PIX 501 - Inbound Port Forwarding/Translation?

Discussion in 'Cisco' started by Paul Hutchings, Jan 10, 2004.

  1. I have a 501 with public IP addresses on both interfaces, because of this
    none of my inside hosts/networks use any form of NAT.

    I'm trying to setup a rule that will take an external connection to one of
    my inside IPs on port 587 and direct it to port 25 on the same inside IP.

    Basically I have an smtp server on the inside that can only listen on port
    25, I don't want to open it up to the entire internet (it's secure but we'd
    get spammed) but would like to offer authenticated smtp to my users.

    I figure if I can get connections coming in on a non-standard port and
    redirect them..

    I'm not familiar with PIX commands so something using PDM would be good.

    PDM Version 3.0(1) PIX Version 6.3(1)

    regards
    Paul
    --
    paul <at> spamcop.net
     
    Paul Hutchings, Jan 10, 2004
    #1
  2. Paul,

    How will other servers (say on the internet) know how to use a port other
    than 25 to communicate with the email server? Wouldn't it be easier to prevent
    spamming on your MTA rather than make things more complex?

    Regards,

    Scott.
    \|/
    (o o)
    ---------------------oOOO--(_)--OOOo----------------------
    Out the 100Base-T, off the firewall, through the router, down
    the T1, over the leased line, off the bridge, nothing but Net.
    (Use ROT13 to see my email address)
    .oooO Oooo.
    ----------------------( )---( )-----------------------
    \ ( ) /
    \_) (_/


    "Paul Hutchings" <> wrote in message
    news:Xns946CA37D9118Cpaulhutchingsspamcop@130.133.1.4...
    > I have a 501 with public IP addresses on both interfaces, because of this
    > none of my inside hosts/networks use any form of NAT.
    >
    > I'm trying to setup a rule that will take an external connection to one of
    > my inside IPs on port 587 and direct it to port 25 on the same inside IP.
    >
    > Basically I have an smtp server on the inside that can only listen on port
    > 25, I don't want to open it up to the entire internet (it's secure but we'd
    > get spammed) but would like to offer authenticated smtp to my users.
    >
    > I figure if I can get connections coming in on a non-standard port and
    > redirect them..
    >
    > I'm not familiar with PIX commands so something using PDM would be good.
    >
    > PDM Version 3.0(1) PIX Version 6.3(1)
    >
    > regards
    > Paul
    > --
    > paul <at> spamcop.net
     
    scott enwright, Jan 11, 2004
    #2
  3. "scott enwright" <> wrote in
    news:JU2Mb.5318$:

    > Paul,
    >
    > How will other servers (say on the internet) know how to use a port
    > other than 25 to communicate with the email server? Wouldn't it be easier
    > to prevent spamming on your MTA rather than make things more complex?


    Because other servers won't be talking to that MTA.

    Basically I have a DMZ with 2 smtp servers in it, one runs postfix with
    spamassassin and is _really_ tightly configured, the other is running on
    Windows and whilst it's relay secure and has some antispam capability it's
    nothing like as configurable as the postfix/sa one, plus the Windows one
    supports smtp authentication using my users domain accounts.

    So the theory was to leave the postfix one open to the world on port 25 and
    to have the Windows one open only on port XXX so that spammers scanning for
    open relays shouldn't find it, but my users would know about it.

    regards
    Paul
    --
    paul <at> spamcop.net
     
    Paul Hutchings, Jan 11, 2004
    #3
  4. In article <Xns946CA37D9118Cpaulhutchingsspamcop@130.133.1.4>,
    Paul Hutchings <> wrote:
    :I have a 501 with public IP addresses on both interfaces, because of this
    :none of my inside hosts/networks use any form of NAT.

    :I'm trying to setup a rule that will take an external connection to one of
    :my inside IPs on port 587 and direct it to port 25 on the same inside IP.

    In theory this should work:

    static (inside, outside) tcp IP 587 IP 25 netmask 255.255.255.255 0 0

    --
    Warning: potentially contains traces of nuts.
     
    Walter Roberson, Jan 11, 2004
    #4
  5. -cnrc.gc.ca (Walter Roberson) wrote in
    news:btrf1m$8rr$:

    > In theory this should work:
    >
    > static (inside, outside) tcp IP 587 IP 25 netmask 255.255.255.255 0 0


    Thanks Walter, but (from PDM CLI widget):
    Result of firewall command: "static (inside, outside) tcp IP 587 IP 25
    netmask 255.255.255.255 0 0"

    ERROR: Invalid global IP address IP

    If I do "sho static" I get all the entries for my objects, along the lines
    of "static (inside,outside) webcache webcache netmask 255.255.255.255 0 0"

    Now I thought this would also work but it doesn't:

    Result of firewall command: "static (inside,outside) tcp webcache 587
    webcache 25 netmask 255.255.255.255 0 0"

    ERROR: static overlaps with webcache to webcache

    regards
    Paul
    --
    paul <at> spamcop.net
     
    Paul Hutchings, Jan 11, 2004
    #5
  6. Try,

    static (inside, outside) tcp <public IP> 587 <private IP> 25 netmask 255.255.255.255

    Syntax FYI:

    [no] static [(internal_if_name, external_if_name)] {tcp | udp} {global_ip | interface} global_port local_ip local_port [dns] [netmask mask] [max_conns [emb_limit [norandomseq]]]

    Regards,

    Scott.
    \|/
    (o o)
    ---------------------oOOO--(_)--OOOo----------------------
    Out the 100Base-T, off the firewall, through the router, down
    the T1, over the leased line, off the bridge, nothing but Net.
    (Use ROT13 to see my email address)
    .oooO Oooo.
    ----------------------( )---( )-----------------------
    \ ( ) /
    \_) (_/


    "Paul Hutchings" <> wrote in message
    news:Xns946D80535C55Cpaulhutchingsspamcop@130.133.1.4...
    > -cnrc.gc.ca (Walter Roberson) wrote in
    > news:btrf1m$8rr$:
    >
    > > In theory this should work:
    > >
    > > static (inside, outside) tcp IP 587 IP 25 netmask 255.255.255.255 0 0

    >
    > Thanks Walter, but (from PDM CLI widget):
    > Result of firewall command: "static (inside, outside) tcp IP 587 IP 25
    > netmask 255.255.255.255 0 0"
    >
    > ERROR: Invalid global IP address IP
    >
    > If I do "sho static" I get all the entries for my objects, along the lines
    > of "static (inside,outside) webcache webcache netmask 255.255.255.255 0 0"
    >
    > Now I thought this would also work but it doesn't:
    >
    > Result of firewall command: "static (inside,outside) tcp webcache 587
    > webcache 25 netmask 255.255.255.255 0 0"
    >
    > ERROR: static overlaps with webcache to webcache
    >
    > regards
    > Paul
    > --
    > paul <at> spamcop.net
     
    scott enwright, Jan 11, 2004
    #6
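As an added example (not code from the thread or from Cisco), a small Python checker modelled on the two PIX 6.3 errors Paul reports and on Scott's syntax: it parses existing static statements and explains why a new port static would be rejected. The regular expression, the KNOWN_NAMES set and the 203.0.113.x addresses are constructed assumptions, not PIX internals.

```python
import ipaddress
import re

# Constructed model of the two "static" forms seen in this thread.
# A static without tcp/udp ("static (inside,outside) webcache webcache ...")
# claims every port of its global address; a port static claims one port.
STATIC_RE = re.compile(
    r"static \((\w+),\s*(\w+)\)"
    r"(?:\s+(tcp|udp)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\d+)|\s+(\S+)\s+(\S+))"
)

# Constructed: hosts defined with the PIX "name" command on this box.
KNOWN_NAMES = {"webcache"}


def parse_static(line):
    """Return the global/local address and (if present) protocol and ports."""
    m = STATIC_RE.match(line.strip())
    if not m:
        raise ValueError("not a static statement: " + line)
    if m.group(3):
        return {"proto": m.group(3), "global": m.group(4), "gport": int(m.group(5)),
                "local": m.group(6), "lport": int(m.group(7))}
    return {"proto": None, "global": m.group(8), "gport": None,
            "local": m.group(9), "lport": None}


def is_address_or_name(token):
    """PIX accepts a dotted IPv4 address or a configured name, nothing else."""
    try:
        ipaddress.IPv4Address(token)
        return True
    except ValueError:
        return token in KNOWN_NAMES


def check_port_static(new_line, existing_lines):
    """Report the PIX-style error a new static would produce, or 'ok'."""
    new = parse_static(new_line)
    if not is_address_or_name(new["global"]):
        # the literal placeholder "IP" is neither an address nor a name
        return f"Invalid global IP address {new['global']}"
    for old_line in existing_lines:
        old = parse_static(old_line)
        if old["global"] != new["global"]:
            continue
        # an all-port static already owns this global address, or the same
        # protocol/port pair is already redirected
        if old["proto"] is None or (old["proto"] == new["proto"]
                                    and old["gport"] == new["gport"]):
            return f"static overlaps with {old['global']} to {old['local']}"
    return "ok"
```

Only a static whose global address is free of an all-port mapping passes; the identity static for webcache in Paul's "sho static" output is what triggers the overlap.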
  7. John Guest wrote, replying to Paul Hutchings:

    "Paul Hutchings" <> wrote in message
    news:Xns946CA37D9118Cpaulhutchingsspamcop@130.133.1.4...
    > I have a 501 with public IP addresses on both interfaces, because of this
    > none of my inside hosts/networks use any form of NAT.
    >
    > I'm trying to setup a rule that will take an external connection to one of
    > my inside IPs on port 587 and direct it to port 25 on the same inside IP.
    >
    > Basically I have an smtp server on the inside that can only listen on port
    > 25, I don't want to open it up to the entire internet (it's secure but we'd
    > get spammed) but would like to offer authenticated smtp to my users.
    >
    > I figure if I can get connections coming in on a non-standard port and
    > redirect them..
    >
    > I'm not familiar with PIX commands so something using PDM would be good.
    >
    > PDM Version 3.0(1) PIX Version 6.3(1)
    >
    > regards
    > Paul
    > --
    > paul <at> spamcop.net


    I have a block of 16 IPs and initially had my 501 configured with public IPs
    on both "sides". Eventually I gave up and used private IPs since I kept
    getting messages like yours. I think that you will find the task much easier
    if you use private IPs and NAT for all routes across the 501.

    John
     
    John, Jan 12, 2004
    #7