PIX 501 Multiple Outside Ports to Single Inside Port

Posted by Paul Smedshammer on May 1, 2008, 8:15 pm
PIX 501 Multiple Outside Ports to Single Inside Port.

I'm trying to fix our remote e-mail folks. I have no problem forwarding a
single port from the outside to the inside. So, say, outside port 25 is
forwarded to our internal e-mail server on port 25.

What I'm trying to do is forward two outside ports, 25 and 587, to our
inside server listening on port 25. Is this possible with a PIX 501?

We are currently using:

static (inside,outside) tcp interface smtp 10.0.0.2 smtp netmask
255.255.255.255 0 0

If I add another line, say:

static (inside,outside) tcp interface 587 10.0.0.2 smtp netmask
255.255.255.255 0 0

I get an error about overlapping. This has to be possible; I'm just going
about it wrong. I have scoured the web and I can see how it can be done in
a Linux environment with iptables, but I have not found a reference on doing
this in a Cisco PIX.

Posted by flamer die.spam@hotmail.com on May 1, 2008, 9:20 pm
try this:

object-group service MyMail tcp
port-object eq smtp
port-object eq 587
exit

static (inside,outside) tcp interface MyMail 10.0.0.2 smtp netmask
255.255.255.255 0 0


I haven't got anything here to test it with, but it should put you on the
right track at least. Now, if the port-forward command doesn't like the
service name in there, you just need to use an access-list in your nat
statement instead. Lots of examples on cisco.com.

Flamer.



Posted by Brian V on May 1, 2008, 10:08 pm

> PIX 501 Multiple Outside Ports to Single Inside Port.
>
> I'm trying to fix our remote e-mail folks. I have no problem forwarding a
> single port from the outside to the inside. So say Outside port 25 is
> forwarded to our internal e-mail server on port 25.
>
> What I'm trying to do is forward two outside port 25 and port 587 to our
> inside server listening on port 25. Is this possible with a PIX 501?
>
> We are currently using:
>
> static (inside,outside) tcp interface smtp 10.0.0.2 smtp netmask
> 255.255.255.255 0 0
>
> if I add another line in say:
>
> static (inside,outside) tcp interface 587 10.0.0.2 smtp netmask
> 255.255.255.255 0 0
>
> I get an error about overlapping. This has to be possible, I'm just going
> about it wrong. I have scoured the web and I can see how it can be done in
> a Linux environment with IP Tables, but I have not found a reference to do
> this in a CISCO PIX.

No, you cannot do that. While logically it would work inbound, it would break
going out. How would the SMTP packet know which port to PAT to on the way
out? This is the same reason why you cannot have multiple publics NAT'd to a
single private.


Posted by Paul Smedshammer on May 2, 2008, 12:05 am

>> PIX 501 Multiple Outside Ports to Single Inside Port.
>> What I'm trying to do is forward two outside port 25 and port 587 to
>> our inside server listening on port 25. Is this possible with a PIX
>> 501?
>> We are currently using:
>>
>> static (inside,outside) tcp interface smtp 10.0.0.2 smtp netmask
>> 255.255.255.255 0 0
>>
>> if I add another line in say:
>>
>> static (inside,outside) tcp interface 587 10.0.0.2 smtp netmask
>> 255.255.255.255 0 0
>>
>> I get an error about overlapping. This has to be possible, I'm just
>> going about it wrong. I have scoured the web and I can see how it
>> can be done in a Linux environment with IP Tables, but I have not
>> found a reference to do this in a CISCO PIX.
>
> No, you cannot do that. While logically it would work inbound, it would
> break going out. How would the SMTP packet know which port to PAT to
> on the way out? This is the same reason why you cannot have multiple
> publics NAT'd to a single private.
>

I was worried about that. So, this is really something I can't do. I
need to find another way: have our e-mail server listen on two
different ports and then forward both those ports from the PIX. Thanks;
I have been beating my head against this for a while and was thinking that
maybe it couldn't be done.

Posted by Morph on May 2, 2008, 4:21 am
Paul Smedshammer wrote:

|
| >> PIX 501 Multiple Outside Ports to Single Inside Port.
| >> What I'm trying to do is forward two outside port 25 and port 587 to
| >> our inside server listening on port 25. Is this possible with a PIX
| >> 501?
| >> We are currently using:
| >>
| >> static (inside,outside) tcp interface smtp 10.0.0.2 smtp netmask
| >> 255.255.255.255 0 0
| >>
| >> if I add another line in say:
| >>
| >> static (inside,outside) tcp interface 587 10.0.0.2 smtp netmask
| >> 255.255.255.255 0 0
| >>
| >> I get an error about overlapping. This has to be possible, I'm just
| >> going about it wrong. I have scoured the web and I can see how it
| >> can be done in a Linux environment with IP Tables, but I have not
| >> found a reference to do this in a CISCO PIX.
| >
| > No, you cannot do that. While logically it would work inbound, it would
| > break going out. How would the SMTP packet know which port to PAT to
| > on the way out? This is the same reason why you cannot have multiple
| > publics NAT'd to a single private.
| >
|
| I was worried about that. So, this is really something I can't do. I
| need to find another way to have our e-mail server listen on two
| different ports and then forward both those ports from the PIX. Thanks,
| I have been beating my head at this for a while and was thinking that
| maybe it can't be done.

How about putting a second IP address on your server and then setting it to
listen on that address using the second port you need? Then you won't
have a problem forwarding the port on the PIX, since you will be
forwarding the port to another address.

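The reason Brian V gives for the "overlapping" error, and why both Paul's plan (the server listening on a second port) and Morph's plan (a second address on the server) get around it, can be shown with a small model of a static PAT table. The code below is an added example for this thread, not PIX software and not the PIX implementation; it assumes constructed addresses (203.0.113.1 standing in for the outside `interface` address, 10.0.0.2 and 10.0.0.3 as inside hosts) and a simplified rule that each inside ip:port may be the target of only one static, which is enough to reproduce the behaviour the thread describes.

```python
"""Model of a static PAT (port-forward) table.

Added example for this thread, not PIX code. It shows why two outside
ports cannot both translate to one inside ip:port: the inbound lookup
would be fine, but the return-traffic lookup (inside ip:port -> outside
ip:port) would have two candidates, so the second static is refused.
"""
from dataclasses import dataclass, field

# Constructed addresses for the example; "interface" on a PIX means the
# outside interface's own address, represented here by 203.0.113.1.
OUTSIDE = "203.0.113.1"
MAIL_SERVER = "10.0.0.2"
MAIL_SERVER_SECOND_ADDR = "10.0.0.3"


class OverlapError(ValueError):
    """Raised when a new static would make a translation ambiguous."""


@dataclass
class StaticPatTable:
    # (outside_ip, outside_port) -> (inside_ip, inside_port): inbound packets
    inbound: dict = field(default_factory=dict)
    # (inside_ip, inside_port) -> (outside_ip, outside_port): return traffic
    outbound: dict = field(default_factory=dict)

    def add_static(self, outside_ip, outside_port, inside_ip, inside_port):
        """Equivalent of one 'static (inside,outside) tcp ...' line."""
        out_key = (outside_ip, outside_port)
        in_key = (inside_ip, inside_port)
        if out_key in self.inbound:
            raise OverlapError(f"outside {out_key} is already translated")
        if in_key in self.outbound:
            # Brian V's point: a reply leaving inside port 25 could be
            # rewritten to either outside port, so the mapping is ambiguous
            # and the table refuses it (the PIX reports an overlap).
            raise OverlapError(
                f"inside {in_key} already maps to {self.outbound[in_key]}"
            )
        self.inbound[out_key] = in_key
        self.outbound[in_key] = out_key

    def translate_inbound(self, dst_ip, dst_port):
        """Where does a packet arriving on the outside get sent?"""
        return self.inbound.get((dst_ip, dst_port))

    def translate_outbound(self, src_ip, src_port):
        """What outside source does a reply from the inside get?"""
        return self.outbound.get((src_ip, src_port))


def original_attempt():
    """Paul's two statics: both outside ports to 10.0.0.2:25.

    Returns the overlap message, or None if the second static were accepted.
    """
    table = StaticPatTable()
    table.add_static(OUTSIDE, 25, MAIL_SERVER, 25)
    try:
        table.add_static(OUTSIDE, 587, MAIL_SERVER, 25)
    except OverlapError as exc:
        return str(exc)
    return None


def two_listening_ports():
    """Paul's conclusion: the server listens on 25 and 587, one static each."""
    table = StaticPatTable()
    table.add_static(OUTSIDE, 25, MAIL_SERVER, 25)
    table.add_static(OUTSIDE, 587, MAIL_SERVER, 587)
    return table


def second_address():
    """Morph's suggestion: the second port is served on a second address."""
    table = StaticPatTable()
    table.add_static(OUTSIDE, 25, MAIL_SERVER, 25)
    table.add_static(OUTSIDE, 587, MAIL_SERVER_SECOND_ADDR, 587)
    return table


if __name__ == "__main__":
    print("original attempt:", original_attempt())
    for name, table in (("two ports", two_listening_ports()),
                        ("second address", second_address())):
        for port in (25, 587):
            inside = table.translate_inbound(OUTSIDE, port)
            back = table.translate_outbound(*inside)
            print(f"{name}: outside {port} -> {inside} -> reply from {back}")
```

Both workarounds produce a table in which every inside ip:port maps back to exactly one outside ip:port, which is what the reverse translation needs; in Morph's variant the second static points at the new address, so the existing `static ... smtp 10.0.0.2 smtp` line stays untouched.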