Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Port translation question

Hi,

I'm trying to set PAT for an SMTP server which I'm told only can only run on the standard port 25 on the server, however as this is blocked by many ISPs, I've been asked to set up a translation on the firewall (PIX 525 running software v 8.04) for traffic coming in towards the server on port 225 to 25 which is fine and I'm able to do this however it also needs to accept connections on 25 still also which is where I'm running into problems.

A static translation such as the following stops port 25 being reachable directly because the pix is translating the source port to 225 for return traffic, so although it is reachable on port 225 its not reachable on 25 because of this command.

static (inside,outside) tcp 217.*.1.43 225 217.*.1.43 smtp netmask 255.255.255.255

Any advise on how to PAT but also not PAT would be appreciated.

thanks

Chris

4 REPLIES

Re: Port translation question

Hi,

As you mentioned this is not going to work, because when the PIX receives the reply back
from port 25 it knows it should send it out using port 225.


If you add another statement for example:

static (inside,outside) tcp 217.*.1.43 smtp 217.*.1.43 smtp netmask 255.255.255.255

Then, the PIX will not know when returning the traffic from port 25 to which port to send it.
Port 225 or port 25?

The alternatives are not to use PAT, but use a regular static NAT (if posssible):

static (inside,outside) 217.*.1.43 217.*.1.43 netmask 255.255.255.255

Or make the server listen itself on port 225 as well, so you can have on the PIX:

static (inside,outside) tcp 217.*.1.43 225 217.*.1.43 225 netmask 255.255.255.255
static (inside,outside) tcp 217.*.1.43 smtp 217.*.1.43 smtp netmask 255.255.255.255

Federico.

New Member

Re: Port translation question

Hi,

Ok, so there is no real way of doing this then on the firewall? with the

real and another port on the outside mapped to the real port on the inside.

thanks

Chris

On Tue, Mar 16, 2010 at 1:13 AM, coto.fusionet <

Cisco Employee

Re: Port translation question

Hello,

If you want to allow both ports 225 and 25 to be open at the same time for the server, the best way is to use simple static translation rule:

static(in,out)   netmask 255.255.255.255

And now if you wish to restrict access to server only on the above mentioned ports, you can make use of extended ACLs with port numbers (25 and 225)

HTH

Vijaya

New Member

Re: Port translation question

Hi,

Thanks but the server only has smtp running on port 25, but I was

trying to allow connections on 25 to get through untranslated, while

connections coming in to port 225 to be translated to port 25 at the

same time.

Regards

Chris Gray

On 16 Mar 2010, at 05:22, vijayalaxmi1

172
Views
0
Helpful
4
Replies
CreatePlease to create content