On 1/3/06, Chuck Mariotti <cmariotti at xunity dot com> wrote:
> I would like to only open ports that are needed (of course).
> I have two network cards, one public (eg. 220.127.116.11 -> 162) , one
> private (eg. 10.10.10.1 -> 254)... (not my real IP addresses, just
> Firewall has two IP addresses 18.104.22.168 and 10.10.10.1...
> I have setup Server NAT... have all the public IP addresses listed
Server NAT is just overcomplicating things. Use 1:1, you seem to
have sufficient public IPs for all the servers involved. That's more
than likely how you had the PIX set up ('static (inside,outside)
...'), otherwise you would have ended up with an even more complex
> I have one Proxy ARP entry which specifies the whole Public IP Address
> Range (not sure I need this, or if this is right, see below).
> 1. Email / SMTP
> I am running Exchange 2003... The SMTP server should be publicly
> known as 22.214.171.124 and internally has 10.10.10.140 ... I have an
> Inbound Firewall rule setup for Port 25... All inbound email seems to be
> getting in (limited testing seems to work). However, this is where
> things get odd and I need a solution. Outbound messages are sent, but
> are using the public IP 126.96.36.199 (the firewall address) instead
> of .140 (the mailserver address). I
> basically need a 1:1 mapping, but I only want SMTP traffic...
Enter the 1:1 rules, then enter the appropriate firewall rules.
> 2. FTP
This might be of some help. http://wiki.m0n0.ch/wikka.php?wakka=PasvFTP
> I did a 1:1 but that opened everything up for that
> external IP.
Not unless your firewall rules say so. Anything that isn't explicitly
permitted, under any circumstance, is denied. Just permit what you
One thing to keep in mind, the destination IP, unlike the PIX and many
other firewalls, will be the private IP of the server, not the public
IP. NAT applies first, then firewall rules. Also pay attention to
the source port, which isn't apparent (or available at all) for many
firewalls. Set this to any (or 1024-65535 if you're a stickler, the
ephemeral port range), not the same as the destination port.
In summary: Delete all the server NAT stuff you have in there now, add
1:1 NAT rules, and add firewall rules.
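The ordering the reply describes (1:1 NAT first, then firewall rules matched against the server's private address, with a default deny and the source port left as any or the ephemeral range) is modelled below as an added example. This is not code from the thread or from m0n0wall itself; it is a small simulation using the addresses quoted in the thread (treated here as constructed, not real hosts) to show why a PIX-style rule written against the public IP never matches, why a rule with source port 25 blocks real clients, and why a 1:1 entry makes the mail server's outbound traffic leave with its own public address instead of the firewall's.

```python
"""Model of NAT-before-filter packet handling, as described in the reply.
Added example, not code from the thread or from m0n0wall; addresses are
the ones quoted in the thread, used here as constructed sample values."""
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


# 1:1 NAT table (constructed): public address of the mail server -> its
# private address. The firewall's own WAN address is what non-mapped
# hosts are masqueraded behind.
ONE_TO_ONE = {"22.214.171.124": "10.10.10.140"}
FIREWALL_WAN_IP = "126.96.36.199"


def nat_inbound(pkt: Packet) -> Packet:
    """Inbound: rewrite a public destination to its 1:1 private address."""
    priv = ONE_TO_ONE.get(pkt.dst_ip)
    return replace(pkt, dst_ip=priv) if priv else pkt


def nat_outbound(pkt: Packet) -> Packet:
    """Outbound: a host with a 1:1 entry keeps its mapped public address;
    any other host is rewritten to the firewall's WAN address (the
    behaviour the original poster saw for .140 before adding 1:1)."""
    for pub, priv in ONE_TO_ONE.items():
        if pkt.src_ip == priv:
            return replace(pkt, src_ip=pub)
    return replace(pkt, src_ip=FIREWALL_WAN_IP)


@dataclass(frozen=True)
class Rule:
    """A WAN-side pass rule. src_port None means 'any'; otherwise an
    inclusive (low, high) range such as (1024, 65535)."""
    dst_ip: str
    dst_port: int
    proto: str = "tcp"
    src_port: Optional[Tuple[int, int]] = None


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if (rule.proto, rule.dst_ip, rule.dst_port) != (pkt.proto, pkt.dst_ip, pkt.dst_port):
        return False
    if rule.src_port is not None:
        lo, hi = rule.src_port
        if not lo <= pkt.src_port <= hi:
            return False
    return True


def inbound_allowed(rules: List[Rule], pkt: Packet) -> bool:
    """NAT is applied first, then the pass rules are consulted; anything
    not explicitly permitted is denied."""
    translated = nat_inbound(pkt)
    return any(rule_matches(r, translated) for r in rules)


# Constructed inbound SMTP connection from a remote mail relay.
SMTP_IN = Packet("198.51.100.7", 51000, "22.214.171.124", 25)

PIX_STYLE_RULE = Rule("22.214.171.124", 25)            # matches public IP: wrong here
CORRECT_RULE = Rule("10.10.10.140", 25)                # matches private IP, src port any
SRC_PORT_25_RULE = Rule("10.10.10.140", 25, src_port=(25, 25))
EPHEMERAL_RULE = Rule("10.10.10.140", 25, src_port=(1024, 65535))

if __name__ == "__main__":
    print("PIX-style rule:", inbound_allowed([PIX_STYLE_RULE], SMTP_IN))
    print("private-IP rule:", inbound_allowed([CORRECT_RULE], SMTP_IN))
    print("source port 25 rule:", inbound_allowed([SRC_PORT_25_RULE], SMTP_IN))
    print("web to mail host:", inbound_allowed([CORRECT_RULE], replace(SMTP_IN, dst_port=80)))
    print("outbound from .140:", nat_outbound(Packet("10.10.10.140", 40000, "203.0.113.9", 25)).src_ip)
```

Running the block shows the two traps the reply calls out: only the rule keyed on 10.10.10.140 with source port any (or the ephemeral range) passes the connection, and the 1:1 entry alone opens nothing else, since port 80 to the same host is still denied until a rule permits it.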