Solved

One Public IP to different servers for different protocols  Static mapping help

Posted on 2006-07-11
6
546 Views
Last Modified: 2012-06-27
I have a similar situation to this one:

http://www.experts-exchange.com/Security/Firewalls/Q_21310837.html?query=%22static+%28inside%2Coutside%29+tcp+interface+smtp%22&clearTAFilter=true

I have one public ip that I want to use for smtp and http.  The smtp will be directed to a spam filter 172.16.0.23.  The http will go to an OWA server at 172.16.0.21.

I have a PIX 515E - 6.3(3)

I have setup acls and statics as follows, but have had no luck getting this to work.  It looks like all the traffic goes to 172.16.0.23 ( the filter).  I can't seem to get the www and https to direct to the web server.  

I also have other web servers that have their own statics, and this works fine for www/https at 172.16.0.17 and 172.16.0.2.

The public IP I am working with now is xx.xx.xx.54.

access-list 142 permit tcp any host xx.xx.xx.51 eq www
access-list 142 permit tcp any host xx.xx.xx.51 eq https
access-list 142 permit tcp any host xx.xx.xx.52 eq www
access-list 142 permit tcp any host xx.xx.xx.52 eq https
access-list 142 permit tcp any interface outside eq smtp
access-list 142 permit tcp any interface outside eq www
access-list 142 permit tcp any interface outside eq https

static (inside,outside) tcp interface smtp 172.16.0.23 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 172.16.0.21 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https 172.16.0.21 https netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.51 172.16.0.2 netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.52 172.16.0.17 netmask 255.255.255.255 0 0
access-group 142 in interface outside

Any help on the commands I need to get this running would be appreciated!
0
Comment
Question by:jdavidsbs
6 Comments
 
LVL 1

Accepted Solution

by:
JEEGO earned 350 total points
ID: 17085108
I have done the same thing using similar ACL and STATIC statements
Remove the following statements, since you have a specific Public IP that you are using

access-list 142 permit tcp any interface outside eq smtp
access-list 142 permit tcp any interface outside eq www
access-list 142 permit tcp any interface outside eq https

static (inside,outside) tcp interface smtp 172.16.0.23 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 172.16.0.21 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https 172.16.0.21 https netmask 255.255.255.255 0 0


Enter the following statements:

access-list 142 permit tcp any host xx.xx.xx.54 outside eq smtp
access-list 142 permit tcp any host xx.xx.xx.54 eq www
access-list 142 permit tcp any host xx.xx.xx.54 eq https

static (inside,outside) tcp xx.xx.xx.54 smtp 172.16.0.23 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp xx.xx.xx.54 www 172.16.0.21 www netmask 255.255.255.255 0 0
static (inside,outside) tcp xx.xx.xx.54  https 172.16.0.21 https netmask 255.255.255.255 0 0

clear xlate

If it works, then
wr mem

Thanks

JEEGO(AL) - in the spirit of the World Cup

0
 
LVL 79

Assisted Solution

by:lrmoore
lrmoore earned 100 total points
ID: 17085312
>6.3(3)
This is a buggy version. Suggest updating to 6.3(5)
Your configuration should work using 'interface' keyword
Did you run "clear xlate" ?
0
 
LVL 51

Assisted Solution

by:Keith Alabaster
Keith Alabaster earned 50 total points
ID: 17085325
access-list 142 permit tcp any host xx.xx.xx.54 outside eq smtp   <<< Don't need the word Outside here

Don't forget to reapply the access-group statement
access-group 142 in interface outside

0
Threat Intelligence Starter Resources

Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 17085341
May need to add the following also if you are you additional IP addresses on the outside.

no sysopt noproxyarp outside
0
 

Author Comment

by:jdavidsbs
ID: 17085345
That looks like it worked, JEEGO.  I will double check tomorrow and award points then.

I had originally tried this setup, but it wasn't working that way... I think all I forgot was the clear xlate... ;(

ah well.....

0
 

Author Comment

by:jdavidsbs
ID: 17090959
lrmoore,
Thanks for the heads up on the version update.  I am planning to update this weekend.  This would explain a couple other wierd issues that I've had on this pix.  
The setup with the interface commands didn't work completely,  it wouldn't direct the web traffic to the right server.   I may try this if I have time after the update.

Thanks for the tips, Keith
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

Do you have a windows based Checkpoint SmartCenter for centralized Checkpoint management?  Have you ever backed up the firewall policy residing on the SmartCenter?  If you have then you know the hassles of connecting to the server, doing an upgrade_…
To setup a SonicWALL for policy based routing to be used with the Websense Content Gateway there are several steps that need to be completed. Below is a rough guide for accomplishing this. One thing of note is this guide is intended to assist in the…
It is a freely distributed piece of software for such tasks as photo retouching, image composition and image authoring. It works on many operating systems, in many languages.
Access reports are powerful and flexible. Learn how to create a query and then a grouped report using the wizard. Modify the report design after the wizard is done to make it look better. There will be another video to explain how to put the final p…

757 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now