Re: Port forward from one pix over VPN to server in different subnets



I am not sure that it is possible...

--
<------------------
Regards:
Krzysztof Sobieraj
KS2804-RIPE


Kazimierz Wielki University

ul. Chodkiewicza 30
85-064 Bydgoszcz, Poland.

ukw.edu.pl

On Fri, 25 May 2007, Brian wrote:


"Krzysztof Sobieraj" <soba@xxxxxxxxxx> wrote in message
news:20070525105126.S34493@xxxxxxxxxxxxxxxxxxxx
Use a static command:

Usage: [no] static [(real_ifc, mapped_ifc)]
{<mapped_ip>|interface}
{<real_ip> [netmask <mask>]} | {access-list <acl_name>}
[dns] [norandomseq] [<max_conns> [<emb_lim>]]
[no] static [(real_ifc, mapped_ifc)] {tcp|udp}
{<mapped_ip>|interface} <mapped_port>
{<real_ip> <real_port> [netmask <mask>]} |
{access-list <acl_name>}
[dns] [norandomseq] [<max_conns> [<emb_lim>]]

For example:


static (inside,outside) tcp ....

static:

a:) ( Open parenthesis for (<internal_if_name>,<external_if_name>) pair
where <internal_if_name> is the Internal or prenat interface and
<external_if_name> is the External or postnat interface

b:) Hostname or A.B.C.D Global or mapped address
interface Global address overload from interface
tcp TCP to be used as transport protocol
udp UDP to be used as transport protocol

Hostname or A.B.C.D Real IP address of the host or hosts
access-list Configure access-list name after this keyword


c:) configure mode commands/options:
<0-65535> The maximum number of simultaneous tcp connections the local IP
hosts are to allow, default is 0 which means unlimited
connections. Idle connections are closed after the time specified
by the timeout conn command
dns Use the created xlate to rewrite DNS address record
netmask Configure Netmask to apply to IP addresses
norandomseq Disable TCP sequence number randomization
tcp Configure TCP specific parameters
udp Configure UDP specific parameters
<cr>





--
<------------------
Regards:
Krzysztof Sobieraj
KS2804-RIPE


Kazimierz Wielki University

ul. Chodkiewicza 30
85-064 Bydgoszcz, Poland.

ukw.edu.pl

On Fri, 25 May 2007, Brian wrote:

"Krzysztof Sobieraj" <soba@xxxxxxxxxx> wrote in message
news:f35vqn$kbm$2@xxxxxxxxxxxxxxxxxxxxxxxx
User Brian wrote:
Hi,
we have 2 Cisco PIX one on each of our 2 sites. IPSEC VPN tunnel between
the 2 working perfectly. I want to forward port 25 and port 443 from the
WAN IP of the PIX in site-A to a LAN IP of a server in site-B.

Have tried all the normal static mappings that work fine where it's all on
the same site but cannot get this setup to work. I'm not even sure if it's
possible. Any help or pointers very much appreciated.

thanks,
Brian.
If you have 6.3 or later, use static command and ACL permit functions,
but this forward probably is not possible...(AS Algorithm) (LANsideA to
-> WAN sideB). You must forward wanIP side A to wan IP side B, it will
work correctly.

Hi,
how can I forward a WAN side port to another WAN side port though (using
just PIX)? Surely this involves sending back out on same interface it
arrived on?

thanks.




OK, I have already tried using static, but from what you say this should work
on the site-A PIX:

static (inside,outside) tcp interface smtp mailserver-on-site-B smtp netmask
255.255.255.255 0 0

where the site-A PIX internal LAN IP is 192.168.1.1
and site-B PIX is 192.168.2.1
and mailserver-on-site-B is for example 192.168.2.10

My concern is that this cannot work as the traffic did not originate on the
LAN side of the site-A PIX, so it's having to come in and go back out on the
site-A PIX external interface.
To be clear, what I want to achieve with the above is that SMTP traffic
arriving on outside of site-A PIX ends up at mailserver-on-site-B.

thanks for your assistance.
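For reference, the configuration below is an added example and is not from the thread or from any poster. It assumes the site-A PIX runs 7.x-family software (which added the `same-security-traffic permit intra-interface` command; 6.3 has no way to send a packet back out the interface it arrived on), that the IPsec tunnel to site-B is already configured, and it reuses the thread's address for mailserver-on-site-B (192.168.2.10). The access-list name `outside_in` is a placeholder.

```cisco
! Site-A PIX, 7.x-family software assumed. The IPsec tunnel to site-B is
! assumed to exist already and is not shown.

! A packet that enters "outside" must be allowed to leave on "outside"
! again (hairpinning); without this line the PIX drops it.
same-security-traffic permit intra-interface

! Map TCP/25 and TCP/443 on the outside interface address to the site-B
! server. Real and mapped interface are both "outside" because the real
! host is reached through the tunnel on that interface, not via "inside".
static (outside,outside) tcp interface 25 192.168.2.10 25 netmask 255.255.255.255
static (outside,outside) tcp interface 443 192.168.2.10 443 netmask 255.255.255.255

! Admit only the two forwarded services from the Internet; everything
! else stays blocked by the implicit deny at the end of the list.
access-list outside_in extended permit tcp any interface outside eq 25
access-list outside_in extended permit tcp any interface outside eq 443
access-group outside_in in interface outside
```

The hairpinned packets keep their Internet source address, so the crypto (interesting-traffic) ACLs on both PIXes must cover traffic between those sources and 192.168.2.10, and site-B must route the replies back into the tunnel; that depends on the existing VPN configuration and is not shown above. Restricting `outside_in` to exactly the forwarded ports keeps the exposure limited to the two services the thread asks about.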



