Static translation with Port redirection - (Still facing issues)

kev_jacob
Level 1

Hi,

Please find previous conversations mentioned right below. My current situation is as follows:

Actually when I really tried this out today it didn't work!

For example:

This is the current config:

static (intf3,intf2) tcp x.x.x.1 a.a.a.1 (To ISA)

static (inside, intf2) tcp x.x.x.2 b.b.b.1 (To Exchange)

The requirement is to pass x.x.x.2 also through the ISA (i.e. a.a.a.1).

I did the following:

static (intf3,intf2) tcp x.x.x.1 80 a.a.a.1 80

static (intf3,intf2) tcp x.x.x.1 8080 a.a.a.1 8080

static (intf3,intf2) tcp x.x.x.2 25 a.a.a.1 25

static (intf3,intf2) tcp x.x.x.2 110 a.a.a.1 110

static (intf3,intf2) tcp x.x.x.2 443 a.a.a.1 443

access-list acl_intf2 permit tcp any host x.x.x.1 eq 80

access-list acl_intf2 permit tcp any host x.x.x.1 eq 8080

access-list acl_intf2 permit tcp any host x.x.x.2 eq 25

access-list acl_intf2 permit tcp any host x.x.x.2 eq 110

access-list acl_intf2 permit tcp any host x.x.x.2 eq 443

access-group acl_intf2 in interface intf2

Finally I did a clear xlate.

My Internet & mails stopped working. When I reverted it back it was Okay.

I continued the test by doing only the following:

static (intf3,intf2) tcp x.x.x.1 80 a.a.a.1 80

static (intf3,intf2) tcp x.x.x.1 8080 a.a.a.1 8080

static (inside, intf2) tcp x.x.x.2 b.b.b.1 (To Exchange)

Now mails were working but Internet was still not working.

I tried vice versa, like the following:

static (intf3,intf2) tcp x.x.x.1 a.a.a.1 (To ISA)

static (intf3,intf2) tcp x.x.x.2 25 b.b.b.1 25

static (intf3,intf2) tcp x.x.x.2 110 b.b.b.1 110

static (intf3,intf2) tcp x.x.x.2 443 b.b.b.1 443

Now, Internet was fine but Mails were not working.

Any solution?

a.a.a.1=ISA server

b.b.b.1=Front end exchange

x.x.x.1= ISA virtual ip

x.x.x.2= Exchange Virtual ip

All requests to x.x.x.1 & x.x.x.2 are from an MPLS cloud. An ISA server & Exchange server at the MPLS server location forward all HTTP & SMTP traffic to x.x.x.1 & x.x.x.2.

Thanks Kevin

PREVIOUS CONVERSATIONS

======================

Posted by: kev_jacob - Dec 6, 2005, 8:47pm PST

Hi,

I have a scenario in which two public IPs (one with HTTP requests & the other with SMTP/SSL requests for OWA) need to be translated onto a single inside ISA server IP in the DMZ. Please suggest which is the best practice. I know that we cannot do a one-to-one NAT because two IPs cannot translate into one. Is using static translation with port redirection the best practice to access the ISA server for OWA? Is it the best security that can be applied at this moment? I will redirect only requests for ports 80, 8080, 25, 443, 110. I will also create an access-list to permit only these ports.

I need to recommend this to a customer. Please advise.

Thanks

Kevin

Replied by: gfullage - CISCO SYSTEMS, CCIE - Dec 6, 2005, 9:12pm PST

Port redirection is the best way to go here. As you're already aware you can't enter a static for two outside IPs pointing to one inside (or vice versa), but statically mapping just the ports will be fine. Similarly, just allow those ports in on your inbound ACL and you'll be good to go.

You'll want something like the following:

static (inside,outside) tcp x.x.x.1 80 a.a.a.1 80

static (inside,outside) tcp x.x.x.1 8080 a.a.a.1 8080

static (inside,outside) tcp x.x.x.2 25 a.a.a.1 25

static (inside,outside) tcp x.x.x.2 110 a.a.a.1 110

static (inside,outside) tcp x.x.x.2 443 a.a.a.1 443

access-list inbound permit tcp any host x.x.x.1 eq 80

access-list inbound permit tcp any host x.x.x.1 eq 8080

access-list inbound permit tcp any host x.x.x.2 eq 25

access-list inbound permit tcp any host x.x.x.2 eq 110

access-list inbound permit tcp any host x.x.x.2 eq 443

access-group inbound in interface outside

where x.x.x.[1|2] are your public IPs, and a.a.a.1 is your inside server.


jackko
Level 7

Please provide a simple network diagram.

Hi,

I have attached a simple diagram.

Thanks

Kevin

Any solution?

Hi Kevin

I have gone through your post and the solution which has been mentioned is fine for the scenario when people are accessing from outside.

But when you mentioned Internet and Mail are not working, are we talking about access from host a.a.a.1 to outside (MPLS) when sending mails or accessing the Internet? The host a.a.a.1 will not be able to send mails or access the Internet since there is no translation group for this host.

For example, when a.a.a.1 is trying to send HTTP, it will go from Src. IP a.a.a.1 Src Port (XXXX, any random port) to outside IP (Port 80), but there won't be any translation group to handle this. If this is the problem, and to verify this, run debug and see if you get the "no translation group found" message; in that case you need to handle outgoing traffic from this host through nat.

Hi Prasad (My Trainer)

Good to see you on the net forum.

Anyway, I haven't checked for "no translation group found" yet because the network is live and the customer may not give me the downtime to try the same test again, at least until the end of the week.

However, I have understood that a static translation applies both ways (i.e. outside to inside & vice versa). Do we still need to add another separate NAT command to make this work? The PIX version is 6.3(1). Could that be a problem?

a.a.a.1 is a proxy server and all Internet traffic goes out through port 8080 to outside port 80.

So, I tried this translation too:

static(intf3, intf2) tcp x.x.x.1 80 a.a.a.1 8080

There was no difference. It still was not working.

Are you saying that I need to try something like this:

nat(intf3) 10 a.a.a.1

global(intf2) 10 x.x.x.1

But the current translation is

static(intf3,intf2) x.x.x.1 a.a.a.1, and everything is working fine.

I just wanted to use port redirection so that I can use the same IP to translate the SMTP also. Right now SMTP is using another IP, x.x.x.2 (out) & b.b.b.1 (in).

For a quick solution I have decided to ask the other body to forward all SMTP traffic also to x.x.x.1 instead of x.x.x.2. In this case there would not be any problem because I just need one one-to-one NAT translation for both HTTP & SMTP.

I would be happy if I could still implement it using port redirection from our end without getting the other body involved.

Anything else that you would like to advise, Prasad?

Thanks & regards

Kevin
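An added example, not code from the thread or from Cisco: a small audit script that cross-checks the port-redirection design gfullage gave (every port static should have exactly one matching inbound ACL line, and the ACL should permit nothing else) and flags the condition Prasad diagnosed (an inside host that appears only in port statics has no translation for connections it opens itself). The sample config is constructed from the thread's placeholder addresses; interface names, IPs and the `audit` function are assumptions of this example.

```python
import re

# Constructed PIX 6.3 fragment mirroring the thread's port-redirection attempt:
# port statics plus a matching inbound ACL, but no full static or nat/global for
# a.a.a.1, so that host has no xlate for connections it opens itself.
SAMPLE_CONFIG = """
static (intf3,intf2) tcp x.x.x.1 80 a.a.a.1 80
static (intf3,intf2) tcp x.x.x.1 8080 a.a.a.1 8080
static (intf3,intf2) tcp x.x.x.2 25 a.a.a.1 25
static (intf3,intf2) tcp x.x.x.2 110 a.a.a.1 110
static (intf3,intf2) tcp x.x.x.2 443 a.a.a.1 443
access-list acl_intf2 permit tcp any host x.x.x.1 eq 80
access-list acl_intf2 permit tcp any host x.x.x.1 eq 8080
access-list acl_intf2 permit tcp any host x.x.x.2 eq 25
access-list acl_intf2 permit tcp any host x.x.x.2 eq 110
access-list acl_intf2 permit tcp any host x.x.x.2 eq 443
access-group acl_intf2 in interface intf2
"""

# static (in,out) tcp|udp <global_ip> <global_port> <local_ip> <local_port>
STATIC_PORT = re.compile(r"^static\s*\(\w+,\s*\w+\)\s+(tcp|udp)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\d+)")
# static (in,out) <global_ip> <local_ip> [netmask ...]  (one-to-one, translates both directions)
STATIC_FULL = re.compile(r"^static\s*\(\w+,\s*\w+\)\s+(?!tcp\b|udp\b)(\S+)\s+(\S+)")
# nat (in) <id> <local_ip|network> ...  (paired with a global on the outside interface)
NAT_RULE = re.compile(r"^nat\s*\(\w+\)\s+\d+\s+(\S+)")
ACL_LINE = re.compile(r"^access-list\s+\S+\s+permit\s+(tcp|udp)\s+\S+\s+host\s+(\S+)\s+eq\s+(\d+)")

def audit(config_text):
    """Cross-check port statics against the inbound ACL and outbound translation."""
    statics, acl, inside_hosts, outbound_ok = set(), set(), set(), set()
    for line in (ln.strip() for ln in config_text.splitlines()):
        if m := STATIC_PORT.match(line):
            proto, gip, gport, lip, _ = m.groups()
            statics.add((proto, gip, int(gport)))   # ACL on PIX 6.x sees the global address/port
            inside_hosts.add(lip)
        elif m := STATIC_FULL.match(line):
            outbound_ok.add(m.group(2))
        elif (m := NAT_RULE.match(line)) and m.group(1) != "access-list":
            outbound_ok.add(m.group(1))
        elif m := ACL_LINE.match(line):
            proto, ip, port = m.groups()
            acl.add((proto, ip, int(port)))
    return {
        "acl_without_static": sorted(acl - statics),    # permitted, never translated: needless hole
        "static_without_acl": sorted(statics - acl),    # translated, never permitted: unreachable
        "hosts_without_outbound_xlate": sorted(inside_hosts - outbound_ok),  # Prasad's case
    }

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

Adding a `nat`/`global` pair (or keeping a one-to-one static) for a.a.a.1 clears the last finding; an extra ACL line for a port with no static shows up in the first.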