yeanlings

PIX Firewall Redirection to another Public IP

Hi All!

I have a PIX 501. I have a question about redirection:

Say my PIX has a public IP address of 111.111.111.111. I want to forward everything received on port 1111 to another public IP, 222.222.222.222, on the same port.

I know this must be possible, but I just don't know how. I have two ideas:
1 - Can I do port forwarding in the PIX like below:
static (inside,outside) tcp 111.111.111.111 1111 222.222.222.222 1111 netmask 255.255.255.255 0 0
But I think that on a PIX, data that enters on one interface has to exit from another interface, so I have doubts about this solution.
2 - I'll perform port forwarding on the PIX to forward everything to an internal private host (say 10.10.10.10). From that host, bridge the two NICs already installed in it to forward the desired data to 222.222.222.222. This seems more feasible, but might involve too many resources unless there are options 3 and 4.....

So please help me.

Thank you very much!
Les Moore

You absolutely, positively cannot do it on a PIX.
The "222.x.x.x" IP address absolutely must be on a different interface of the PIX.
Since you only have two interfaces on the 501, then that host would have to reside on your inside network.
Since your inside network is 10.10.10.x, then your only hope would be to map the outside interface public IP, port 1111 to an inside host, port 1111.
I have no idea how you could then, in turn, re-translate that back to another public IP/port and send it out another interface... perhaps with linux ipchains/masquerade or something..
But then, how will the end-host at 222.222.222.222 ever respond to the original sending host? Not back through the linux box, but back through the PIX. The port mapping will die.

If you could be more upfront about what exactly you are trying to do, we might be able to guide you to a solution.
ASKER CERTIFIED SOLUTION
billwharton

This solution is only available to members.
yeanlings (ASKER)

I have many remote client programs that need to send me data over IP (all the same program, so they send to the same port). We are planning to outsource this job (the data processing) to another company. Instead of going to each client program and changing the destination IP address, we would like to do it from our end, which is to redirect all the data to an IP address we want, so we can even change the destination address in the future without too much work.

So basically, what I need is: while my clients send me data, I will be able to forward it to another IP.

Thanks a million!
yeanlings

I understand your dilemma. I've come across situations like this and always advise clients to use a dynamic DNS solution to deploy a client-server solution. You could even get one for free at sites such as www.no-ip.com

Just something to consider.

Good luck and I hope we've answered your questions
OK, thanks for all your help.

I have figured out the solution. I used a program called "NetworkActiv AUTAPF". This program monitors the specified ports and forwards whatever is received to another IP address. This solved my problem.
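The port-redirector approach yeanlings settled on, shown as an added example (Python written for this page, not AUTAPF's code and not from the thread): a user-space TCP relay listens on the local port and opens its own connection to the remote address, so the return path Les Moore flagged is simply the relay itself. demo_roundtrip() stands in a constructed local echo server for the remote processing host; the 0.0.0.0:1111 and 222.222.222.222:1111 values in the comments are the thread's own illustration addresses.

```python
import socket
import threading
from contextlib import suppress

def _pipe(src, dst):
    # Copy src -> dst until src closes, then signal end-of-stream to dst.
    with suppress(OSError):
        for data in iter(lambda: src.recv(4096), b""):
            dst.sendall(data)
    with suppress(OSError):
        dst.shutdown(socket.SHUT_WR)

def _handle_client(client, target):
    # One upstream connection per client, relayed both ways: replies come back via the relay.
    try:
        upstream = socket.create_connection(target, timeout=5)
    except OSError:
        client.close()
        return
    for src, dst in ((client, upstream), (upstream, client)):
        threading.Thread(target=_pipe, args=(src, dst), daemon=True).start()

def start_redirector(listen_addr, target):
    # Listen on listen_addr (e.g. ("0.0.0.0", 1111)); relay each client to target (e.g. ("222.222.222.222", 1111)).
    srv = socket.create_server(listen_addr, backlog=16)
    def accept_loop():
        with suppress(OSError):  # ends when the listening socket is closed
            while True:
                client, _ = srv.accept()
                threading.Thread(target=_handle_client, args=(client, target), daemon=True).start()
    threading.Thread(target=accept_loop, daemon=True).start()
    return srv

def demo_roundtrip(payload=b"constructed sample record\n"):
    # Constructed local stand-in for the remote processing host: an echo server.
    echo = socket.create_server(("127.0.0.1", 0))
    def echo_once():
        conn, _ = echo.accept()
        with conn:
            conn.sendall(conn.recv(4096))
    threading.Thread(target=echo_once, daemon=True).start()
    redirector = start_redirector(("127.0.0.1", 0), echo.getsockname())
    with socket.create_connection(redirector.getsockname(), timeout=5) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        reply = b"".join(iter(lambda: s.recv(4096), b""))
    redirector.close()
    echo.close()
    return reply
```

Because the remote host sees the relay's address rather than each client's, the relay is the only place that can record which client sent what, so keep its connection logs if you need that trail.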
A port redirector - good solution

If your question has been answered, I request that you close the question and award points

Thank you