Solved

One Public IP to different servers for different protocols  Static mapping help

Posted on 2006-07-11
Last Modified: 2012-06-27
I have a similar situation to this one:

http://www.experts-exchange.com/Security/Firewalls/Q_21310837.html?query=%22static+%28inside%2Coutside%29+tcp+interface+smtp%22&clearTAFilter=true

I have one public ip that I want to use for smtp and http.  The smtp will be directed to a spam filter 172.16.0.23.  The http will go to an OWA server at 172.16.0.21.

I have a PIX 515E - 6.3(3)

I have set up ACLs and statics as follows, but have had no luck getting this to work. It looks like all the traffic goes to 172.16.0.23 (the filter). I can't seem to get the www and https to direct to the web server.

I also have other web servers that have their own statics, and this works fine for www/https at 172.16.0.17 and 172.16.0.2.

The public IP I am working with now is xx.xx.xx.54.

access-list 142 permit tcp any host xx.xx.xx.51 eq www
access-list 142 permit tcp any host xx.xx.xx.51 eq https
access-list 142 permit tcp any host xx.xx.xx.52 eq www
access-list 142 permit tcp any host xx.xx.xx.52 eq https
access-list 142 permit tcp any interface outside eq smtp
access-list 142 permit tcp any interface outside eq www
access-list 142 permit tcp any interface outside eq https

static (inside,outside) tcp interface smtp 172.16.0.23 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 172.16.0.21 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https 172.16.0.21 https netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.51 172.16.0.2 netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.52 172.16.0.17 netmask 255.255.255.255 0 0
access-group 142 in interface outside

Any help on the commands I need to get this running would be appreciated!
0
Question by:jdavidsbs
 
LVL 1

Accepted Solution

by:
JEEGO earned 1400 total points
ID: 17085108
I have done the same thing using similar ACL and STATIC statements.
Remove the following statements, since you have a specific Public IP that you are using:

access-list 142 permit tcp any interface outside eq smtp
access-list 142 permit tcp any interface outside eq www
access-list 142 permit tcp any interface outside eq https

static (inside,outside) tcp interface smtp 172.16.0.23 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 172.16.0.21 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https 172.16.0.21 https netmask 255.255.255.255 0 0


Enter the following statements:

access-list 142 permit tcp any host xx.xx.xx.54 outside eq smtp
access-list 142 permit tcp any host xx.xx.xx.54 eq www
access-list 142 permit tcp any host xx.xx.xx.54 eq https

static (inside,outside) tcp xx.xx.xx.54 smtp 172.16.0.23 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp xx.xx.xx.54 www 172.16.0.21 www netmask 255.255.255.255 0 0
static (inside,outside) tcp xx.xx.xx.54 https 172.16.0.21 https netmask 255.255.255.255 0 0

clear xlate

If it works, then
wr mem

Thanks

JEEGO(AL) - in the spirit of the World Cup

0
 
LVL 79

Assisted Solution

by:lrmoore
lrmoore earned 400 total points
ID: 17085312
>6.3(3)
This is a buggy version. Suggest updating to 6.3(5).
Your configuration should work using the 'interface' keyword.
Did you run "clear xlate"?
0
 
LVL 51

Assisted Solution

by:Keith Alabaster
Keith Alabaster earned 200 total points
ID: 17085325
access-list 142 permit tcp any host xx.xx.xx.54 outside eq smtp   <<< Don't need the word Outside here

Don't forget to reapply the access-group statement:
access-group 142 in interface outside

0
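A small lint for the statements discussed in this thread, added here as an example and not code from any poster: it pairs each TCP port-redirect `static` with a permit in the ACL bound to the outside interface, and flags `access-list` lines that do not match the expected form, such as the stray `outside` noted above. The function name `lint` and the regular expressions are assumptions that cover only the PIX 6.3 statement shapes shown on this page.

```python
import re

# Port redirect: static (inside,outside) tcp <global> <gport> <local> <lport> ...
STATIC_RE = re.compile(r"^static \(inside,outside\) tcp (\S+) (\S+) (\S+) (\S+)")
# Inbound permit: access-list <id> permit tcp any {host <ip> | interface outside} eq <port>
ACL_RE = re.compile(
    r"^access-list (\S+) permit tcp any (?:host (\S+)|(interface) outside) eq (\S+)$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface outside$")

def lint(config):
    """Return findings for a config fragment (assumed statement shapes only)."""
    findings, statics, permits, bound = [], [], set(), None
    for raw in config.splitlines():
        line = " ".join(raw.split())  # collapse repeated spaces
        if m := GROUP_RE.match(line):
            bound = m.group(1)
        elif m := STATIC_RE.match(line):
            statics.append((m.group(1), m.group(2), m.group(3)))
        elif line.startswith("access-list"):
            m = ACL_RE.match(line)
            if m:  # key: (acl id, host ip or the word "interface", port)
                permits.add((m.group(1), m.group(2) or m.group(3), m.group(4)))
            else:
                findings.append(f"unparsed ACL entry: {line}")
    if bound is None:
        findings.append("no access-group binds an ACL to the outside interface")
    for glob, port, local in statics:
        if (bound, glob, port) not in permits:
            findings.append(f"no permit in ACL {bound} for {glob}:{port} -> {local}")
    return findings

# Statements from the accepted answer, including the extra "outside" on the smtp line.
POSTED = """\
access-list 142 permit tcp any host xx.xx.xx.54 outside eq smtp
access-list 142 permit tcp any host xx.xx.xx.54 eq www
access-list 142 permit tcp any host xx.xx.xx.54 eq https
static (inside,outside) tcp xx.xx.xx.54 smtp 172.16.0.23 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp xx.xx.xx.54 www 172.16.0.21 www netmask 255.255.255.255 0 0
static (inside,outside) tcp xx.xx.xx.54 https 172.16.0.21 https netmask 255.255.255.255 0 0
access-group 142 in interface outside
"""
# Same statements with the extra keyword removed, as the follow-up comment suggests.
CORRECTED = POSTED.replace(" outside eq smtp", " eq smtp")

if __name__ == "__main__":
    for finding in lint(POSTED):
        print(finding)
```

The lint checks only that statements pair up textually; it does not model translation-table state, so `clear xlate` is still needed after changing statics.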
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 17085341
May need to add the following also if you are using additional IP addresses on the outside.

no sysopt noproxyarp outside
0
 

Author Comment

by:jdavidsbs
ID: 17085345
That looks like it worked, JEEGO.  I will double check tomorrow and award points then.

I had originally tried this setup, but it wasn't working that way... I think all I forgot was the clear xlate... ;(

ah well.....

0
 

Author Comment

by:jdavidsbs
ID: 17090959
lrmoore,
Thanks for the heads up on the version update. I am planning to update this weekend. This would explain a couple of other weird issues that I've had on this PIX.
The setup with the interface commands didn't work completely; it wouldn't direct the web traffic to the right server. I may try this if I have time after the update.

Thanks for the tips, Keith
0
