Solved

Is it possible to map one public IP to several internal IPs using a Netscreen-5GT Firewall

Posted on 2006-11-01
3
189 Views
Last Modified: 2013-11-16
Hello,

I am trying to setup a network that will have one external IP address that will serve several internal servers that need to be accessed from the internet.  

The theory is that the initial URL of www.mytestbed.com (public IP of 24.29.113.49) would point to one internal server - Auth01 (192.168.1.10), then all corresponding messages would go to www1.mytestbed.com - Prod01 (192.168.1.20), but using the same public IP address but different internal server.  Is this at all possible?  

Thanks in advance,
Marc
0
Comment
Question by:marcr69
  • 2
3 Comments
 
LVL 28

Accepted Solution

by:
batry_boy earned 400 total points
Comment Utility
It sounds like you want to implement an HTTP redirect from your initial server at 192.168.1.10 to then go to 192.168.1.20 for all subsequent HTTP traffic.  If this is correct, then I do not believe you can do this with port redirection statements in the PIX since you cannot redirect a single public IP address to point to two different internal servers using the same destination port, in this case TCP 80.

However, it may be possible to have your initial server (192.168.1.10) to perform a redirect to the same public IP address, but a DIFFERENT destination port.  For example,

24.29.113.49:80  ->  24.29.113.49:8080

So, when someone surfs to www.mytestbed.com and they get directed to 24.29.113.49:80, the initial server will respond with a redirect pointing the web browser to 24.29.113.49:8080 which would then point to the second server since it would have TCP 8080 as the destination of the redirect.  The traffic would still arrive on the normal TCP 80 at the second server because of the construction of the static port redirect statement shown below.  Here are the commands you could try to see if this will work (I'm not sure because I've never done this before):

static (inside,outside) tcp 24.29.113.49 80 192.168.1.10 80 netmask 255.255.255.255
static (inside,outside) tcp 24.29.113.49 8080 192.168.1.20 80 netmask 255.255.255.255

You will also need to modify your ACL applied to your outside interface to allow traffic to the above ports.  For example,

access-list acl_in permit tcp any host 24.29.113.49 eq 80
access-list acl_in permit tcp any host 24.29.113.49 eq 8080

Give it a shot and see if it works!
0
 
LVL 28

Expert Comment

by:batry_boy
Comment Utility
Never mind on the previous post...I just now read where you have a Netscreen firewall.  I wrote the previous answer for a Cisco PIX firewall.  So sorry!
0
 
LVL 32

Assisted Solution

by:rsivanandan
rsivanandan earned 100 total points
Comment Utility
Can't do what you're asking, for that you need to have some kind of redirection in your webserver itself. Can't do with both Cisco and Netscreen.

However if you want to access both the servers at the same time but just with one IP address, it is possible using VIP

Cheers,
Rajesh
0

Featured Post

Threat Intelligence Starter Resources

Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

Join & Write a Comment

Quality of Service (QoS) options are nearly endless when it comes to networks today. This article is merely one example of how it can be handled in a hub-n-spoke design using a 3-tier configuration.
Exchange server is not supported in any cloud-hosted platform (other than Azure with Azure Premium Storage).
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…
Polish reports in Access so they look terrific. Take yourself to another level. Equations, Back Color, Alternate Back Color. Write easy VBA Code. Tighten space to use less pages. Launch report from a menu, considering criteria only when it is filled…

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now