Firewall/NAT

Hi guys, I'm building a monowall box to replace our somewhat flaky pix 506e (manufacturing defect ), I've got it mostly working, from the inside you can use the net with no issues however we have several servers in the office and I need them to be accessible from outside so I've setup 1:1 nat rules for each server and this seems to work perfectly *but* when I try and set a rule to allow traffic on the relevant ports in it will *only* work if i allow traffic on all ports!

1:1 nat mapping's look something like this

Interface     External IP        Internal IP       Description
 WAN          <public IP>/32    10.0.0.10/32        TPDP3

And the logs show any traffic coming into the public IP gets routed to the internal address

However when i add a rule to allow ssh access to the box in question it blocks access
(TPDP3Int is an alias for 10.0.0.10)

Proto     Source     Port     Destination        Port      Description
 TCP      *            22 (SSH)   TPDP3Int          22 (SSH)      SSH on TPDP3

But it works if i set both source and dest port to any

Proto     Source    Port     Destination     Port     Description
 TCP      *            *        TPDP3Int      *        SSH on TPDP3

What am I missing ?

What you are missing is that you can not specify a source port in this situation. They are chosen at random from within some range and not predictable. The only workable value is 'any'. Do not specify 'any' for the destination port. 22 is the correct value there.

Here's your correct rule:


Proto     Source    Port     Destination     Port     Description
 TCP         *          *         TPDP3Int        22        SSH on TPDP3

That got it!

Thinking a little too cisco-centricly there i think

Ta muchly!