Setup port redirection in PIX 525

Hi all,
I have a PIX 525 and I want to use port redirection (I have one public IP address, 2 web servers, 1 FTP server, 1 telnet server and 1 DNS server).
outside IP address: X.X.34.3
inside address range: 10.1.1.254
web server IP address: 10.1.1.10
web server 2 IP address: 10.1.1.2
FTP server IP address: 10.1.1.3
telnet server IP address: 10.1.1.4
DNS server IP address: 10.1.1.5
I entered these commands:

pix(config)#interface outside X.X.34.3 255.255.255.192
pix(config)#interface inside 10.1.1.1 255.0.0.0
pix(config)#static (inside,outside) tcp interface 80 10.1.1.10 80
pix(config)#static (inside,outside) tcp interface 8080 10.1.1.2 80
pix(config)#static (inside,outside) tcp interface 21 10.1.1.1 21
pix(config)#static (inside,outside) tcp interface 23 10.1.1.1 23
pix(config)#static (inside,outside) tcp interface 53 10.1.1.1 53
pix(config)#static (inside,outside) udp interface 53 10.1.1.1 53

My questions are:
is that command right or not (do I need to use NAT or not)?
can I use 2 DNS servers, and how do I do the PIX configuration for this?
do I need an access-list command for this or not?
and when I want to open Remote Desktop to any server, what IP address do I write in the IP address box?

thanks
nasemabdullaa asked:
Alan Huseyin Kayahan commented:
"you cannot do port redirects for same port on diff servers"
         The above configuration already does not redirect the same port.

@nasem
     your statics point to 10.1.1.1, which is your inside interface; that is wrong. They should point to the servers inside, like:
pix(config)#static (inside,outside) tcp interface 80 10.1.1.10 80
pix(config)#static (inside,outside) tcp interface 8080 10.1.1.2 80
pix(config)#static (inside,outside) tcp interface 21 10.1.1.3 21
pix(config)#static (inside,outside) tcp interface 23 10.1.1.4 23
pix(config)#static (inside,outside) tcp interface 53 10.1.1.5 53
pix(config)#static (inside,outside) udp interface 53 10.1.1.5 53


     Yes, you need an access-list to allow the port traffic coming to the outside interface:

access-list outside_access_in permit tcp any interface outside eq 80
access-list outside_access_in permit tcp any interface outside eq 8080
access-list outside_access_in permit tcp any interface outside eq 21
access-list outside_access_in permit tcp any interface outside eq 23
access-list outside_access_in permit tcp any interface outside eq 53
access-list outside_access_in permit udp any interface outside eq 53
! the list only takes effect once it is applied to the outside interface
access-group outside_access_in in interface outside

"when I want to open Remote Desktop to any server, what IP address do I write in the IP address box"
In the above config no RDP static exists, but you can do the following:

pix(config)#static (inside,outside) tcp interface 3390 10.1.1.10 3389
pix(config)#static (inside,outside) tcp interface 3391 10.1.1.2 3389
pix(config)#static (inside,outside) tcp interface 3392 10.1.1.3 3389
pix(config)#static (inside,outside) tcp interface 3393 10.1.1.4 3389
pix(config)#static (inside,outside) tcp interface 3394 10.1.1.5 3389

object-group service RDP tcp
port-object range 3390 3394
access-list outside_access_in permit tcp any interface outside object-group RDP

So when you type x.x.34.3:3390 into Remote Desktop it will go to 10.1.1.10, x.x.34.3:3391 to 10.1.1.2, and so on.

Regards

 
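As an added example, not part of the original question or of either answer, here is a small Python check that catches the three mistakes this thread turns on: a static that forwards to the firewall's own inside address, two statics that claim the same protocol and outside port, and a static whose protocol/port has no access-list permit actually bound to the outside interface with access-group. It assumes the PIX 6.x-style `static ... interface`, `object-group service`, `access-list` and `access-group` syntax used in the answers, and that the inside address is written in `ip address inside ...` form; the two embedded configs are constructed from the thread, and the `access-group` line in the corrected one is an addition the answer does not spell out.

```python
"""Consistency check for PIX-style port redirection (added example, see the lead-in above)."""
import re
from collections import defaultdict

PROMPT_RE = re.compile(r"^\S*\(config\)#\s*")  # strip a pasted 'pix(config)#' prompt
# Assumption: the inside address is written in `ip address <if> <addr> <mask>` form.
IPADDR_RE = re.compile(r"^ip address (\w+) ([\d.]+) [\d.]+$")
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (tcp|udp) interface (\d+) ([\d.]+) (\d+)$")
OBJGRP_RE = re.compile(r"^object-group service (\S+) (tcp|udp)$")
PORTOBJ_RE = re.compile(r"^port-object (?:eq (\d+)|range (\d+) (\d+))$")
ACL_RE = re.compile(r"^access-list (\S+) permit (tcp|udp) any interface (\w+) "
                    r"(?:eq (\d+)|object-group (\S+))$")
ACCGRP_RE = re.compile(r"^access-group (\S+) in interface (\w+)$")


def parse(config):
    """Collect interface addresses, statics, ACL permits and access-group bindings."""
    addrs, statics, groups, permits, bound = {}, [], {}, defaultdict(set), {}
    current_group = None  # object-group whose port-object lines are being read
    for raw in config.splitlines():
        line = PROMPT_RE.sub("", raw.strip())
        if m := IPADDR_RE.match(line):
            addrs[m[1]] = m[2]
        elif m := STATIC_RE.match(line):
            real, mapped, proto, mport, rhost, rport = m.groups()
            statics.append(dict(real=real, mapped=mapped, proto=proto,
                                mport=int(mport), rhost=rhost, rport=int(rport)))
        elif m := OBJGRP_RE.match(line):
            current_group = m[1]
            groups[current_group] = set()
        elif (m := PORTOBJ_RE.match(line)) and current_group:
            lo, hi = (m[1], m[1]) if m[1] else (m[2], m[3])
            groups[current_group].update(range(int(lo), int(hi) + 1))
        elif m := ACL_RE.match(line):
            name, proto, iface, port, grp = m.groups()
            for p in ({int(port)} if port else groups.get(grp, set())):
                permits[name].add((proto, iface, p))
        elif m := ACCGRP_RE.match(line):
            bound[m[1]] = m[2]
    return addrs, statics, permits, bound


def check(config):
    """Return a list of findings; an empty list means the redirects are consistent."""
    addrs, statics, permits, bound = parse(config)
    findings = []
    # only permits in a list that is bound to its interface are actually in force
    active = {t for name, iface in bound.items()
              for t in permits.get(name, set()) if t[1] == iface}
    claimed = defaultdict(list)  # (proto, mapped iface, outside port) -> real hosts
    for s in statics:
        key = (s["proto"], s["mapped"], s["mport"])
        claimed[key].append(s["rhost"])
        if s["rhost"] == addrs.get(s["real"]):
            findings.append(f"{s['proto']}/{s['mport']} forwards to {s['rhost']}, which is "
                            f"the {s['real']} interface address, not a server")
        if key not in active:
            findings.append(f"no active access-list permit for {s['proto']}/{s['mport']} "
                            f"on {s['mapped']}")
    for (proto, iface, port), hosts in claimed.items():
        if len(hosts) > 1:
            findings.append(f"{proto}/{port} on {iface} is mapped to several hosts: "
                            + ", ".join(hosts))
    for name in permits:
        if name not in bound:
            findings.append(f"access-list {name} is never applied with access-group")
    return findings


# Constructed sample: the poster's lines, statics aimed at the inside address, no ACL.
ORIGINAL = """
pix(config)#ip address inside 10.1.1.1 255.0.0.0
pix(config)#static (inside,outside) tcp interface 80 10.1.1.10 80
pix(config)#static (inside,outside) tcp interface 21 10.1.1.1 21
pix(config)#static (inside,outside) tcp interface 53 10.1.1.1 53
pix(config)#static (inside,outside) udp interface 53 10.1.1.1 53
"""

# Constructed sample: the answer's corrected statics and ACL, plus the access-group binding.
CORRECTED = """
ip address inside 10.1.1.1 255.0.0.0
static (inside,outside) tcp interface 80 10.1.1.10 80
static (inside,outside) tcp interface 21 10.1.1.3 21
static (inside,outside) tcp interface 53 10.1.1.5 53
static (inside,outside) udp interface 53 10.1.1.5 53
static (inside,outside) tcp interface 3390 10.1.1.10 3389
static (inside,outside) tcp interface 3391 10.1.1.2 3389
object-group service RDP tcp
port-object range 3390 3391
access-list outside_access_in permit tcp any interface outside eq 80
access-list outside_access_in permit tcp any interface outside eq 21
access-list outside_access_in permit tcp any interface outside eq 53
access-list outside_access_in permit udp any interface outside eq 53
access-list outside_access_in permit tcp any interface outside object-group RDP
access-group outside_access_in in interface outside
"""

if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL), ("corrected", CORRECTED)):
        print(f"{label}: {check(cfg) or 'no findings'}")
```

Run as a script it reports seven findings for the poster's lines (three statics aimed at the inside interface, no permits for any of the four) and none for the corrected config; pasting the `static`/`access-list`/`access-group` lines from a `show running-config` into it works the same way, since the prompt is stripped and unrelated lines are ignored.
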
charan_jeetsingh commented:
The command syntax is OK, but you cannot do port redirects for the same port on different servers. Hope this answers your initial 2 queries.

Regarding your last query, there is also a condition as above, and you will need to open a specific port for one specific server. Probably from there you can try connecting to the other servers.
charan_jeetsingh commented:
Husy is right... missed the ACL part :)
nasemabdullaa (author) commented:
Hi,
thanks for your reply.
>>> your statics point to 10.1.1.1 which is your inside interface, it is wrong, they should be servers inside like
I have 5 servers in my network, all connected to a switch, and the outside of the PIX connects to the same switch.
I am redirecting each port to each server (can I do that?),
and what commands must I add to the PIX?

Must I change this command or not?
pix(config)#interface inside 10.1.1.1 255.0.0.0

thanks
charan_jeetsingh commented:
Husy:
"you cannot do port redirects for same port on diff servers"
         The above configuration already does not redirect the same port. >> This was something specific to the 2 DNS servers :)

@naseem
must I change this command or not
pix(config)#interface inside 10.1.1.1 255.0.0.0 >> not required.

For your statics being wrong >>
pix(config)#static (inside,outside) tcp interface 21 10.1.1.1 21
>> should be: static (inside,outside) tcp interface 21 10.1.1.3 21

pix(config)#static (inside,outside) tcp interface 23 10.1.1.1 23
>> should be: static (inside,outside) tcp interface 23 10.1.1.4 23

pix(config)#static (inside,outside) tcp interface 53 10.1.1.1 53
>> should be: static (inside,outside) tcp interface 53 10.1.1.5 53

pix(config)#static (inside,outside) udp interface 53 10.1.1.1 53
>> should be: static (inside,outside) udp interface 53 10.1.1.5 53
Alan Huseyin Kayahan commented:
charan:
this was something specific to the 2 DNS servers :)
pix(config)#static (inside,outside) tcp interface 53 10.1.1.1 53
                                                  ^           ^
pix(config)#static (inside,outside) udp interface 53 10.1.1.1 53
                                                  ^           ^
;)

nasem:
must I change this command or not
pix(config)#interface inside 10.1.1.1 255.0.0.0
   In the CLI, if you can ping 10.1.1.10 with the following command
     ping inside 10.1.1.10
   then you don't need to change anything

charan_jeetsingh commented:
:)... OK, I should have been more specific... again my mistake... I should have said one port for a protocol. :)