Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
289
Views
0
Helpful
4
Replies

Port redirection to another subnet

sblayney
Level 1
Level 1

‎09-05-2003 12:18 PM - edited ‎03-09-2019 04:41 AM

I am having a problem with incoming port redirection. I have allowed Lotus Notes traffic to a server which resides on a different subnet than the PIX, but I can't connect to it. I set up port redirection to another server that is on the same subnet as the PIX with no problems. Is there something that I need to do, other than setting up routes, to make it work?

Labels:
0 Helpful
4 Replies 4

bdube
Level 2
Level 2

‎09-05-2003 12:50 PM

Just check if you have a "route" statement who targets to this subnet.

Ben

0 Helpful

sblayney
Level 1
Level 1
In response to bdube

‎09-08-2003 07:27 AM

There is a route to this subnet. As I mentioned, there are 2 allowed inbound connections but only the one to the local subnet works. I'll include the relevant lines below:

ip address outside xxx.xxx.xxx.xxx 255.255.255.252

ip address inside 192.168.6.242 255.255.255.0

global (outside) 1 interface

access-list acl_out permit tcp any host xxx.xxx.xxx.xxx eq lotusnotes

access-list acl_out permit tcp any host xxx.xxx.xxx.xxx eq https

access-group acl_out in interface outside

static (inside,outside) tcp interface lotusnotes 192.168.4.158 lotusnotes netmask 255.255.255.255 0 0

static (inside,outside) tcp interface https 192.168.6.240 10000 netmask 255.255.255.255 0 0

route inside 192.168.4.0 255.255.255.0 192.168.6.150 2

0 Helpful

bdube
Level 2
Level 2
In response to sblayney

‎09-08-2003 06:09 PM

Scott,

I don't think the problem is about the route but just to be sure, you can try:

- route inside 192.168.4.0 255.255.255.0 192.168.6.150 1

or

- route inside 192.168.4.0 255.255.255.0 192.168.6.242 1

The second route statement will force the PIX to send an ARP0 locally to find the destination on the first inside subnet. The router, if it's a Cisco one, should respond to this ARP (Proxy ARP feature), then the PIX will send packets to the right place.

If those variants of route don't work, you will have to enter in logging mode, debug level, to see what's happen.

Hope this help!

Ben

Quebec

0 Helpful

sblayney
Level 1
Level 1
In response to bdube

‎09-16-2003 07:58 AM

I tried both of these options with no success. When I tried looking at the debugging information there is nothing showing up except traffic from the 192.168.6.0 network.

Something else that has emerged is that no other network except the one the PIX is on (inside) can directly access the internet. They can ping the PIX and access PDM, but not the internet. On the 192.168.6.0 network I can use WS_FTP with the firewall option configured to access external sites, but not from any other subnet.

One thing to note is that the PIX is not our default gateway. We use a proxy (Squid) to access the internet. Because the proxy was placed on the 192.168.6.0 network, I had't noticed the problem.

0 Helpful
Customers Also Viewed These Support Documents