- PIX 501 Multiple Outside Ports to Single Inside Port
- Posted by Paul Smedshammer on May 2nd, 2008
PIX 501 Multiple Outside Ports to Single Inside Port.
I'm trying to fix our remote e-mail folks. I have no problem forwarding a
single port from the outside to the inside. So say Outside port 25 is
forwarded to our internal e-mail server on port 25.
What I'm trying to do is forward two outside ports, port 25 and port 587, to our
inside server listening on port 25. Is this possible with a PIX 501?
We are currently using:
static (inside,outside) tcp interface smtp 10.0.0.2 smtp netmask
255.255.255.255 0 0
if I add another line in say:
static (inside,outside) tcp interface 587 10.0.0.2 smtp netmask
255.255.255.255 0 0
I get an error about overlapping. This has to be possible, I'm just going
about it wrong. I have scoured the web and I can see how it can be done in
a Linux environment with iptables, but I have not found a reference to do
this in a Cisco PIX.
- Posted by flamer die.spam@hotmail.com on May 2nd, 2008
try this:
object-group service MyMail tcp
port-object eq smtp
port-object eq 587
exit
static (inside,outside) tcp interface MyMail 10.0.0.2 smtp netmask
255.255.255.255 0 0
Haven't got anything here to test it with, but it should put you on the
right track at least. Now, if the port forward command doesn't like the
service name in there, you just need to use an access-list in your nat
statement instead. Lots of examples on cisco.com.
Flamer.
- Posted by Brian V on May 2nd, 2008
"Paul Smedshammer" <nospam@coreutilities.com> wrote in message
news:Xns9A91AF98541B5nospamcoreutilitiesc@207.115.33.102...
No, you cannot do that. While logically it would work inbound, it would break
going out. How would the SMTP packet know which port to PAT to on the way
out? This is the same reason why you cannot have multiple publics NAT'd to a
single private.
- Posted by Paul Smedshammer on May 2nd, 2008
"Brian V" <die_spammer@nospam.com> wrote in
news:xOidndfX84AK6ofVnZ2dnUVZ_qiinZ2d@comcast.com:
I was worried about that. So, this is really something I can't do. I
need to find another way to have our e-mail server listen on two
different ports and then forward both those ports from the PIX. Thanks,
I have been beating my head at this for a while and was thinking that
maybe it can't be done.
- Posted by Morph on May 2nd, 2008
In the message <Xns9A91D68E68C3Enospamcoreutilitiesc@207.115.33.102>
Paul Smedshammer wrote:
| "Brian V" <die_spammer@nospam.com> wrote in
| news:xOidndfX84AK6ofVnZ2dnUVZ_qiinZ2d@comcast.com:
|
| > "Paul Smedshammer" <nospam@coreutilities.com> wrote in message
| > news:Xns9A91AF98541B5nospamcoreutilitiesc@207.115.33.102...
| >> PIX 501 Multiple Outside Ports to Single Inside Port.
| >> What I'm trying to do is forward two outside port 25 and port 587 to
| >> our inside server listening on port 25. Is this possible with a PIX
| >> 501?
| >> We are currently using:
| >>
| >> static (inside,outside) tcp interface smtp 10.0.0.2 smtp netmask
| >> 255.255.255.255 0 0
| >>
| >> if I add another line in say:
| >>
| >> static (inside,outside) tcp interface 587 10.0.0.2 smtp netmask
| >> 255.255.255.255 0 0
| >>
| >> I get an error about overlapping. This has to be possible, I'm just
| >> going about it wrong. I have scoured the web and I can see how it
| >> can be done in
| >> a Linux environment with IP Tables, but I have not found a reference
| >> to do this in a CISCO PIX.
| >
| > No, you cannot do that. While logically it would work inbound it would
| > break going out. How would the smtp packet know which port to pat to
| > on the way out. This is the same reason why you cannot have multiple
| > publics nat'd to a single private.
| >
|
| I was worried about that. So, this is really something I can't do. I
| need to find another way to have our e-mail server listen on two
| different ports and then forward both those ports from the PIX. Thanks,
| I have been beating my head at this for a while and was thinking that
| maybe it can't be done.
How about putting a second IP address on your server and then setting it to
listen on that address using the second port you need. Then you won't
have a problem forwarding the port on the PIX, since you will be
forwarding the port to another address.
- Posted by Brian V on May 2nd, 2008
"Paul Smedshammer" <no_spam@coreutilities.com> wrote in message
news:Xns9A91D68E68C3Enospamcoreutilitiesc@207.115.33.102...
What exactly are you trying to accomplish by having SMTP on two different
ports? If you can give us an idea on what you are trying to accomplish we
might be able to offer you an alternative.
- Posted by Rod Dorman on May 2nd, 2008
In article <Xns9A91D68E68C3Enospamcoreutilitiesc@207.115.33.102>,
Paul Smedshammer <no_spam@coreutilities.com> wrote:
Any MTA that can't handle both port 25 and the submissions port 587 I
would consider broken.
--
-- Rod --
rodd(at)polylogics(dot)com
- Posted by Paul Smedshammer on May 2nd, 2008
"Brian V" <die_spammer@nospam.com> wrote in
news:QIGdnU-ZU7rHgIbVnZ2dnUVZ_o3inZ2d@comcast.com:
We have a bunch of clients who are remote from their corporate e-mail
server. When we configure their e-mail to send out on the SMTP default port
25, it gets blocked by AT&T, in their wisdom, to stop SPAM. Dynamic IP AT&T
DSL connections block all traffic to port 25 except to their own servers.
The idea is that if we can add another port to the corporate server to receive
SMTP traffic, we can use an alternative port to send e-mail, getting
around AT&T's block.
We have solved this problem not in the PIX but in our SPAM filtering
software, XWall. In XWall we configured it to listen on both port 25 and
another port in the 2000 range. Then we set up the PIX to forward both 25 and
the 2000 port to the XWall server. Lastly, we set up the remote clients'
e-mail to use the 2000 port to send e-mail out. Works perfectly.
It makes sense why this will work if you set up the SMTP server to listen
on two different ports instead of using the PIX to try and combine two.
Thanks everybody for your response.
Paul Smedshammer
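The arrangement Morph and Paul describe, one static PAT entry per outside port with the server itself listening on both ports, as an added example in PIX 6.x syntax that is not from the thread. 10.0.0.2 and ports 25/587 come from the thread; the ACL name outside_in is an assumption.

```cisco
! Added example (PIX 6.x syntax), not from the thread.
! One static PAT entry per outside port, each mapped to a distinct inside
! port that the mail server actually listens on. Because the inside
! (port, address) pairs differ, the reverse translation of outbound
! replies is unambiguous, which is the overlap Brian objected to.
! 10.0.0.2 is the server address from the thread; outside_in is an
! assumed ACL name.
static (inside,outside) tcp interface smtp 10.0.0.2 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 587 10.0.0.2 587 netmask 255.255.255.255 0 0
! A static alone does not admit inbound traffic on PIX 6.x; the outside
! interface ACL must permit each published port explicitly.
access-list outside_in permit tcp any interface outside eq smtp
access-list outside_in permit tcp any interface outside eq 587
access-group outside_in in interface outside
! The PIX only forwards. Restricting 587 to authenticated submission and
! 25 to local delivery, as Tilman advises below, is done on the MTA.
```

To use a port in the 2000 range instead, as Paul did with XWall, substitute that port number for 587 in both the static and the access-list line.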
- Posted by Brian V on May 2nd, 2008
"Paul Smedshammer" <nospam@coreutilities.com> wrote in message
news:Xns9A9276CA68AE6nospamcoreutilitiesc@207.115.33.102...
Why not have them simply connect to the corp LAN via VPN or even RPC via
Outlook to the Exchange server? You also have the ability to use smart
hosts, SMTP.com is a great example of one.
- Posted by Tilman Schmidt on May 9th, 2008
Paul Smedshammer wrote:
Don't do that. The SMTP reception port 25 and the submission port 587
should be configured differently, port 587 only accepting authenticated
SMTP connections and port 25 only accepting mail for local users.
Any decent mail server software should be able to be set up like that.
HTH
T.
--
Please excuse my bad English/German/French/Greek/Cantonese/Klingon/...