
Port redirect to internal host 1


snootalope

IS-IT--Management
Jun 28, 2001
1,706
US
Hi guys..

This might sound crazy.. it might not..

I have an Exchange server on my internal network here, but I've built a SPAM machine to help us get rid of the damn advertisements.. My problem is, I need to redirect port 25 from the firewall to go to my 10.10.1.16 machine and then on over to my .90. Well, currently, if I change the static mapping that is currently pointing to .90 to .16 the mail works, but the internet does not!! I can't find where or how or why it's doing that.. (if there is an easy fix to this, tell me please) So, I'd like to know if I could redirect port 25 to go to .16 without affecting the .90's DNS flow or any other service for that matter..

I'm running PIX 515 with software version 6.3.1 *newest*

My current setup:

nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 2XX.X.X.X 10.10.1.90 netmask 255.255.255.255 0 0
static (inside,outside) 2XX.X.X.X 10.10.1.10 netmask 255.255.255.255 0 0
static (inside,outside) 2XX.X.X.X 10.10.1.91 netmask 255.255.255.255 0 0
conduit permit icmp any any
conduit permit tcp host 2XX.X.X.X eq smtp any (EXCHANGE PC)
conduit permit tcp host 2XX.X.X.X eq 1494 any
conduit permit udp host 2XX.X.X.X eq 1604 any
conduit permit tcp host 2XX.X.X.X eq 1352 any
conduit permit tcp host 2XX.X.X.X eq

"tis better to remain silent and be thought of as a fool..
then open your mouth and remove all doubt" Mark Twain

"I should of been a doctor.." Me
 
The static command can now do port redirection. Check out this link:
FYI - I'm doing the exact same thing. I have a single address on the outside network and allow SMTP, HTTP, and HTTPS to this address. HTTP and HTTPS are for webmail on Exchange. SMTP is however redirected to our anti-spam server and then forwarded from there back to Exchange.


Bluecrack

ps - You might consider moving to access-lists. Conduits are only supported for backwards compatibility and will be going away in the future.
 
Thanks man!

Can I configure access-lists in the PDM? I'm looking around for it, but it seems I can only do conduit..

hey, can you post your statics configs on here? I'd like to see how yours are setup.. I'd really really appreciate it!!!

 
I just don't see how I'm going to do PAT with my current config..

I try and add another mapping in there to share that same interface it tells me "it's in use" and bla bla bla..

 
here are my static commands.

static (inside,outside) tcp x.x.x.x 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.x https 10.1.1.1 https netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.x smtp 10.1.1.8 smtp netmask 255.255.255.255 0 0

Yes you can use access-lists in the PDM. I assume you are using PDM 3.0 since you're on the PIX 6.3.1 image. Mine shows up with Access-lists when I click on the "Configuration" button. It's the 1st tab. Perhaps it shows conduit because that's what you have in the configuration. I'm not sure. It's been several years since I switched to access-lists.

Bluecrack
 
Ok..

I'm in configuration, on the the Access Rules tab with the Access Rules radio button selected..

I got 6 rules, and only one applies to smtp.. which is sending it to 10.10.1.90.. the source of that is 'any', well I try adding another mapping to go over that one and I can't seem to add another one.. I right click and hit 'add' and I leave the ip as 0.0.0.0 and it won't let me use that..

But, if I delete that rule of smtp pointing to .90 and create a new one for .16, that shouldn't affect the flow of dns outbound right?? of course not..

So, all I need to do is delete the rule for smtp and recreate it for .16, how do I make it so it allows ANY external host??? then, I think I got it!

 
You will need static rules similar to the following:

static (inside,outside) tcp x.x.x.x 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.x https 10.10.1.90 https netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.x smtp 10.10.1.16 smtp netmask 255.255.255.255 0 0

Your access-list for incoming traffic should be about like this:

access-list inbound permit tcp any host x.x.x.x eq www
access-list inbound permit tcp any host x.x.x.x eq https
access-list inbound permit tcp any host x.x.x.x eq smtp

Outgoing traffic is permitted by default. So unless you've changed that no modifications will be needed to the outgoing traffic access-lists.

Remember to run "clear xlate" after changing the "static" commands.

Bluecrack
 
damn.. it's not working..

I try and EDIT the rule..

from:
permit smtp outside to 10.10.1.90
to:
permit smtp outside to 10.10.1.16

and it says.. 10.10.1.16 does not have a static path.. hit ADD to make it one.. well I can't even do that!

What am I doing wrong?

 
I would recommend doing this from the command-line. Telnet or SSH to the PIX and try it from the command-line. This will avoid any problems caused by the PDM. If you look at my last post and add it exactly like that where x.x.x.x is the global address on the outside network, it should work with no problems. That's exactly the way it's set up on my PIX.

If you do port address translation, you will have to recreate the statics for 10.10.1.90 and 10.10.1.16. Notice the difference between the two different static statements:

static (inside,outside) tcp 2XX.X.X.X smtp 10.10.1.16 smtp netmask 255.255.255.255 0 0
and
static (inside,outside) 2XX.X.X.X 10.10.1.90 netmask 255.255.255.255 0 0

Bluecrack
 
Ah! Maybe this will help you.. That global IP address is the one in itself.. meaning they're sharing the same one.. so that should still work???

i already asked you that didn't I..

Ok.. I'll try it..

 
Ok.. this is exactly what it says..

This new static rule cannot be configured, as it overlaps with an existing rule: static address traslation for inside 10.10.1.90 using address 2XX.XX.XXX.XXX on interface outside


aarrggg..

 
You must remove the existing static rule first.

no static (inside,outside) 2xx.xx.xx.xx 10.10.1.90
clear xlate
static (inside,outside) tcp 2xx.xx.xx.xx http 10.10.1.90 http netmask 255.255.255.255
static (inside,outside) tcp 2xx.xx.xx.xx smtp 10.10.1.16 smtp netmask 255.255.255.255

If this doesn't work, then I'm stumped. As long as the existing static is removed, you should be able to do Port Address Translation by specifying the above two static commands.

Bluecrack
 
I was afraid you'd say that..

That means I'm gonna be taking down the internet here for a while huh..

hhmm..

I'll give it a try later this evening.. If you think of anything else.. let me know.. I'm gonna go take a break while I still can..

 
At this point, yes you'd lose the internet connection.

I think when I did it, I removed the existing statics (but didn't clear the translation table), added the new statics, and then cleared the translation table. The default translation timeout is 3 hours (I think) so it kept the old static running until I ran clear xlate and it loaded the new one. But if that didn't work for you, then I would plan on doing this after hours.

Bluecrack
 
one more question..

If my internet.. like internal internet goes down when I make that switch.. wouldn't that mean DNS is the problem so it would be port 53 and not http as in

static (inside,outside) tcp 2xx.xx.xx.xx http <- *SHOULDN'T IT BE 53 HERE* 10.10.1.90 http *AND HERE* netmask 255.255.255.255

or is http correct?

 
HI.

An alternate solution is to map the new SPAM filter box to an unused registered IP address, change the MX record in public DNS (ask your ISP for this), and keep the original static statements you had before without the use of port forwarding.

Both "port forwarding" discussed above and the additional IP solution are fine. You can choose whatever best suits you.


Yizhar Hurwitz
 
Hey..

i was reading on Cisco's site, and it said that **FIRST you must add static translations.. so it wouldn't work if I removed that static address!!! RIGHT???

"Before you can set up an access list for a host, set up address translation by using a global or static command."

That's what it says.. so how is going to work if I removed my static commands??

 
Also, this is what you had earlier

no static (inside,outside) 2xx.xx.xx.xx 10.10.1.90
clear xlate
static (inside,outside) tcp 2xx.xx.xx.xx http 10.10.1.90 http netmask 255.255.255.255
static (inside,outside) tcp 2xx.xx.xx.xx smtp 10.10.1.16 smtp netmask 255.255.255.255


that 2xx.xx.xx.xx is the same exact address in both lines.. that mapping to address to the same static address.. that won't work will it?

 
Yes those two lines will work. The reason is that you are removing the static NAT translations and adding a PAT translation. Instead of mapping each local (internal) IP/host to a separate global IP, you will be mapping multiple local IP addresses to a single external global address. The PIX 6.x code allows this.

Notice the inclusion of the keyword "tcp" after the interfaces are specified and the inclusion of ports (https or smtp) after each IP address.

Bluecrack
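As an added illustration (not the thread's or Cisco's own code), a small Python check for the overlap the PDM complained about and the remove / clear xlate / add order Bluecrack gives above and in his earlier post: it parses the two PIX 6.x static forms seen in this thread, flags a one-to-one static on a global address as overlapping any port static for that same address (and two port statics for the same protocol/port), and emits the ordered commands. The TEST-NET addresses are constructed placeholders for the masked 2xx.xx.xx.xx, and the parser only covers the forms shown here.

```python
from dataclasses import dataclass
from typing import List, Optional

# Port names the PIX accepts interchangeably, normalised so "www" and "http" compare equal.
PORT_ALIAS = {"www": "80", "http": "80", "https": "443", "smtp": "25"}
# Constructed sample (TEST-NET addresses stand in for the thread's masked 2xx.xx.xx.xx):
# the poster's one-to-one statics and the two port statics Bluecrack recommends.
EXISTING = ["static (inside,outside) 203.0.113.5 10.10.1.90 netmask 255.255.255.255 0 0",
            "static (inside,outside) 203.0.113.6 10.10.1.10 netmask 255.255.255.255 0 0"]
WANTED = ["static (inside,outside) tcp 203.0.113.5 http 10.10.1.90 http netmask 255.255.255.255",
          "static (inside,outside) tcp 203.0.113.5 smtp 10.10.1.16 smtp netmask 255.255.255.255"]

@dataclass
class Static:
    proto: Optional[str]  # None = one-to-one static NAT; "tcp"/"udp" = static PAT
    gip: str              # global (outside) address
    gport: Optional[str]  # normalised global port, None for one-to-one
    lip: str              # local (inside) address
    line: str

def parse_static(line: str) -> Optional[Static]:
    """Parse the two PIX 6.x static forms seen in the thread; None for anything else."""
    tok = line.split()
    if len(tok) < 5 or tok[0] != "static" or "netmask" not in tok:
        return None
    body = tok[2:tok.index("netmask")]
    if len(body) == 5 and body[0] in ("tcp", "udp"):
        return Static(body[0], body[1], PORT_ALIAS.get(body[2], body[2]), body[3], line)
    return Static(None, body[0], None, body[1], line) if len(body) == 2 else None

def conflicts(a: Static, b: Static) -> bool:
    """True when the PIX rejects one because of the other: same global address with a
    one-to-one static on either side, or the same protocol/port already mapped."""
    if a.gip != b.gip:
        return False
    return a.proto is None or b.proto is None or (a.proto, a.gport) == (b.proto, b.gport)

def migration_plan(existing: List[str], wanted: List[str]) -> List[str]:
    """CLI steps in the order the thread settles on: remove each existing static that
    overlaps a wanted one, clear the translation table, then add the new statics."""
    old = [s for s in map(parse_static, existing) if s]
    new = [s for s in map(parse_static, wanted) if s]
    for i, n in enumerate(new):
        if any(conflicts(n, m) for m in new[i + 1:]):
            raise ValueError(f"wanted statics overlap each other: {n.line}")
    remove = [o for o in old if any(conflicts(o, n) for n in new)]
    # one-to-one statics use the short "no static" form from the thread; port statics negate the full line
    plan = [f"no {o.line}" if o.proto else f"no static {o.line.split()[1]} {o.gip} {o.lip}"
            for o in remove]
    return plan + ["clear xlate"] + [n.line for n in new]
```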
 
IT @#%&*#@# WORKED!!! WHOO-HOO!!!

Bluecrack.. where do you live cause I owe ya a beer buddy!!! thank you so much!!

 