PIX Firewall Redirection to another Public IP

Hi All!

I have a PIX 501. I have a question of redirection:

Say my PIX has public IP address of 111.111.111.111. I want to forward everything received on port 1111 to another public IP 222.222.222.222 to the same port.

I know this must be possible, but just don't know how. I have two purposes:
1 - Can I do port forwarding in PIX like below:
static (inside,outside) tcp 111.111.111.111 1111 222.222.222.222 1111 netmask 255.255.255.255 0 0
But I think for PIX, data that enters from one interface has to exit from another interface, so I doubt this solution.
2 - I'll perform port forwarding on the PIX to forward everything to its internal private host (say 10.10.10.10). From that host, bridge the two NICs already installed in it to forward the desired data to 222.222.222.222. This seems to be more feasible, but might involve too many resources unless there are options 3 and 4.....

So please help me.

Thank you very much!
yeanlings Asked:

lrmoore Commented:
You absolutely, positively cannot do it on a PIX.
The "222.x.x.x" IP address absolutely must be on a different interface of the PIX.
Since you only have two interfaces on the 501, then that host would have to reside on your inside network.
Since your inside network is 10.10.10.x, then your only hope would be to map the outside interface public IP, port 1111 to an inside host, port 1111.
I have no idea how you could then, in turn, re-translate that back to another public IP/port and send out another interface... perhaps with Linux ipchains/masquerade or something..
But then, how will the end-host of 222.222.222.222 ever respond to the original sending host? Not back through the linux box, back through the PIX. The port mapping will die.

If you could be more upfront about what exactly you are trying to do, we might be able to guide you to a solution.
billwharton Commented:
I think a port redirector application sitting in your internal network should be able to do the job
something like this:
http://www.secureroot.com/security/tools/9671291952.html

yeanlings (Author) Commented:
I have many remote client programs that need to send me data over IP (all the same program, so they send to the same port). We are planning to outsource this job (the data processing) to another company. Instead of going to each client program and changing the destination IP address, we would like to do it from our end, which is to redirect all the data to an IP address we want so we can even change the destination address in the future without too much work.

So basically, what I need is while my client sends me data, I will be able to forward it to another IP.

Thanks a million!

billwharton Commented:
yeanlings

I understand your dilemma. I've come across situations like this and always advise clients to use a dynamic DNS solution to deploy any client-server solution. You could even get one for free at sites such as www.no-ip.com

Just something to consider.

Good luck and I hope we've answered your questions
yeanlings (Author) Commented:
OK, thanks for all your help.

I have figured out the solution. I used a program called "NetworkActiv AUTAPF". This program monitors the specified ports and forwards whatever is received to another IP address. This solved my problem.
billwharton Commented:
A port redirector - good solution

If your question has been answered, I request you to close the question and award points

Thank you
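
The port-redirector approach the thread settles on, as an added example that is not part of the original posts and is not the code of NetworkActiv AUTAPF: a minimal TCP relay that terminates the client connection and opens its own connection to the new destination, so replies return through the relay and the broken return path lrmoore describes for plain address translation does not arise. The loopback addresses and ephemeral ports in demo() are constructed stand-ins for port 1111 and 222.222.222.222.

```python
import asyncio

async def pipe(reader, writer):
    """Copy one direction until EOF, then pass the half-close along."""
    try:
        while data := await reader.read(65536):
            writer.write(data)
            await writer.drain()
        if writer.can_write_eof():
            writer.write_eof()
    except OSError:
        pass  # peer reset; the other direction will see EOF and stop

def relay_handler(upstream, seen_clients):
    async def handle(c_reader, c_writer):
        try:
            u_reader, u_writer = await asyncio.open_connection(*upstream)
        except OSError:
            c_writer.close()
            return
        # Upstream sees only the relay's address; record the real client here.
        seen_clients.append(c_writer.get_extra_info("peername"))
        await asyncio.gather(pipe(c_reader, u_writer), pipe(u_reader, c_writer))
        c_writer.close()
        u_writer.close()
    return handle

async def demo():
    """Loopback run: client -> relay -> echo server (all constructed)."""
    upstream_saw = []
    async def echo(r, w):
        upstream_saw.append(w.get_extra_info("peername"))
        await pipe(r, w)
        w.close()
    up = await asyncio.start_server(echo, "127.0.0.1", 0)
    relay_log = []
    relay = await asyncio.start_server(
        relay_handler(up.sockets[0].getsockname()[:2], relay_log), "127.0.0.1", 0)
    r, w = await asyncio.open_connection(*relay.sockets[0].getsockname()[:2])
    client_addr = w.get_extra_info("sockname")
    w.write(b"client data")
    w.write_eof()
    reply = await r.read()
    w.close()
    relay.close()
    up.close()
    return reply, client_addr, relay_log[0], upstream_saw[0]

if __name__ == "__main__":
    print(asyncio.run(demo()))
```

Because the destination sees every connection as coming from the relay, any source-address filtering or per-client logging the destination relied on has to be done at the relay instead.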