04-10-2010 06:15 AM
I have been trying to do port forwarding from untrust ip to trust ip on port 873. I have been doing alot of search and trying a couple of stuff.
I have added VIP from internet ip (firewall ip) as well in untrust interface to 192.168.3.200 (server which has the rsyncd).
Added service port src 0-65535 to dst port 873-873. Added policy from untrust any to trust vip.
where did i go wrong?
04-10-2010 06:59 AM
Have you tried to follow the below Resolution Guide.
04-10-2010 08:40 AM
tried to follow some KB steps. Still got no luck
04-10-2010 03:12 PM
I think this link might help you.
As you see the policy is a bit different as it stat that it is from Untrust to Untrust.
04-11-2010 07:02 AM
ok another unsuccessful attempt.
My 192.168.3.200 is a windows server with port 873 open. This falls under trust interface of 192.168.3.1 on ethernet3 trust
My firewall is on 22.214.171.124 address and its interface address is 126.96.36.199 on ethernet2 untrust
I am just intending to allow external user to access 188.8.131.52 port 873 which is a service hosted within my network 192.168.3.200
Anyone can advise please.
04-11-2010 11:28 AM
If you use the untrust interface IP tor access to an internal host you have to use VIP.
There is a guide in the NAT resolution Guide for this.
If you are still unsuccesfull the best way to troubleshoot the issue is doing debuging.
For debugging you have to go through the following steps.
First you setup a flowfilter to record only the traffic you need to debug.
set ff src-ip xx.xx.xx.xx dst-ip yy.yy.yy.yy
set ff src-ip yy.yy.yy.yy dst-ip xx.xx.xx.xx
debug flow basic - activates debugging
clear db - clears the debug memory in case it should contain information from a previous debug
Now the firewall records what traffic that matches the flowfilter.
get db stream - Gets the content from the debug buffer.
If you want to save the debug information it can be send to a tftp-server.
get db stream > tftp zz.zz.zz.zz debugfile.txt
The debug can be stopped with undebug all
The output will give you information as to what the firewall does with the traffic.
If you are having trouble interpreting the output you are welcome to post the output.
Alternatively you can post your firewall config for review
04-16-2010 06:33 AM
to make it simple....edit this
set interface ethernet0/4 vip interface-ip 80 "HTTP" 192.168.13.30
set policy id 5 from "Untrust" to "Trust" "Any" "VIP(ethernet0/4)" "HTTP" permit log