PIX 501 Multiple Outside Ports to Single Inside Port

Discussion in 'Cisco' started by Paul Smedshammer, May 2, 2008.

  1. PIX 501 Multiple Outside Ports to Single Inside Port.

    I'm trying to fix our remote e-mail folks. I have no problem forwarding a
    single port from the outside to the inside. So say Outside port 25 is
    forwarded to our internal e-mail server on port 25.

    What I'm trying to do is forward two outside port 25 and port 587 to our
    inside server listening on port 25. Is this possible with a PIX 501?

    We are currently using:

    static (inside,outside) tcp interface smtp 10.0.0.2 smtp netmask
    255.255.255.255 0 0

    if I add another line in say:

    static (inside,outside) tcp interface 587 10.0.0.2 smtp netmask
    255.255.255.255 0 0

    I get an error about overlapping. This has to be possible, I'm just going
    about it wrong. I have scoured the web and I can see how it can be done in
    a Linux environment with IP Tables, but I have not found a reference to do
    this in a CISCO PIX.
     
    Paul Smedshammer, May 2, 2008
    #1

  2. Guest

    try this:

    object-group service MyMail tcp
    port-object eq smtp
    port-object eq 587
    exit

    static (inside,outside) tcp interface MyMail 10.0.0.2 smtp netmask
    255.255.255.255 0 0


    haven't got anything here to test it with but should put you on the
    right track at least. Now if the port forward command doesn't like the
    service name in there you just need to use an access-list in your nat
    statement instead. Lots of examples on cisco.com

    Flamer.
     
    Guest, May 2, 2008
    #2

  3. I was worried about that. So, this is really something I can't do. I
    need to find another way to have our e-mail server listen on two
    different ports and then forward both those ports from the PIX. Thanks,
    I have been beating my head at this for a while and was thinking that
    maybe it can't be done.
     
    Paul Smedshammer, May 2, 2008
    #3
  4. Morph

    Paul Smedshammer wrote:

    | >> PIX 501 Multiple Outside Ports to Single Inside Port.
    | >> What I'm trying to do is forward two outside port 25 and port 587 to
    | >> our inside server listening on port 25. Is this possible with a PIX
    | >> 501?
    | >> We are currently using:
    | >>
    | >> static (inside,outside) tcp interface smtp 10.0.0.2 smtp netmask
    | >> 255.255.255.255 0 0
    | >>
    | >> if I add another line in say:
    | >>
    | >> static (inside,outside) tcp interface 587 10.0.0.2 smtp netmask
    | >> 255.255.255.255 0 0
    | >>
    | >> I get an error about overlapping. This has to be possible, I'm just
    | >> going about it wrong. I have scoured the web and I can see how it
    | >> can be done in a Linux environment with IP Tables, but I have not
    | >> found a reference to do this in a CISCO PIX.
    | >
    | > No, you cannot do that. While logically it would work inbound, it would
    | > break going out. How would the smtp packet know which port to PAT to
    | > on the way out? This is the same reason why you cannot have multiple
    | > publics NAT'd to a single private.
    |
    | I was worried about that. So, this is really something I can't do. I
    | need to find another way to have our e-mail server listen on two
    | different ports and then forward both those ports from the PIX. Thanks,
    | I have been beating my head at this for a while and was thinking that
    | maybe it can't be done.

    How about putting a second IP address on your server and then set it to
    listen on that address using the second port you need. Then you won't
    have a problem forwarding the port on the PIX since you will be
    forwarding the port to another address.
     
    Morph, May 2, 2008
    #4
  5. Rod Dorman

    Any MTA that can't handle both port 25 and the submission port 587 I
    would consider broken.
     
    Rod Dorman, May 2, 2008
    #5
  6. We have a bunch of clients who are remote from their corporate E-mail
    server. When we configure their email to send out on smtp default port
    25 it gets blocked by AT&T in their wisdom to stop SPAM. Dynamic IP AT&T
    DSL connections block all traffic to port 25 except to their own servers.
    The idea is if we can add another port to the corporate server to receive
    SMTP traffic, we can use an alternative port to send e-mail getting
    around AT&T's block.

    We have solved this problem not in the PIX but in our SPAM filtering
    software XWall. In XWall we configured it to listen on both port 25 and
    another in the 2000 range. Then we set up the PIX to forward both 25 and
    the 2000 port to the XWall server. Lastly, set up the remote client's
    e-mails to use the 2000 port to send e-mail out. Works perfectly.

    It makes sense why this will work if you set up the SMTP server to listen
    on two different ports instead of using the PIX to try and combine two.

    Thanks everybody for your response.

    Paul Smedshammer
     
    Paul Smedshammer, May 2, 2008
    #6
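The PIX side of the working setup from post #6, as an added example that is not part of the thread. It assumes PIX 6.3 syntax, the inside mail host 10.0.0.2 and the "interface" global address from post #1, and 2525 as the alternate listener port (the post says only "in the 2000 range"); the rejected pair from post #1 is kept as comments for comparison:

```cisco
! --- Added example, not from the thread. Assumes PIX 6.3, inside host
! --- 10.0.0.2 (from the thread) and 2525 as the alternate listener port
! --- (an assumption; the thread only says "in the 2000 range").
!
! What post #1 tried: two global ports mapped onto one local port. The
! second static is rejected as overlapping, because the PIX has no way to
! reverse-translate a reply from 10.0.0.2:25 to two different global ports:
!   static (inside,outside) tcp interface smtp 10.0.0.2 smtp netmask 255.255.255.255 0 0
!   static (inside,outside) tcp interface 587 10.0.0.2 smtp netmask 255.255.255.255 0 0
!
! What works: the mail server listens on both ports and each static maps
! one global port to one distinct local port, so both directions are unique.
static (inside,outside) tcp interface smtp 10.0.0.2 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 2525 10.0.0.2 2525 netmask 255.255.255.255 0 0
!
! A static only builds the translation; the inbound ACL on outside must
! also admit both ports, or the connections are dropped.
access-list outside_in permit tcp any interface outside eq smtp
access-list outside_in permit tcp any interface outside eq 2525
access-group outside_in in interface outside
!
! SMTP fixup (Mailguard) only inspects the ports it is told about. Port 25
! is inspected by default; the alternate port is not unless added here.
fixup protocol smtp 25
fixup protocol smtp 2525
```

After changing static entries, run `clear xlate` so existing translations are rebuilt against the new statics. Note that port 2525 is exposed to the whole Internet exactly like port 25; the alternate listener does nothing to prevent relaying on its own, so the MTA behind it must still require authentication before it relays mail for the remote clients.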
  7. Don't do that. The SMTP reception port 25 and the submission port 587
    should be configured differently, port 587 only accepting authenticated
    SMTP connections and port 25 only accepting mail for local users.
    Any decent mail server software should be able to be set up like that.

    HTH
    T.
     
    Tilman Schmidt, May 9, 2008
    #7
