• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 572
  • Last Modified:

One Public IP to different servers for different protocols Static mapping help

I have a similar situation to this one:

http://www.experts-exchange.com/Security/Firewalls/Q_21310837.html?query=%22static+%28inside%2Coutside%29+tcp+interface+smtp%22&clearTAFilter=true

I have one public ip that I want to use for smtp and http.  The smtp will be directed to a spam filter 172.16.0.23.  The http will go to an OWA server at 172.16.0.21.

I have a PIX 515E - 6.3(3)

I have setup acls and statics as follows, but have had no luck getting this to work.  It looks like all the traffic goes to 172.16.0.23 ( the filter).  I can't seem to get the www and https to direct to the web server.  

I also have other web servers that have their own statics, and this works fine for www/https at 172.16.0.17 and 172.16.0.2.

The public IP I am working with now is xx.xx.xx.54.

access-list 142 permit tcp any host xx.xx.xx.51 eq www
access-list 142 permit tcp any host xx.xx.xx.51 eq https
access-list 142 permit tcp any host xx.xx.xx.52 eq www
access-list 142 permit tcp any host xx.xx.xx.52 eq https
access-list 142 permit tcp any interface outside eq smtp
access-list 142 permit tcp any interface outside eq www
access-list 142 permit tcp any interface outside eq https

static (inside,outside) tcp interface smtp 172.16.0.23 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 172.16.0.21 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https 172.16.0.21 https netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.51 172.16.0.2 netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.52 172.16.0.17 netmask 255.255.255.255 0 0
access-group 142 in interface outside

Any help on the commands I need to get this running would be appreciated!
0
jdavidsbs
Asked:
jdavidsbs
3 Solutions
 
JEEGOCommented:
I have done the same thing using similar ACL and STATIC statements
Remove the following statements, since you have a specific Public IP that you are using

access-list 142 permit tcp any interface outside eq smtp
access-list 142 permit tcp any interface outside eq www
access-list 142 permit tcp any interface outside eq https

static (inside,outside) tcp interface smtp 172.16.0.23 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 172.16.0.21 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https 172.16.0.21 https netmask 255.255.255.255 0 0


Enter the following statements:

access-list 142 permit tcp any host xx.xx.xx.54 outside eq smtp
access-list 142 permit tcp any host xx.xx.xx.54 eq www
access-list 142 permit tcp any host xx.xx.xx.54 eq https

static (inside,outside) tcp xx.xx.xx.54 smtp 172.16.0.23 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp xx.xx.xx.54 www 172.16.0.21 www netmask 255.255.255.255 0 0
static (inside,outside) tcp xx.xx.xx.54  https 172.16.0.21 https netmask 255.255.255.255 0 0

clear xlate

If it works, then
wr mem

Thanks

JEEGO(AL) - in the spirit of the World Cup

0
 
lrmooreCommented:
>6.3(3)
This is a buggy version. Suggest updating to 6.3(5)
Your configuration should work using 'interface' keyword
Did you run "clear xlate" ?
0
 
Keith AlabasterCommented:
access-list 142 permit tcp any host xx.xx.xx.54 outside eq smtp   <<< Don't need the word Outside here

Don't forget to reapply the access-group statement
access-group 142 in interface outside

0
 The Evil-ution of Network Security Threats

What are the hacks that forever changed the security industry? To answer that question, we created an exciting new eBook that takes you on a trip through hacking history. It explores the top hacks from the 80s to 2010s, why they mattered, and how the security industry responded.

 
Keith AlabasterCommented:
May need to add the following also if you are you additional IP addresses on the outside.

no sysopt noproxyarp outside
0
 
jdavidsbsAuthor Commented:
That looks like it worked, JEEGO.  I will double check tomorrow and award points then.

I had originally tried this setup, but it wasn't working that way... I think all I forgot was the clear xlate... ;(

ah well.....

0
 
jdavidsbsAuthor Commented:
lrmoore,
Thanks for the heads up on the version update.  I am planning to update this weekend.  This would explain a couple other wierd issues that I've had on this pix.  
The setup with the interface commands didn't work completely,  it wouldn't direct the web traffic to the right server.   I may try this if I have time after the update.

Thanks for the tips, Keith
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now