Solved

One Public IP to different servers for different protocols  Static mapping help

Posted on 2006-07-11
6
563 Views
Last Modified: 2012-06-27
I have a similar situation to this one:

http://www.experts-exchange.com/Security/Firewalls/Q_21310837.html?query=%22static+%28inside%2Coutside%29+tcp+interface+smtp%22&clearTAFilter=true

I have one public ip that I want to use for smtp and http.  The smtp will be directed to a spam filter 172.16.0.23.  The http will go to an OWA server at 172.16.0.21.

I have a PIX 515E - 6.3(3)

I have setup acls and statics as follows, but have had no luck getting this to work.  It looks like all the traffic goes to 172.16.0.23 ( the filter).  I can't seem to get the www and https to direct to the web server.  

I also have other web servers that have their own statics, and this works fine for www/https at 172.16.0.17 and 172.16.0.2.

The public IP I am working with now is xx.xx.xx.54.

access-list 142 permit tcp any host xx.xx.xx.51 eq www
access-list 142 permit tcp any host xx.xx.xx.51 eq https
access-list 142 permit tcp any host xx.xx.xx.52 eq www
access-list 142 permit tcp any host xx.xx.xx.52 eq https
access-list 142 permit tcp any interface outside eq smtp
access-list 142 permit tcp any interface outside eq www
access-list 142 permit tcp any interface outside eq https

static (inside,outside) tcp interface smtp 172.16.0.23 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 172.16.0.21 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https 172.16.0.21 https netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.51 172.16.0.2 netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.52 172.16.0.17 netmask 255.255.255.255 0 0
access-group 142 in interface outside

Any help on the commands I need to get this running would be appreciated!
0
Comment
Question by:jdavidsbs
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 1

Accepted Solution

by:
JEEGO earned 350 total points
ID: 17085108
I have done the same thing using similar ACL and STATIC statements
Remove the following statements, since you have a specific Public IP that you are using

access-list 142 permit tcp any interface outside eq smtp
access-list 142 permit tcp any interface outside eq www
access-list 142 permit tcp any interface outside eq https

static (inside,outside) tcp interface smtp 172.16.0.23 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 172.16.0.21 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https 172.16.0.21 https netmask 255.255.255.255 0 0


Enter the following statements:

access-list 142 permit tcp any host xx.xx.xx.54 outside eq smtp
access-list 142 permit tcp any host xx.xx.xx.54 eq www
access-list 142 permit tcp any host xx.xx.xx.54 eq https

static (inside,outside) tcp xx.xx.xx.54 smtp 172.16.0.23 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp xx.xx.xx.54 www 172.16.0.21 www netmask 255.255.255.255 0 0
static (inside,outside) tcp xx.xx.xx.54  https 172.16.0.21 https netmask 255.255.255.255 0 0

clear xlate

If it works, then
wr mem

Thanks

JEEGO(AL) - in the spirit of the World Cup

0
 
LVL 79

Assisted Solution

by:lrmoore
lrmoore earned 100 total points
ID: 17085312
>6.3(3)
This is a buggy version. Suggest updating to 6.3(5)
Your configuration should work using 'interface' keyword
Did you run "clear xlate" ?
0
 
LVL 51

Assisted Solution

by:Keith Alabaster
Keith Alabaster earned 50 total points
ID: 17085325
access-list 142 permit tcp any host xx.xx.xx.54 outside eq smtp   <<< Don't need the word Outside here

Don't forget to reapply the access-group statement
access-group 142 in interface outside

0
Threat Trends for MSPs to Watch

See the findings.
Despite its humble beginnings, phishing has come a long way since those first crudely constructed emails. Today, phishing sites can appear and disappear in the length of a coffee break, and it takes more than a little know-how to keep your clients secure.

 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 17085341
May need to add the following also if you are you additional IP addresses on the outside.

no sysopt noproxyarp outside
0
 

Author Comment

by:jdavidsbs
ID: 17085345
That looks like it worked, JEEGO.  I will double check tomorrow and award points then.

I had originally tried this setup, but it wasn't working that way... I think all I forgot was the clear xlate... ;(

ah well.....

0
 

Author Comment

by:jdavidsbs
ID: 17090959
lrmoore,
Thanks for the heads up on the version update.  I am planning to update this weekend.  This would explain a couple other wierd issues that I've had on this pix.  
The setup with the interface commands didn't work completely,  it wouldn't direct the web traffic to the right server.   I may try this if I have time after the update.

Thanks for the tips, Keith
0

Featured Post

2017 Webroot Threat Report

MSPs: Get the facts you need to protect your clients.
The 2017 Webroot Threat Report provides a uniquely insightful global view into the analysis and discoveries made by the Webroot® Threat Intelligence Platform to provide insights on key trends and risks as seen by our users.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Do you have a windows based Checkpoint SmartCenter for centralized Checkpoint management?  Have you ever backed up the firewall policy residing on the SmartCenter?  If you have then you know the hassles of connecting to the server, doing an upgrade_…
This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…

740 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question