Telstar-Networks asked:

PIX NAT based on port issues

Okay, so here is the goal:

mail.domain.com is set as a public IP, let's say 1.1.1.1

Inside the network, I am using a Sonicwall appliance in front of an SME mail server.

What I want is for outside requests for 1.1.1.1 on port 25 to use NAT to send the traffic to the Sonicwall for spam/av filtering.   When requests for 1.1.1.1 come in on port 80 or 443, I want NAT to send those to the SME server for webmail.  

What I have done so far is gone into the ASDM and set up a Static Policy in NAT to map 1.1.1.1 to the Sonicwall.  This works fine as long as I leave protocol on IP.  When I try to change the protocol to TCP port 25, the NAT stops working.  

I tried to leave the above rule using IP and then create a second one to NAT port 443 traffic on 1.1.1.1 to the SME server and then simply place that rule higher in importance than the other Static Policy, but, again, whenever I change protocol from IP to TCP 443, the NAT stops working completely.

Any ideas?  As you can guess, I am not very well versed in PIX or using NAT in it.

Last comment: shuyun111, 8/22/2022 - Mon
shuyun111

It sounds like you want to use one outside IP address for two inside destinations. To do that with the ASDM in the NAT Rules you have to define the service for each rule, i.e.

Enable Port Address Translation
TCP
Original Port: 25
Translated Port: 25

You will have to have a rule for each service you want to use (25, 80, 443) even if two of the ports go to.
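Laid out as PIX/ASA (pre-8.3) CLI, the per-service statics shuyun111 describes, alongside the all-protocol static that blocks them. This is an added example, not configuration from the thread; the inside addresses 192.168.1.10 (SonicWall) and 192.168.1.20 (SME server) are assumed.

```cisco
! --- Conflicting setup ---
! An IP-level static claims every protocol and port on 1.1.1.1 for one
! inside host, so any later port static on 1.1.1.1 is rejected with
! "mapped-address conflict with existing static". Remove it first.
no static (inside,outside) 1.1.1.1 192.168.1.10 netmask 255.255.255.255

! --- Corrected setup: one static PAT entry per service ---
! Syntax (from the usage text in the thread):
!   static (real_ifc,mapped_ifc) tcp <mapped_ip> <mapped_port> <real_ip> <real_port> netmask <mask>
! SMTP goes to the SonicWall for spam/AV filtering.
static (inside,outside) tcp 1.1.1.1 25 192.168.1.10 25 netmask 255.255.255.255
! HTTP and HTTPS go straight to the SME server for webmail.
static (inside,outside) tcp 1.1.1.1 80 192.168.1.20 80 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.1 443 192.168.1.20 443 netmask 255.255.255.255

! The static only translates; the inbound ACL on the outside interface
! still has to permit the traffic. Pre-8.3 ACLs match the mapped
! (public) address. Only the three published ports are opened.
access-list outside_access_in extended permit tcp any host 1.1.1.1 eq smtp
access-list outside_access_in extended permit tcp any host 1.1.1.1 eq www
access-list outside_access_in extended permit tcp any host 1.1.1.1 eq https
access-group outside_access_in in interface outside
```

On ASA 8.3 and later the `static` command is gone (object NAT replaces it) and interface ACLs match the real, untranslated address, so this fragment applies to the PIX/ASA 7.x generation the thread is about.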
Telstar-Networks

ASKER
When I add those configuration options to the static policy rule and try to apply it, it errors and deletes the rule.

Changed IPs, of course. 1.1.1.1 is the public IP and 2.2.2.2 is internal.

[ERROR] static (inside,outside)  tcp 1.1.1.1 443 access-list inside_nat_static_3 tcp 0 0 udp 0
       mapped-address conflict with existing static
  inside:2.2.2.2 to outside:1.1.1.1 netmask 255.255.255.255
Usage: [no] static [(real_ifc, mapped_ifc)]
            {<mapped_ip>|interface}
            {<real_ip> [netmask <mask>]} | {access-list <acl_name>}
            [dns]
            [[tcp] <max_conns> [<emb_lim> [<norandomseq> [nailed]]]]
            [udp <max_conns>]
      [no] static [(real_ifc, mapped_ifc)] {tcp|udp}
            {<mapped_ip>|interface} <mapped_port>
            {<real_ip> <real_port> [netmask <mask>]} |
            {access-list <acl_name>}
            [dns]
            [[tcp] <max_conns> [<emb_lim> [<norandomseq> [nailed]]]]
            [udp <max_conns>]
      show running-config [all] static [<mapped_ip>]
      clear configure static
ASKER CERTIFIED SOLUTION
shuyun111

Telstar-Networks

ASKER
Ahh, that was stupid of me. Got it working, thanks. The ASDM interface is kind of counterintuitive on this one. Thanks for your help.
shuyun111

Thanks, glad to see that you got it going.