Solved

One Public IP to different servers for different protocols  Static mapping help

Posted on 2006-07-11
6
559 Views
Last Modified: 2012-06-27
I have a similar situation to this one:

http://www.experts-exchange.com/Security/Firewalls/Q_21310837.html?query=%22static+%28inside%2Coutside%29+tcp+interface+smtp%22&clearTAFilter=true

I have one public ip that I want to use for smtp and http.  The smtp will be directed to a spam filter 172.16.0.23.  The http will go to an OWA server at 172.16.0.21.

I have a PIX 515E - 6.3(3)

I have setup acls and statics as follows, but have had no luck getting this to work.  It looks like all the traffic goes to 172.16.0.23 ( the filter).  I can't seem to get the www and https to direct to the web server.  

I also have other web servers that have their own statics, and this works fine for www/https at 172.16.0.17 and 172.16.0.2.

The public IP I am working with now is xx.xx.xx.54.

access-list 142 permit tcp any host xx.xx.xx.51 eq www
access-list 142 permit tcp any host xx.xx.xx.51 eq https
access-list 142 permit tcp any host xx.xx.xx.52 eq www
access-list 142 permit tcp any host xx.xx.xx.52 eq https
access-list 142 permit tcp any interface outside eq smtp
access-list 142 permit tcp any interface outside eq www
access-list 142 permit tcp any interface outside eq https

static (inside,outside) tcp interface smtp 172.16.0.23 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 172.16.0.21 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https 172.16.0.21 https netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.51 172.16.0.2 netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.52 172.16.0.17 netmask 255.255.255.255 0 0
access-group 142 in interface outside

Any help on the commands I need to get this running would be appreciated!
0
Comment
Question by:jdavidsbs
6 Comments
 
LVL 1

Accepted Solution

by:
JEEGO earned 350 total points
ID: 17085108
I have done the same thing using similar ACL and STATIC statements
Remove the following statements, since you have a specific Public IP that you are using

access-list 142 permit tcp any interface outside eq smtp
access-list 142 permit tcp any interface outside eq www
access-list 142 permit tcp any interface outside eq https

static (inside,outside) tcp interface smtp 172.16.0.23 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 172.16.0.21 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https 172.16.0.21 https netmask 255.255.255.255 0 0


Enter the following statements:

access-list 142 permit tcp any host xx.xx.xx.54 outside eq smtp
access-list 142 permit tcp any host xx.xx.xx.54 eq www
access-list 142 permit tcp any host xx.xx.xx.54 eq https

static (inside,outside) tcp xx.xx.xx.54 smtp 172.16.0.23 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp xx.xx.xx.54 www 172.16.0.21 www netmask 255.255.255.255 0 0
static (inside,outside) tcp xx.xx.xx.54  https 172.16.0.21 https netmask 255.255.255.255 0 0

clear xlate

If it works, then
wr mem

Thanks

JEEGO(AL) - in the spirit of the World Cup

0
 
LVL 79

Assisted Solution

by:lrmoore
lrmoore earned 100 total points
ID: 17085312
>6.3(3)
This is a buggy version. Suggest updating to 6.3(5)
Your configuration should work using 'interface' keyword
Did you run "clear xlate" ?
0
 
LVL 51

Assisted Solution

by:Keith Alabaster
Keith Alabaster earned 50 total points
ID: 17085325
access-list 142 permit tcp any host xx.xx.xx.54 outside eq smtp   <<< Don't need the word Outside here

Don't forget to reapply the access-group statement
access-group 142 in interface outside

0
Register Today - IoT Current and Future Threats

Are you prepared to protect your organization from current and future IoT Threats?  Join our Wi-Fi expert in episode three of our webinar series for a look at the current state of Wi-Fi IoT and what may lie ahead. Register for our live webinar on April 20th at 9 am PDT!

 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 17085341
May need to add the following also if you are you additional IP addresses on the outside.

no sysopt noproxyarp outside
0
 

Author Comment

by:jdavidsbs
ID: 17085345
That looks like it worked, JEEGO.  I will double check tomorrow and award points then.

I had originally tried this setup, but it wasn't working that way... I think all I forgot was the clear xlate... ;(

ah well.....

0
 

Author Comment

by:jdavidsbs
ID: 17090959
lrmoore,
Thanks for the heads up on the version update.  I am planning to update this weekend.  This would explain a couple other wierd issues that I've had on this pix.  
The setup with the interface commands didn't work completely,  it wouldn't direct the web traffic to the right server.   I may try this if I have time after the update.

Thanks for the tips, Keith
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Do you have a windows based Checkpoint SmartCenter for centralized Checkpoint management?  Have you ever backed up the firewall policy residing on the SmartCenter?  If you have then you know the hassles of connecting to the server, doing an upgrade_…
To setup a SonicWALL for policy based routing to be used with the Websense Content Gateway there are several steps that need to be completed. Below is a rough guide for accomplishing this. One thing of note is this guide is intended to assist in the…
Although Jacob Bernoulli (1654-1705) has been credited as the creator of "Binomial Distribution Table", Gottfried Leibniz (1646-1716) did his dissertation on the subject in 1666; Leibniz you may recall is the co-inventor of "Calculus" and beat Isaac…
Finds all prime numbers in a range requested and places them in a public primes() array. I've demostrated a template size of 30 (2 * 3 * 5) but larger templates can be built such 210  (2 * 3 * 5 * 7) or 2310  (2 * 3 * 5 * 7 * 11). The larger templa…

685 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question