connected network takes precedence over static routes.

Here is an option to get this working with this setup:

Translation on IP Cop:

82.70.219.162-->172.16.0.10(any free IP of this range)

On PIX translation:

172.16.0.10-->194.20.23.180

i.e.

static (inside,outside) tcp 172.16.0.10 smtp 194.20.23.180 smtp netmask 255.255.255.255

static (inside,outside) tcp 172.16.0.10 http 194.20.23.180 http netmask 255.255.255.255

access-list outside permit tcp any host 172.16.0.10 eq smtp log

access-list outside permit tcp any host 172.16.0.10 eq www log

I hope this helps.

Warm Regards,

Sourav Kakkar

sokakkar@cisco.com

2190
Views
0
Helpful
1
Replies
CreatePlease to create content