Map SMTP port on multiple Public IPs to single private IP.

Hello,
we have a need to map smtp on multiple external public IPs to a single Internal IP. We need https,www, and pop3 for the external IP to go to one internal, and smtp to go to a different internal.
What we'd like to do:
static (inside,outside) tcp <ip1>.39 80 10.1.1.63 http
static (inside,outside) tcp <ip1>.39 pop3 10.1.1.63 pop3
static (inside,outside) tcp <ip1>.39 https 10.1.1.63 https
static (inside,outside) tcp <ip1>.39 smtp 10.1.1.41 smtp
static (inside,outside) tcp <ip2>.40 80 10.1.1.64 http
static (inside,outside) tcp <ip2>.40 pop3 10.1.1.64 pop3
static (inside,outside) tcp <ip2>.40 https 10.1.1.64 https
static (inside,outside) tcp <ip2>.40 smtp 10.1.1.41 smtp
But the PIX cries about overlapping NAT statements.
We need this because we're an IT outsourcing company and we typically manage our customers' DNS zones. Of course, in every bunch there's an exception and one customer has their DNS hosted elsewhere. We changed the necessary DNS on our side for our customers when we made a mail change (which is close to 100 customers), but when we did this it broke this one-off customer. The DNS hoster for the customer is a little one-man shop and the guy is out of the office for two weeks. What a mess. For some reason their DNS is not using our MX record, so it broke when we made our upgrade.
Is there any way we can accomplish anything similar to what we're trying to do? This is a PIX 515E with 7.0(6). Thanks.

Ok, we found a work-around that will be fine for now. We added a 2nd IP to the 10.1.1.41 server and just the .39 server to that. So we're only using 1 server for the time being, but that's ok.
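Added example, not from the original post and not Cisco's code: a small Python model of why the static PAT set above overlaps and why the work-around clears it. It assumes the masked <ip1>.39 / <ip2>.40 globals are 192.0.2.39 / 192.0.2.40 and that the mail server's second inside address is 10.1.1.42; the overlap rule it applies (one real ip:port may be bound to only one mapped ip:port per interface pair) is a simplification of what the PIX enforces, not its actual NAT code.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: the eight static PAT lines from the post, with the masked
# "<ip1>.39" / "<ip2>.40" globals written out as documentation addresses.
ORIGINAL_CONFIG = """
static (inside,outside) tcp 192.0.2.39 80 10.1.1.63 http
static (inside,outside) tcp 192.0.2.39 pop3 10.1.1.63 pop3
static (inside,outside) tcp 192.0.2.39 https 10.1.1.63 https
static (inside,outside) tcp 192.0.2.39 smtp 10.1.1.41 smtp
static (inside,outside) tcp 192.0.2.40 80 10.1.1.64 http
static (inside,outside) tcp 192.0.2.40 pop3 10.1.1.64 pop3
static (inside,outside) tcp 192.0.2.40 https 10.1.1.64 https
static (inside,outside) tcp 192.0.2.40 smtp 10.1.1.41 smtp
"""

# Constructed version of the work-around: the mail server gets a second inside
# address (10.1.1.42 is assumed here) and the second public IP's smtp maps to it.
WORKAROUND_CONFIG = ORIGINAL_CONFIG.replace(
    "tcp 192.0.2.40 smtp 10.1.1.41 smtp", "tcp 192.0.2.40 smtp 10.1.1.42 smtp")

# Service names the post uses; the PIX accepts them in place of port numbers.
PORT_NAMES = {"http": 80, "www": 80, "https": 443, "pop3": 110, "smtp": 25}

# static (real_ifc,mapped_ifc) {tcp|udp} mapped_ip mapped_port real_ip real_port
STATIC_RE = re.compile(
    r"^static \((?P<real_ifc>\w+),(?P<mapped_ifc>\w+)\)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<mapped_ip>\S+)\s+(?P<mapped_port>\S+)\s+(?P<real_ip>\S+)\s+(?P<real_port>\S+)$"
)


@dataclass(frozen=True)
class StaticPat:
    real_ifc: str
    mapped_ifc: str
    proto: str
    mapped_ip: str
    mapped_port: int
    real_ip: str
    real_port: int


def port_number(token: str) -> int:
    """Accept a numeric port or one of the service names above."""
    if token.isdigit():
        return int(token)
    return PORT_NAMES[token.lower()]


def parse_statics(config: str) -> list:
    """Pull every static PAT line out of a config fragment; other lines are ignored."""
    rules = []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if not m:
            continue
        g = m.groupdict()
        rules.append(StaticPat(g["real_ifc"], g["mapped_ifc"], g["proto"],
                               g["mapped_ip"], port_number(g["mapped_port"]),
                               g["real_ip"], port_number(g["real_port"])))
    return rules


def find_overlaps(rules):
    """Return real (inside) sockets bound to more than one mapped (outside) socket.

    A static PAT is bidirectional: it also rewrites traffic the real host sends
    out, so one real ip:port may have only one mapped ip:port per interface
    pair and protocol. Binding it twice is the overlap the PIX refuses.
    """
    bindings = defaultdict(set)
    for r in rules:
        key = (r.real_ifc, r.mapped_ifc, r.proto, r.real_ip, r.real_port)
        bindings[key].add((r.mapped_ip, r.mapped_port))
    return {key: sorted(v) for key, v in bindings.items() if len(v) > 1}


def report(config: str) -> dict:
    """Parse a fragment and return its overlaps; an empty dict means the set is consistent."""
    return find_overlaps(parse_statics(config))


if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_CONFIG), ("workaround", WORKAROUND_CONFIG)):
        overlaps = report(cfg)
        print(f"{label}: {len(overlaps)} overlapping real socket(s)")
        for (_, _, proto, ip, port), targets in overlaps.items():
            print(f"  {proto} {ip}:{port} is mapped to {targets}")
```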

Similar Messages

  • Use multiple public IP addresses

    Hello there!
    In my environment, I have four public IPs, and I have a TMG Firewall working.
    When I publish servers by TMG using one of my IP addresses, it works.
    But when I use any of the others, it doesn't work.
    I'm new to TMG Server, so I want to know if there is some setting I need to change to use the other public IP addresses to publish servers by TMG.
    Thanks in advance.
    Lucas Gustavo

    Hi,
    You don't need any additional configuration apart from creating a Server Publishing Rule or (Secure) Web Publishing Rule. Can you be a bit more specific? Some questions:
    - Does your TMG have one or two network interfaces?
    - Have you configured all four IP Addresses manually on the interface with the same subnet mask?
    - What are you trying to publish?
    - When you create a Server-/Web Publishing Rule, do you select a specific IP Address or All IP Addresses?
    Boudewijn
    Boudewijn Plomp, BPMi Infrastructure & Security | Please remember, if you see a post that helped you please click "Vote as Helpful" and if it answered your question, please click "Mark as Answer".

  • How can I use Apple Caching Service on a Network with Multiple Public IPs?

    Hello!
    I help manage a network of ~4000 clients for a small liberal arts college in Michigan. I'm looking into the possibility of implementing Apple Caching Server for our network.
    We have one 400mbit pipe out to the internet, and all of our clients are given public-facing IPs to the internet. A caching server would be great, especially on update days. All wireless clients are on the same subnet, which is where I'd like the server to be serving the cached copies.
    I have installed Mavericks on a fresh machine, downloaded OS X Server 3.0.3, and attempted to start the caching service. This is what I get.
    Unable to start service.
    Caching cannot be run on a public network. Consult documentation.
    How can I get this up and running?

    The way the Caching server works is that the server will be accessing the Internet and when doing so traffic will be coming from it via a particular public IP address. Usually this will not be the address of the server itself but your router, as for most networks NAT is used. In this by far more common scenario the client Macs (and likely iOS devices) will be going through the same router and hence show up via the same public IP address.
    If the client request is the same as the address registered via the Caching server then Apple redirect the request via the Caching server.
    The setup would look something like this -
               Internet
                    |
                Router (with NAT)
                    |
      (LAN)     +------Caching Server-----Client devices
    With this setup because everything is using the same public IP address Apple can reasonably assume everything is on the same network and trigger a redirection to your Caching server.
    If you try a setup like the following with the Caching server having its own public IP it will not work because the Caching server and client devices will have different public IP addresses
               Internet
                   |
               Router (no NAT)-------------------+
                   |                                      |
                Firewall (with NAT)       Caching Server
                   |                                      |
                   |                                      |
    (LAN)     +-----Client devices-----------+-----------
    Your configuration as described is more like the following
               Internet
                   |
               Router (no NAT)
                   |
    (LAN)     +------Caching Server-----Client devices
    With yours not having NAT each device has its own public IP address including the Caching server and Apple cannot redirect traffic as it thinks they are on different networks.

  • Proxy Multiple Public IPs

    Here is a little project I have been asked to investigate...
    We currently have a BMGR server running proxy services that connects to our ISP that has a Be6 filtering appliance. Currently all computers in the district using proxy are filtered by one library/rule (one external IP). We do have a couple of other computers that have NAT (other than the Proxy external IP) without proxy configured so they can get different filtering rules.
    We would like to give individual filters to each of our schools, and let them manage what sites are available. Is it possible to have a single proxy server/address route an entire subnet (each school has its own) to a specific public address? Or is it time to say adios to BMGR?
    Thanks for your help
    Clark

    In article <[email protected]>, Cfountain wrote:
    > We would like to give individual filters to each of our schools, and
    > let them manage what sites are available. Is it possible to have a
    > single proxy server/address route an entire subnet (each school has it's
    > own) to a specific public address? Or is it time to say adios to BMGR?
    >
    No, this is a routing issue. When BM needs to send packets out, it sends
    them to the default route. What you could do though is put in other
    proxies for the other schools.
    Craig Johnson
    Novell Support Connection SysOp
    *** For a current patch list, tips, handy files and books on
    BorderManager, go to http://www.craigjconsulting.com ***

  • Passing Public IPs through multiple ASA's (Part 2) - Continued

    This is the continuation of an issue posted on : https://supportforums.cisco.com/discussion/12463791/passing-public-ips-through-multiple-asas-part-1

    Here is a Show Run from the 5510 (heavily filtered)
    names
    name 10.40.0.0 MCST-FW-Net
    name 70.x.x.179 Masked_FW_Outside
    name 70.x.x.185 Dummy description Placeholder for 182
    name 10.40.128.25 EMAIL
    name 10.40.0.4 OpenVPN
    name 68.x.x.176 NEW_WAN
    name 10.39.0.2 CORE-ASA 
    name 70.x.x.224 PublicIPs
    dns-guard
    interface Ethernet0/0
     nameif outside
     security-level 0
     ip address 68.x.x.178 255.255.255.240
    interface Ethernet0/1
     nameif inside
     security-level 100
     ip address 10.40.0.1 255.255.255.0
    interface Ethernet0/2
     shutdown
     no nameif
     no security-level
     no ip address
    interface Ethernet0/3
     shutdown
     no nameif
     no security-level
     no ip address
    interface Management0/0
     shutdown
     no nameif
     no security-level
     no ip address
     management-only
    boot system disk0:/asa825-13-k8.bin
    ftp mode passive
    dns domain-lookup outside
    dns server-group DefaultDNS
     domain-name MASKED
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object-group service TCP-Services tcp
     port-object eq 10101
     port-object eq 123
     port-object range 15000 19999
     port-object eq 2000
     port-object eq 2195
     port-object eq 2196
     port-object eq 5038
     port-object eq 5061
     port-object eq 5228
     port-object eq 5229
     port-object eq 5230
     port-object eq 5432
     port-object eq h323
     port-object eq www
     port-object eq https
     port-object eq kerberos
     port-object eq ldap
     port-object eq ldaps
     port-object eq sip
     port-object eq smtp
     port-object eq ssh
     port-object eq citrix-ica
     port-object eq 943
     port-object eq pptp
     port-object eq imap4
    object-group service UDP-Services udp
     port-object eq 1718
     port-object eq 1719
     port-object eq 2727
     port-object eq 3478
     port-object eq 4500
     port-object eq 4520
     port-object eq 4569
     port-object eq 5000
     port-object range 50000 54999
     port-object range 60000 61799
     port-object eq 88
     port-object eq domain
     port-object eq sip
     port-object eq syslog
     port-object eq ntp
     port-object eq 1194
     port-object eq 8888
    object-group protocol VPN-Traffic
     protocol-object esp
     protocol-object ah
    object-group service TCP-Services-Inbound
     service-object esp
     service-object tcp eq 5228
     service-object tcp eq 5229
     service-object tcp eq 5230
     service-object tcp eq 5432
     service-object tcp eq ssh
    object-group service UDP-Services-Inbound udp
     port-object eq 4500
     port-object eq domain
     port-object eq isakmp
    object-group network test
     network-object 10.40.0.2 255.255.255.255
    object-group service DM_INLINE_UDP_2 udp
     port-object eq 4500
     port-object eq isakmp
    object-group icmp-type DM_INLINE_ICMP_1
     icmp-object echo
     icmp-object echo-reply
    object-group icmp-type DM_INLINE_ICMP_2
     icmp-object echo
     icmp-object echo-reply
    object-group service DM_INLINE_TCP_2 tcp
     group-object Samsung_TCP_Ports
     port-object eq www
     port-object eq https
    object-group network DM_INLINE_NETWORK_1
     network-object MCST-FW-Net 255.255.0.0
     network-object 70.x.x.160 255.255.255.224
    object-group service DM_INLINE_SERVICE_1
     service-object tcp eq 1701
     service-object udp eq 4500
     service-object udp eq isakmp
     service-object udp eq ntp
     service-object tcp eq www
    object-group service DM_INLINE_SERVICE_2
     service-object tcp eq https
     service-object udp eq 1194
     service-object udp eq 8080
    object-group service DM_INLINE_SERVICE_3
     service-object icmp
     service-object tcp eq https
    object-group protocol DM_INLINE_PROTOCOL_1
     protocol-object udp
     protocol-object tcp
    object-group protocol TCPUDP
     protocol-object udp
     protocol-object tcp
    object-group protocol DM_INLINE_PROTOCOL_2
     protocol-object udp
     protocol-object tcp
    object-group network publicips
    access-list inside_access_in extended permit ip PublicIPs 255.255.255.240 any
    access-list inside_access_in extended permit ip host 70.x.x.225 any
    access-list inside_access_in extended permit ip host 70.x.x.236 any
    access-list inside_access_in extended permit udp MCST-FW-Net 255.255.0.0 any object-group UDP-Services log
    access-list inside_access_in extended permit tcp MCST-FW-Net 255.255.0.0 any object-group TCP-Services log
    access-list inside_access_in extended permit esp MCST-FW-Net 255.255.0.0 any log
    access-list inside_access_in extended permit udp MCST-FW-Net 255.255.0.0 any object-group DM_INLINE_UDP_2 log
    access-list inside_access_in extended permit tcp MCST-FW-Net 255.255.0.0 any object-group DM_INLINE_TCP_2 log
    access-list inside_access_in extended permit icmp MCST-FW-Net 255.255.0.0 any log
    access-list inside_access_in extended permit tcp 10.10.10.0 255.255.255.0 any eq 873 inactive
    access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_2 host OpenVPN any
    access-list inside_access_in extended permit udp host 70.x.x.182 any eq 1194
    access-list inside_access_in extended permit tcp host 70.x.x.182 any eq ssh
    access-list inside_access_in extended permit ip host 70.x.x.231 any log
    access-list inside_access_in extended permit ip host 70.x.x.232 any
    access-list inside_access_in extended permit ip host 70.x.x.233 any log
    access-list inside_access_in extended permit ip NEW_WAN 255.255.255.248 interface inside inactive
    access-list inside_access_in extended deny ip any any log
    access-list inside extended permit tcp 70.x.x.240 255.255.255.240 72.x.x.64 255.255.255.224 object-group TCP-Services
    access-list inside extended permit udp 70.x.x.240 255.255.255.240 72.x.x.64 255.255.255.224 object-group UDP-Services
    access-list outside extended permit udp 72.x.x.64 255.255.255.224 70.x.x.240 255.255.255.240 object-group UDP-Services
    access-list outside extended permit tcp 72.x.x.64 255.255.255.224 70.x.x.240 255.255.255.240 object-group TCP-Services
    access-list outside_access_in remark STEALTH RULE
    access-list outside_access_in extended deny ip any host Masked_FW_Outside log
    access-list outside_access_in extended permit ip any PublicIPs 255.255.255.240
    access-list outside_access_in extended permit ip any host 70.x.x.225
    access-list outside_access_in extended permit ip any host 70.x.x.231 log
    access-list outside_access_in extended permit ip any host 70.x.x.232
    access-list outside_access_in extended permit ip any host 70.x.x.233 log
    access-list outside_access_in extended permit ip any host 70.x.x.236 log
    access-list outside_access_in extended permit esp any 70.x.x.160 255.255.255.224 log
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any 70.x.x.160 255.255.255.224 log
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_3 any 70.x.x.160 255.255.255.224
    access-list outside_access_in extended permit udp any host 70.x.x.182 eq 1194
    access-list outside_access_in extended permit tcp any host 70.x.x.182 eq ssh
    access-list outside_access_in remark Ping
    access-list outside_access_in extended permit icmp any host 10.40.0.33 inactive
    access-list outside_access_in extended permit tcp any 70.x.x.160 255.255.255.224 object-group TCP-Services inactive
    access-list outside_access_in extended permit udp any 70.x.x.160 255.255.255.224 object-group UDP-Services inactive
    access-list outside_access_in extended permit ip PublicIPs 255.255.255.240 NEW_WAN 255.255.255.248 inactive
    access-list outside_access_in extended deny ip any any log
    access-list Mobility_Infrastructure_access_in remark Ping Test
    access-list inside_access_out extended permit ip any any log
    access-list inside_access_out extended permit esp any object-group DM_INLINE_NETWORK_1 log
    access-list inside_access_out extended permit icmp any any
    access-list Inside2_access_in extended permit ip 10.39.0.0 255.255.255.0 any
    access-list Inside2_access_in extended permit ip any 10.39.0.0 255.255.255.0
    pager lines 24
    logging enable
    logging timestamp
    logging console debugging
    logging monitor informational
    logging buffered debugging
    logging trap informational
    logging history critical
    logging asdm warnings
    logging device-id hostname
    mtu outside 1500
    mtu inside 1500
    ip verify reverse-path interface outside
    ip verify reverse-path interface inside
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-647.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0
    static (inside,outside) 70.x.x.182 10.40.0.7 netmask 255.255.255.255
    static (inside,outside) 70.x.x.180 10.40.0.2 netmask 255.255.255.255
    static (inside,outside) 70.x.x.181 10.40.0.17 netmask 255.255.255.255
    static (outside,inside) 10.40.0.7 70.x.x.182 netmask 255.255.255.255
    static (outside,inside) 10.40.0.2 70.x.x.180 netmask 255.255.255.255
    static (outside,inside) 10.40.0.17 70.x.x.181 netmask 255.255.255.255
    static (inside,outside) PublicIPs PublicIPs netmask 255.255.255.240
    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside
    access-group inside_access_out out interface inside
    route outside 0.0.0.0 0.0.0.0 68.101.41.177 1
    route inside 10.40.64.0 255.255.192.0 10.40.0.17 1
    route inside 10.40.128.0 255.255.192.0 10.40.0.17 1
    route inside 10.50.0.0 255.255.255.0 10.40.0.21 1
    route inside 10.50.0.11 255.255.255.255 10.40.0.21 1
    route inside 10.50.112.0 255.255.255.0 10.40.0.21 1
    route inside 10.60.0.233 255.255.255.255 10.40.0.21 1
    route inside PublicIPs 255.255.255.224 10.40.0.21 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication enable console LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http server session-timeout 10
    http 0.0.0.0 0.0.0.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    no sysopt connection permit-vpn
    sysopt noproxyarp inside
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 inside
    ssh timeout 5
    console timeout 30
    threat-detection basic-threat
    threat-detection statistics
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    webvpn
     service-type nas-prompt
    class-map inspection_default
     match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect icmp
    service-policy global_policy global
    privilege cmd level 3 mode exec command perfmon
    privilege cmd level 3 mode exec command ping
    privilege cmd level 3 mode exec command who
    privilege cmd level 3 mode exec command logging
    privilege cmd level 3 mode exec command failover
    privilege cmd level 3 mode exec command vpn-sessiondb
    privilege cmd level 3 mode exec command packet-tracer
    privilege show level 5 mode exec command import
    privilege show level 5 mode exec command running-config
    privilege show level 3 mode exec command reload
    privilege show level 3 mode exec command mode
    privilege show level 3 mode exec command firewall
    privilege show level 3 mode exec command asp
    privilege show level 3 mode exec command cpu
    privilege show level 3 mode exec command interface
    privilege show level 3 mode exec command clock
    privilege show level 3 mode exec command dns-hosts
    privilege show level 3 mode exec command access-list
    privilege show level 3 mode exec command logging
    privilege show level 3 mode exec command vlan
    privilege show level 3 mode exec command ip
    privilege show level 3 mode exec command ipv6
    privilege show level 3 mode exec command failover
    privilege show level 3 mode exec command asdm
    privilege show level 3 mode exec command arp
    privilege show level 3 mode exec command route
    privilege show level 3 mode exec command ospf
    privilege show level 3 mode exec command aaa-server
    privilege show level 3 mode exec command aaa
    privilege show level 3 mode exec command eigrp
    privilege show level 3 mode exec command crypto
    privilege show level 3 mode exec command vpn-sessiondb
    privilege show level 3 mode exec command ssh
    privilege show level 3 mode exec command dhcpd
    privilege show level 3 mode exec command vpn
    privilege show level 3 mode exec command blocks
    privilege show level 3 mode exec command wccp
    privilege show level 3 mode exec command dynamic-filter
    privilege show level 3 mode exec command webvpn
    privilege show level 3 mode exec command module
    privilege show level 3 mode exec command uauth
    privilege show level 3 mode exec command compression
    privilege show level 3 mode configure command interface
    privilege show level 3 mode configure command clock
    privilege show level 3 mode configure command access-list
    privilege show level 3 mode configure command logging
    privilege show level 3 mode configure command ip
    privilege show level 3 mode configure command failover
    privilege show level 5 mode configure command asdm
    privilege show level 3 mode configure command arp
    privilege show level 3 mode configure command route
    privilege show level 3 mode configure command aaa-server
    privilege show level 3 mode configure command aaa
    privilege show level 3 mode configure command crypto
    privilege show level 3 mode configure command ssh
    privilege show level 3 mode configure command dhcpd
    privilege show level 5 mode configure command privilege
    privilege clear level 3 mode exec command dns-hosts
    privilege clear level 3 mode exec command logging
    privilege clear level 3 mode exec command arp
    privilege clear level 3 mode exec command aaa-server
    privilege clear level 3 mode exec command crypto
    privilege clear level 3 mode exec command dynamic-filter
    privilege cmd level 3 mode configure command failover
    privilege clear level 3 mode configure command logging
    privilege clear level 3 mode configure command arp
    privilege clear level 3 mode configure command crypto
    privilege clear level 3 mode configure command aaa-server
    prompt hostname context
    no call-home reporting anonymous
    call-home
     profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:bd962a8c0dd6b27b5b024778602f8b60
    : end

  • SRP547W, How to use multiple WAN IPs for port forwarding?

    Hi folks,
    We've run into some difficulty trying to take advantage of multiple WAN IPs in conjunction with the SRP547, and I'm hoping someone here can help out or at least tell us that we're going to need to buy a different router...
    What we're trying to achieve is the ability to port forward from our distinct public IPs to different internal servers. Looking at the options under Port Forwarding it looks like we can only configure forwards at the "WAN interface" level, but our problem is that we can't work out how to set up separate interfaces for each of our Public IPs...
    Our ISP provides us with a fully managed NTU/router with a single "Internet" ethernet port, which we can use by statically configuring IPs on our end. For this configuration this port has been directly patched to the WAN ethernet port on the SRP547W.
    We have been allocated a 255.255.255.248 (/29) subnet, giving us 5 usable IPs after the ISP's gateway address is taken into account, like so:
    a.b.c.208     Network Address (/29 subnet)
    a.b.c.209     ISP Gateway
    a.b.c.210     IP1
    a.b.c.211     IP2
    a.b.c.212     IP3
    a.b.c.213     IP4
    a.b.c.214     IP5
    a.b.c.215     Broadcast Address
    On the SRP we've set up the default "Ethernet WAN2" sub-interface with the following details for IP1
    VLAN ID:               4088 (Uneditable)
    Connection Type:       Static IP
    Internet IP Address:   a.b.c.210
    Subnet Mask:           255.255.255.248
    Default Gateway:       a.b.c.209
    The next step (I would have thought) would be to add a second sub-interface, using similar info for IP2
    VLAN ID:               4000 (Chosen arbitrarily)
    Connection Type:       Static IP
    Internet IP Address:   a.b.c.211
    Subnet Mask:           255.255.255.248
    Default Gateway:       a.b.c.209
    When we try to do so however we get:
    Fail!
    Conflict with Ether_WAN2 interface address type
    I should mention at this point that we're running on firmware version 1.02.01 (023).
    Any suggestions on how we can proceed?
    Is there a CLI or other method of configuration that might work if the web interface won't?
    Thanks,
    Tim.

    OK, I've seen reference to this solution before but not much in the way of details. Perhaps you can spell out how this ought to work, as the Software DMZ doesn't behave as I'd expected it to.
    As before, on the SRP we've set up the default "Ethernet WAN2" sub-interface with the details for IP1 with a /29 subnet.
    VLAN ID:               4088 (Uneditable)
    Connection Type:       Static IP
    Internet IP Address:   a.b.c.210
    Subnet Mask:           255.255.255.248
    Default Gateway:       a.b.c.209
    We'd now like to expose a server function on IP2, let's say LAN details for this server are:
    VLAN:                  3000
    VLAN IP Range:         192.168.1.1/24
    Server IP:             192.168.1.10
    Server Port:           80
    So first we turn on Software DMZ:
    Status:                Enabled
    Public IP:             a.b.c.211
    Private IP:            192.168.1.10
    WAN Interface:         Ether_WAN2
    My understanding, based on what you've said, is that this should expose the whole server to external access via IP2. Unfortunately, it doesn't seem to work this way - we don't seem to have any access at all. Perhaps there's a default deny rule on the firewall?
    Just to be sure, I tried creating a rule to allow HTTP traffic to the server in the Advanced Firewall page.
    In Interface (WAN):    All
    Out Interface (LAN):   VLAN.3000
    Source IP:             0.0.0.0
    Source Subnet:         0.0.0.0
    Destination IP:        192.168.1.10
    Destination Subnet:    255.255.255.255
    Protocol:              TCP
    Source Port:           Any
    Destination Port:      Single:80
    Action:                Permit
    Schedule:              Everyday
    Times:                 24 Hours
    Still no dice. What am I missing?
    Cheers,
    Tim.

  • Windows 2008 Server contacting multiple public IP on port 80 and 443

    Source : Microsoft Lync 2010
    Port : 80
    Destination : unknown.prolexic.com
    Source : Internet Explorer
    Port : 80
    Destination :a-0001.a-msedge.net
    Source : Internet Explorer
    Port : 443
    Destination :204.79.197.200
    Is this a virus? How do I stop the same?

    The org name of the IP shows Microsoft Corporation.
    Since it hits on the firewall, I will have to stop the same,
    but I'm not sure why these IPs are being contacted.
    OrgName:        Microsoft Corporation

  • IP Mapping? [Public IPs inside LAN?] - E4200

    Hi All,
    I'm just wondering if anyone knows anything about IP Mapping - i.e. enabling machines inside the LAN to use public IP addresses?
    I'm wondering if it might be possible to do this with an E4200? [example case: ISP allocates a pool of statics, E4200 WAN interface takes the first; could it be configured for some of the machines on its LAN interface(s) to use other public IPs from the allocated pool (and be fully contactable)?]
    Many thanks for any advice you can offer,
    Rob.

    Hello Rob! I totally agree with FurryNutz. Check the E4200's user manual first for the IP address mapping feature. You can also use an IP mapping tool that's available online but can't guarantee if it will work. Searching for answers may take a long time but once you have it, it's worth it.  
    Help, learn and share

  • RV220W - port redirection/access rules with multiple WAN IPs

    I've just installed a Cisco RV220W - which works fine for outbound traffic, however for inbound it seems unable to work with multiple WAN IPs.
    We have a block of 6 WAN IPs assigned to us by our ISP, and I want to make use of all of them to expose certain ports on our servers to the outside world.
    I've tried to do this with Access Rules (using HTTP as an example) with the following settings:
    Connection Type: Inbound (WAN (Internet) > LAN (Local Network))
    Action: Always Allow
    Service: HTTP
    Source IP: Single Address
    Start: <one of the WAN IPs>
    Send to Local Server (DNAT IP): <IP of the internal server>
    Use Other WAN (Internet) IP Address: disabled
    Rule Status: Enabled
    Yet the server/port remains inaccessible.
    I've tried:
    rebooting the server with a power off/on again
    implementing the same settings in port forwarding
    triple-checking all IP addresses being used
    The only way I've got it working is by changing the access rule so that it applies to any source address rather than one specific one...  however that's not a solution for us as we need to use specific IP addresses for specific internal servers/ports.
    The router's admin interface certainly suggests this should be possible, however making use of it seems to break all incoming access!
    Any suggestions welcome.

    You should be using "ANY" as the source IP, as you are publishing your internal server to the internet, and internet means the request comes from any source IP (you don't know what it is, so it will be any).
    Basically, you want any source IP to hit one of your WAN IPs on port 80, and then your firewall will redirect that request to the internal server's private IP address on the same port 80. And when the response comes back from the internal server, the firewall will already have this translate entry in it, so the reverse NAT will happen (you don't need to configure this, it is a default firewall feature).
    I hope I have answered your question well.
    Please mark as correct if you like the response.
    Thanks

  • Multiple SMTP ports on one GWIA??

    We currently are running SMTP on port 25 in GWIA and I have no intention of changing that, for obvious reasons. However, one of the big residential network providers in the area (AT&T/Bellsouth) has a policy of blocking traffic to port 25 on their network to anything but their own server, at least for residential accounts. Due to some of what I'll call legacy issues, we have a good number of users who are just using POP3/IMAP and want to be able to check their mail from home.
    What I'd really like to do is to make another SMTP port available, say 26, which would get around Bellsouth's block. (I know that should work; I also have Bellsouth at home and use port 26 with another domain provider that I use personally.) In the GWIA properties on GroupWise > Network Address, however, it looks like I can only set one SMTP port. In this case, it would even work if the second port required SSL, but while separate ports seem to be available for POP, IMAP and LDAP they aren't available for SMTP. I've been telling users to just use the GWWA we have set up, but some of the big shots in the company want to use browsers on tablets that don't like the GWWA, so it'd be really nice if I could just get them to work with SMTP even when they're at home and on Bellsouth.
    Any suggestions for how I can get GWIA to listen for SMTP on two ports, 25 and some other port, whether or not that other port requires SSL? Is there some manual config file I can override the default ConsoleOne settings with? If there are any recommended tricks I'd love to hear 'em... thanks in advance!
    topher

    In short, you can't - it is an enhancement request that I and others
    have had for some time...
    On the other hand if you create a second GWIA, change that so that it
    listens on 587 (SMTP Submission Port) with SSL Required and then have
    it relay out via your other GWIA you will achieve what you want.
    However, please PLEASE ensure that the POP, IMAP and SMTP all have the
    SSL set to required so that your users do not send user names and
    passwords in the clear.
    Thanks
    On Wed, 30 Nov 2011 18:06:01 GMT, toforama
    <[email protected]> wrote:
    >
    >We currently are running SMTP on port 25 in GWIA and I have no intention
    >of changing that, for obvious reasons. However, one of the big
    >residential network providers in the area (AT&T/Bellsouth) has a policy
    >of blocking traffic to port 25 on their network to anything but their
    >own server, at least for residential accounts. Due to some of what I'll
    >call legacy issues, we have a good number of users who are just using
    >POP3/IMAP and want to be able to check their mail from home.
    >
    >What I'd really like to do is to make another SMTP port available, say
    >26, which would get around Bellsouth's block. (I know that should work;
    >I also have Bellsouth at home and use port 26 with another domain
    >provider that I use personally.) In the GWIA properties on GroupWise >
    >Network Address, however, it looks like I can only set one SMTP port.
    >In this case, it would even work if the second port required SSL, but
    >while separate ports seem to be available for POP, IMAP and LDAP they
    >aren't available for SMTP. I've been telling users to just use the GWWA
    >we have set up, but some of the big shots in the company want to use
    >browsers on tablets that don't like the GWWA, so it'd be really nice if
    >I could just get them to work with SMTP even when they're at home and on
    >Bellsouth.
    >
    >Any suggestions for how I can get GWIA to listen for SMTP on two ports,
    >25 and some other port, whether or not that other port requires SSL or
    >not? Is there some manual config file I can override the default
    >ConsoleOne settings with? If there are any recommended tricks I'd love
    >to hear 'em... thanks in advance!
    >
    >topher

  • How to Configure Cisco ASA 5512 for multiple public IP interfaces

    Hi
    I have a new ASA 5512 that I would like to configure for multiple public IP support.  My problem may be basic but I am an occasional router admin and don't touch this stuff enough to retain everything I have learned.
    Here is my concept.    We have a very basic network setup using three different ISPs that are currently running with cheap routers for internet access.  We use these networks to open up access for Sales to demo different products that use a lot of bandwidth (why we have three)
    I wanted to use the 5512 to consolidate the ISPs so we are using one router to manage the connections.  I have installed an add on license that allows multiple outside interfaces along with a number of other features.
    Outside Networks (I've changed the IPs for security purposes)
    Outside1 E 0/0 : 74.55.55.210  255.255.255.240 gateway 74.55.55.222
    Outside2 E 0/2: 50.241.134.220 255.255.248 gateway 50.241.134.222
    Inside1 : E 0/1 192.168.255.1 255.255.248.0
    Inside2 : E 0/3 172.16.255.1 255.255.248.0
    My goal is to have Inside 1 route all internet traffic using Outside1 and Inside 2 to use Outside2.    The problem is I can't seem to do this. I can get inside 1 to use outside 1 but Inside2 uses Outside 1 as well.
    I tried adding static routes on Outside2 to have all 172.16.248.0/21 traffic use gateway 50.241.134.222 but that doesn't seem to work.   
    I can post my config up as needed.  I am not well versed in Cisco CLI, I've been using the ASDM 7.1 app.  My ASA 5512 is at 9.1.   
    Thanks in advance for the suggestions/help

    I have been away for a while and am just getting caught up on some posts. so my apology for a delayed response.
    I find the response very puzzling. It begins by proclaiming that to achieve the objective we must use Policy Based Routing. But then in the suggested configuration there is no PBR. What it gives us is two OSPF processes, using one process for each of the public address ranges, and with some strange distribute list which uses a route map. I am not clear what exactly it is that this should accomplish and do not see how it contributes to having one group of users use one specific ISP and the other group of users use the other ISP.
    To the original poster
    It seems to me that you have chosen the wrong device to implement the edge function of your network. The ASA is a good firewall and it does some routing things. But fundamentally it is not a router. And to achieve what you want, where a group of users will use a specified ISP and the other group of users will use the other ISP, you really need a router. You want to control outbound traffic based on the source of the traffic, and that is a classic situation where PBR is the ideal solution. But the ASA does not do PBR.
    HTH
    Rick

  • Trouble opening single port for two local IPs

    Hey,
    I have multiple computers on my Airport network and want to open Port 6112 on a couple of them. I have been able to in previous versions of Airport Utility, but seem to be unable in this one (I haven't attempted to do this for about a year, so the current layout of port mapping could be a few versions old).
    Basically I want to open port 6112 on the local IP addresses 10.0.1.2 and 10.0.1.7.
    I have been unable, as Airport Utility claims that the port mapping entry already exists. But really it exists only on one of the IP addresses (10.0.1.7) and the other remains closed (10.0.1.2).
    Anyone able to help me out?

    You can only map any port to a single IP address.
    To get to the 2nd IP address you will need to use a different public port. For example map public port 8112 (instead of 6112) to private port 6112 to your 2nd IP address.

  • Multiple Public IP's on ASA 5520

    Hi,
    I have ASA 5520 with Ver 8.2.
    Outside interface is directly connected to the ISP's router (TelePacific) and is assigned one of the public IPs: 198.24.210.226.
    There are two servers inside the network with the private IP's:192.168.1.20 for DB Server, and 192.168.1.91 for Web Server.
    I did Static NAT 198.24.210.226 to 192.168.1.20  and 198.24.210.227 to 192.168.1.91.
    When I access DB Server(198.24.210.226) it's working OK but when I access Web Server(198.24.210.227) there is no response at all.
    I checked the inside traffic; it did not even get into the firewall.
    Is this the problem with ISP's router?  How can we route all of our public IP's to the outside interface(198.24.210.226)?
    interface GigabitEthernet0/1
    nameif inside
    ip address 192.168.1.1 255.255.255.0
    security-level 100
    no shutdown
    interface GigabitEthernet0/0
    nameif outside
    ip address 198.24.210.226 255.255.255.248
    security-level 0
    no shutdown
    route outside 0.0.0.0 0.0.0.0  198.24.210.225
    nat (inside) 1 192.168.1.0 255.255.255.0
    global (outside) 1 198.24.210.226 255.255.255.255
    static (inside,outside) tcp 198.24.210.226 3389 192.168.1.10 3389 netmask 255.255.255.255 dns
    static (inside,outside) tcp 198.24.210.226 9070 192.168.1.10 9070 netmask 255.255.255.255 dns
    static (inside,outside) tcp 198.24.210.227 3389 192.168.1.20 3389 netmask 255.255.255.255 dns
    static (inside,outside) tcp 198.24.210.227 80   192.168.1.20 80   netmask 255.255.255.255 dns
    access-list OUTSIDE-IN extended permit tcp any  host 198.24.210.226 eq 3389
    access-list OUTSIDE-IN extended permit tcp any  host 198.24.210.226 eq 9070
    access-list OUTSIDE-IN extended permit tcp any  host 198.24.210.227 eq 3389
    access-list OUTSIDE-IN extended permit tcp any  host 198.24.210.227 eq 80
    access-group OUTSIDE-IN in interface outside

    Also,
    You seem to have a /29 public subnet. You should be able to use IP addresses from this subnet to configure NAT on your firewall. I don't think you need any specific configuration to allow the usage of the whole subnet as NAT IP addresses.
    You can naturally check the following
    show run sysopt
    Check that you DON'T have the following
    sysopt noproxyarp outside
    At the moment you are not actually configuring Static NAT but rather Static PAT.
    You are only forwarding some ports from certain public IP addresses to the local IP address. If you were doing Static NAT, then you would actually be statically binding the public IP addresses to the local IP address. So it would apply to any TCP/UDP port and you would only need to use the ACL to allow traffic.
    Though in that case you would have to replace the .226 IP address with something else, as it is the firewall interface IP address and it should not usually be assigned to be used by a single host on the LAN.
    If you wanted to statically assign public IPs to both of these servers you could do
    static (inside,outside) 198.24.210.227 192.168.1.91 netmask 255.255.255.255
    static (inside,outside) 198.24.210.228 192.168.1.10 netmask 255.255.255.255
    access-list OUTSIDE-IN extended permit tcp any  host 198.24.210.228 eq 3389
    access-list OUTSIDE-IN extended permit tcp any  host 198.24.210.228 eq 9070
    access-list OUTSIDE-IN extended permit tcp any  host 198.24.210.227 eq 3389
    access-list OUTSIDE-IN extended permit tcp any  host 198.24.210.227 eq 80
    - Jouni
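    The distinction Jouni draws (static PAT forwards one port; a 1:1 static NAT exposes every port of the inside host and leaves the ACL as the only gate) is easy to lose track of once a config has a few dozen lines. The script below is an added example, not code from the thread or from Cisco: it parses the pre-8.3 "static" and "access-list ... extended" syntax posted above and reports, for each 1:1 static, exactly which ports the outside-in ACL lets through, flags a 1:1 static that reuses the outside interface address, and flags forwarded ports with no matching permit. The two sample configs are built from the lines in this thread, plus one constructed over-broad "permit ip" entry (marked in the code) to show what the audit catches. The ACL name OUTSIDE-IN is the one in the post; the service-name table covers only common names.

```python
"""Audit ASA/PIX static NAT/PAT (pre-8.3 'static' syntax) against the outside-in ACL.
Added example, not from the thread or from Cisco.  Sample configs are built from
the thread's posted lines plus one constructed over-broad ACL entry (see PROPOSED)."""

# ASA accepts service names in place of numbers; only the common ones are mapped here.
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "smtp": 25, "pop3": 110,
              "imap4": 143, "ssh": 22, "telnet": 23, "ftp": 21, "domain": 53}


def port_num(tok):
    if tok.isdigit():
        return int(tok)
    if tok in PORT_NAMES:
        return PORT_NAMES[tok]
    raise ValueError(f"unknown service name {tok!r}")


def parse_statics(lines):
    """'static (in,out) [tcp|udp] GLOBAL [GPORT] LOCAL [LPORT] ...' -> list of dicts.
    proto/gport/lport are None for a 1:1 static NAT."""
    out = []
    for t in (ln.split() for ln in lines):
        if len(t) < 4 or t[0] != "static":
            continue
        if t[2] in ("tcp", "udp"):            # static PAT: one port forwarded
            out.append(dict(proto=t[2], global_ip=t[3], gport=port_num(t[4]),
                            local_ip=t[5], lport=port_num(t[6])))
        else:                                  # static NAT: whole host bound to GLOBAL
            out.append(dict(proto=None, global_ip=t[2], gport=None,
                            local_ip=t[3], lport=None))
    return out


def parse_acl(lines, name):
    """Permit entries of extended ACL `name` as (proto, dst, dport).
    dst is a host IP, 'any' or 'net/mask'; dport is None when there is no 'eq'."""
    out = []
    for t in (ln.split() for ln in lines):
        if t[:4] != ["access-list", name, "extended", "permit"]:
            continue
        proto, rest = t[4], t[5:]
        rest = rest[1:] if rest[0] == "any" else rest[2:]   # skip the source spec
        if rest[0] == "host":
            dst, rest = rest[1], rest[2:]
        elif rest[0] == "any":
            dst, rest = "any", rest[1:]
        else:
            dst, rest = rest[0] + "/" + rest[1], rest[2:]
        dport = port_num(rest[1]) if rest[:1] == ["eq"] else None
        out.append((proto, dst, dport))
    return out


def interface_ips(lines):
    """nameif -> interface address, read from the 'interface' blocks."""
    ips, cur = {}, None
    for t in (ln.split() for ln in lines):
        if t[:1] == ["interface"]:
            cur = None
        elif t[:1] == ["nameif"]:
            cur = t[1]
        elif t[:2] == ["ip", "address"] and cur:
            ips[cur] = t[2]
    return ips


def audit(config, acl_name="OUTSIDE-IN"):
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    statics, acl = parse_statics(lines), parse_acl(lines, acl_name)
    outside_ip = interface_ips(lines).get("outside")
    rep = {"one_to_one": {}, "pat": [], "warnings": []}
    for s in statics:
        g = s["global_ip"]
        if s["proto"] is None:
            # Every port of the inside host is reachable through g; the ACL is the
            # only thing limiting exposure, so record exactly what it lets in.
            allowed = [(p, d) for p, dst, d in acl if dst in ("any", g)]
            rep["one_to_one"][g] = {"local": s["local_ip"], "allowed": allowed}
            if any(d is None for _, d in allowed):
                rep["warnings"].append(f"{g}: ACL permits all ports to 1:1 host {s['local_ip']}")
            if g == outside_ip:
                rep["warnings"].append(f"{g}: 1:1 static uses the outside interface address")
        else:
            hit = any(p in (s["proto"], "ip") and dst in ("any", g) and d in (None, s["gport"])
                      for p, dst, d in acl)
            rep["pat"].append((g, s["gport"], s["local_ip"], s["lport"], hit))
            if not hit:
                rep["warnings"].append(f"{g}:{s['gport']} forwarded but no ACL entry permits it")
    mapped = {s["global_ip"] for s in statics}
    for p, dst, d in acl:
        if dst != "any" and "/" not in dst and dst not in mapped:
            rep["warnings"].append(f"ACL permits {p}/{d or 'any'} to {dst} but nothing is mapped there")
    return rep


OUTSIDE_IF = "interface GigabitEthernet0/0\n nameif outside\n ip address 198.24.210.226 255.255.255.248\n"
POSTED = OUTSIDE_IF + """
static (inside,outside) tcp 198.24.210.226 3389 192.168.1.10 3389 netmask 255.255.255.255 dns
static (inside,outside) tcp 198.24.210.226 9070 192.168.1.10 9070 netmask 255.255.255.255 dns
static (inside,outside) tcp 198.24.210.227 3389 192.168.1.20 3389 netmask 255.255.255.255 dns
static (inside,outside) tcp 198.24.210.227 80 192.168.1.20 80 netmask 255.255.255.255 dns
access-list OUTSIDE-IN extended permit tcp any host 198.24.210.226 eq 3389
access-list OUTSIDE-IN extended permit tcp any host 198.24.210.226 eq 9070
access-list OUTSIDE-IN extended permit tcp any host 198.24.210.227 eq 3389
access-list OUTSIDE-IN extended permit tcp any host 198.24.210.227 eq 80
"""
PROPOSED = OUTSIDE_IF + """
static (inside,outside) 198.24.210.227 192.168.1.91 netmask 255.255.255.255
static (inside,outside) 198.24.210.228 192.168.1.10 netmask 255.255.255.255
access-list OUTSIDE-IN extended permit tcp any host 198.24.210.228 eq 3389
access-list OUTSIDE-IN extended permit tcp any host 198.24.210.228 eq 9070
access-list OUTSIDE-IN extended permit tcp any host 198.24.210.227 eq 3389
access-list OUTSIDE-IN extended permit tcp any host 198.24.210.227 eq 80
access-list OUTSIDE-IN extended permit ip any host 198.24.210.228
"""  # the last line is constructed, not from the thread: the mistake the audit should catch

if __name__ == "__main__":
    for name, cfg in ("posted", POSTED), ("proposed", PROPOSED):
        print(name, audit(cfg))
```

    Run it against a saved "show run" and read the warnings first: "permits all ports to 1:1 host" means the static has turned the host into an internet-facing machine with the ACL doing nothing, which is the trap when moving from static PAT to static NAT as suggested above.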

  • SMTP Port # for use in hotels etc

    I've tried various methods and have webmail enabled but am wondering if there is a recommended alternate port users can input into Entourage/Mail when in a hotel or somewhere else where 25 is blocked. What's a recommended way to change it or add it on the Xserve? (10.4.x)
    Currently I used a relay on another port but want to get rid of that.
    Thanks

    Your client can use ANY port the server is configured to use.
    By default, OS X Server mail only accepts smtp on port 25.
    If you are using OS X Server as your SMTP, you can enable other ports (any unused port like 2525, 5000, 587, 5555 etc etc etc) by modifying master.cf
    If you want to enable another port with the same options as port 25, find this line:
    smtp inet n - n - - smtpd
    Add another below it
    587 inet n - n - - smtpd
    Above will enable port 587.
    Be sure to map the port in your router.
    Then issue:
    sudo postfix reload
    You can test a connection by issuing:
    telnet mail.domain.com 587
    If you receive a postfix greeting, it worked.
    You can use master.cf to control what is allowed on each port.
    On my server, I have port 587 set to ONLY accept mail with SMTP Authentication, not even for local delivery.
    Port 25 is configured to ONLY accept mail for local delivery, and never allows relay, not even with SMTP Authentication.
    Jeff
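    Both the GWIA reply above (a second GWIA on 587 with SSL required) and Jeff's master.cf split (587 accepts only authenticated mail, 25 never relays) come down to one property that is worth verifying from the outside once the change is made: no listener should advertise AUTH before the session is encrypted, and the submission port must still offer AUTH after STARTTLS. The script below is an added example, not code from the thread, GroupWise or Postfix. It parses EHLO replies, classifies a listener, and includes a live probe built on Python's smtplib for checking a real server; the EHLO replies embedded in it are constructed to mirror the policy Jeff describes, not captured from any real host.

```python
"""Check an SMTP listener for plaintext-AUTH exposure.  Added example, not code from
the thread, GroupWise or Postfix.  The EHLO replies below are constructed samples."""
import smtplib
import ssl
from typing import Optional


def parse_ehlo(reply: bytes) -> dict:
    """Raw multi-line 250 reply -> {KEYWORD: params}.  The first line is the hostname."""
    feats = {}
    for line in reply.decode("ascii", "replace").splitlines()[1:]:
        kw, _, params = line[4:].partition(" ")      # drop the "250-" / "250 " prefix
        feats[kw.upper()] = params
    return feats


def assess(pre_tls: dict, post_tls: Optional[dict], submission: bool = True) -> dict:
    """pre_tls: capabilities seen on the cleartext connection ({} for implicit TLS, e.g. 465).
    post_tls: capabilities after STARTTLS, or None when STARTTLS was not available.
    submission=False for an MX port (25), where AUTH is not expected at all."""
    findings = []
    if "AUTH" in pre_tls:
        findings.append(f"AUTH ({pre_tls['AUTH']}) advertised before TLS: "
                        "a client may send the password in the clear")
    if submission:
        if "STARTTLS" not in pre_tls and post_tls is None:
            findings.append("no TLS at all on a submission port")
        if post_tls is None or "AUTH" not in post_tls:
            findings.append("no AUTH after TLS: unusable for authenticated submission")
    return {"ok": not findings, "findings": findings}


def _upper(feats: dict) -> dict:
    return {k.upper(): v for k, v in feats.items()}   # smtplib stores keywords lowercase


def probe(host: str, port: int, implicit_tls: bool = False, timeout: float = 10) -> dict:
    """Live check against a real server (needs network; not used by the samples below)."""
    ctx = ssl.create_default_context()
    if implicit_tls:                                      # SMTPS, typically port 465
        with smtplib.SMTP_SSL(host, port, context=ctx, timeout=timeout) as s:
            s.ehlo()
            return assess({}, _upper(s.esmtp_features))
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo()
        pre, post = _upper(s.esmtp_features), None
        if s.has_extn("starttls"):
            s.starttls(context=ctx)                       # smtplib clears the features here
            s.ehlo()                                      # ...so EHLO again inside TLS
            post = _upper(s.esmtp_features)
    return assess(pre, post, submission=(port != 25))


# Constructed EHLO replies (not captured from any real server).
SUBMISSION_PRE = b"250-mail.example.net\r\n250-SIZE 20480000\r\n250-STARTTLS\r\n250 8BITMIME\r\n"
SUBMISSION_POST = b"250-mail.example.net\r\n250-AUTH PLAIN LOGIN\r\n250 8BITMIME\r\n"
LEAKY_PRE = b"250-mail.example.net\r\n250-STARTTLS\r\n250-AUTH PLAIN LOGIN\r\n250 8BITMIME\r\n"
MX_PRE = b"250-mail.example.net\r\n250-SIZE 20480000\r\n250 8BITMIME\r\n"


def demo() -> dict:
    """Verdicts for the three sample listeners."""
    return {
        "587 hardened": assess(parse_ehlo(SUBMISSION_PRE), parse_ehlo(SUBMISSION_POST)),
        "587 leaky": assess(parse_ehlo(LEAKY_PRE), parse_ehlo(SUBMISSION_POST)),
        "25 mx": assess(parse_ehlo(MX_PRE), None, submission=False),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, "OK" if verdict["ok"] else verdict["findings"])
```

    The "leaky" case is the one the GWIA reply warns about: the server does support STARTTLS, but because it also offers AUTH on the cleartext connection, a client configured with "no encryption" will happily log in with the password exposed. A submission port that only advertises AUTH inside TLS removes that option from the client entirely.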

  • Mailserver using non-standard smtp port

    how do i set SMTP to accept connections on a non-standard port (i.e. 2525 or something)?
    i'm running a mail server and my residential isp (comcast) after ten years of peaceful coexistence decided that they need to block port 25. so i am setting up a commercial store/forward mail relay service. all i need to do is set up my snow leopard server to accept incoming connections on a port other than 25. sounds easy. it is mentioned in the docs thusly:
    "By default SMTP is enabled on port 25. If port 25 is blocked in your environment,
    you need to change the port SMTP uses."
    ... but that's all i can find. specifically, it doesn't say exactly how to change the port.
    any help appreciated.

    following up to my own post. hoping this info may be useful for others who face the same issue who are running a server and then having email ports blocked by their ISP's.
    i worked around this by signing up for a mail relay service (i use the one provided by dnydns.com). they forward incoming mail for my domain over a nonstandard port.
    since i never received an answer to my question about how to make SnowLeopardServer email server accept SMTP connections on other ports, i simply used port mapping in my router (Airport Extreme) to redirect this port (i used 2525) on my WAN address to port 25 on my server - an acceptable workaround.
    i also did the same port redirection for the other "standard alternative" smtp ports, 465 and 587.
    since my ISP blocks port 25 in both directions, i also needed to find a work-around for outgoing mail as well. previously, my mail server simply forwarded to my ISP's smtp server (using the default port 25). here the Server Admin interface worked but with one "trick": under Mail>Settings>General, i left the box for "Relay outgoing mail through host:" checked, and in the field there i put "[smtp.myispdomain.net]:587" (that is with square brackets, and a colon, but no double-quotes - and of course, use your own smtp server's domain name). afaik this is not documented anywhere in the apple-provided docs, but i found the corresponding docs for postfix, and reverse-engineered it.
    so now i can read (via IMAP) and send (via SMTP) mail from my home server, both when i am on my LAN and when i am accessing remotely, and effectively work around the bi-directional block of port 25 imposed by my ISP.
    i'd still like to know if there is a method of configuring smtp to accept connections on ports other than 25. i can see how to do it by editing /etc/postfix/master.cf, but afaik that file gets overwritten by Server Admin...
