Solved

setup port redirection in pix 525

Posted on 2007-11-30
7
716 Views
Last Modified: 2013-11-16
Hi all,
I have a PIX 525 and I want to use port redirection (I have one public IP address, 2 web servers, 1 FTP server, 1 telnet server and 1 DNS server).
outside ip address X.X.34.3
inside address range 10.1.1.254
webserver ip address 10.1.1.10
webserver2 ip address 10.1.1.2
ftp server ip address 10.1.1.3
telnet server ip address 10.1.1.4
dns server ip address 10.1.1.5
I entered these commands:

pix(config)#interface outside X.X.34.3 255.255.255.192
pix(config)#interface inside 10.1.1.1 255.0.0.0
pix(config)#static (inside,outside) tcp interface 80 10.1.1.10 80
pix(config)#static (inside,outside) tcp interface 8080 10.1.1.2 80
pix(config)#static (inside,outside) tcp interface 21 10.1.1.1 21
pix(config)#static (inside,outside) tcp interface 23 10.1.1.1 23
pix(config)#static (inside,outside) tcp interface 53 10.1.1.1 53
pix(config)#static (inside,outside) udp interface 53 10.1.1.1 53

My questions are:
Are those commands correct or not (do I need to use NAT or not)?
Can I use 2 DNS servers, and how do I configure the PIX for this?
Do I need an access-list command for this or not?
And when I want to Remote Desktop to any server, what IP address do I type in the IP address box?

thanks
0
Question by:nasemabdullaa
7 Comments
 
LVL 8

Expert Comment

by:charan_jeetsingh
ID: 20381018
The command syntax is OK, but you cannot do port redirects for the same port on different servers. Hope this answers your initial 2 queries.

Regarding your last query, the same condition as above applies: you will need to open a specific port for one specific server. Probably from there you can try connecting to the other servers.
0
 
LVL 29

Accepted Solution

by:
Alan Huseyin Kayahan earned 400 total points
ID: 20384474
" you cannot do port redirects for same port on diff servers"
         The above configuration already does not redirect the same port.

@nasem
     Your statics point to 10.1.1.1, which is your inside interface; that is wrong, they should point to the servers inside, like:
pix(config)#static (inside,outside) tcp interface 80 10.1.1.10 80
pix(config)#static (inside,outside) tcp interface 8080 10.1.1.2 80
pix(config)#static (inside,outside) tcp interface 21 10.1.1.3 21
pix(config)#static (inside,outside) tcp interface 23 10.1.1.4 23
pix(config)#static (inside,outside) tcp interface 53 10.1.1.5 53
pix(config)#static (inside,outside) udp interface 53 10.1.1.5 53


     Yes, you need an access-list to allow the port traffic coming to the outside interface:

access-list outside_access_in permit tcp any interface outside eq 80
access-list outside_access_in permit tcp any interface outside eq 8080
access-list outside_access_in permit tcp any interface outside eq 21
access-list outside_access_in permit tcp any interface outside eq 23
access-list outside_access_in permit tcp any interface outside eq 53
access-list outside_access_in permit udp any interface outside eq 53

"when i want to enter remote desktop  to any server what is ip address i write in ip address box"
In the above config no RDP static exists, but you can do the following:

pix(config)#static (inside,outside) tcp interface 3390 10.1.1.10 3389
pix(config)#static (inside,outside) tcp interface 3391 10.1.1.2 3389
pix(config)#static (inside,outside) tcp interface 3392 10.1.1.3 3389
pix(config)#static (inside,outside) tcp interface 3393 10.1.1.4 3389
pix(config)#static (inside,outside) tcp interface 3394 10.1.1.5 3389

object-group service RDP tcp
port-object range 3390 3394
access-list outside_access_in permit tcp any interface outside object-group RDP

So when you type x.x.34.3:3390 into Remote Desktop it will go to 10.1.1.10, x.x.34.3:3391 to 10.1.1.2, and so on.

Regards



0
 
LVL 8

Expert Comment

by:charan_jeetsingh
ID: 20387199
Husy is right... missed the ACL part :)
0
 

Author Comment

by:nasemabdullaa
ID: 20387824
Hi,
thanks for your reply.
>>>your statics point to 10.1.1.1 which is your inside interface, it is wrong, they should be servers inside like
I have 5 servers in my network, all connected to a switch, and the PIX connects to the same switch.
I am redirecting each port to each server (can I do that?)
and what commands must I add to the PIX?

Must I change this command or not?
pix(config)#interface inside 10.1.1.1 255.0.0.0

thanks
0
 
LVL 8

Assisted Solution

by:charan_jeetsingh
charan_jeetsingh earned 100 total points
ID: 20388059
husy:
" you cannot do port redirects for same port on diff servers"
         above configuration already does not redirect same port. >> this was something specific to the 2 DNS servers :)

@naseem
must i change this command  or not
pix(config)#interface inside 10.1.1.1 255.0.0.0 >> not required.

for your statics being wrong >>
pix(config)#static (inside,outside) tcp interface 21 10.1.1.1 21
>> should be : static (inside,outside) tcp interface 21 10.1.1.3 21

pix(config)#static (inside,outside) tcp interface 23 10.1.1.1 23
>> should be : static (inside,outside) tcp interface 23 10.1.1.4 23

pix(config)#static (inside,outside) tcp interface 53 10.1.1.1 53
>> should be : static (inside,outside) tcp interface 53 10.1.1.5 53

pix(config)#static (inside,outside) udp interface 53 10.1.1.1 53
>> should be : static (inside,outside) udp interface 53 10.1.1.5 53
0
 
LVL 29

Assisted Solution

by:Alan Huseyin Kayahan
Alan Huseyin Kayahan earned 400 total points
ID: 20388271
charan:
this was something specific to the 2 DNS servers :)
pix(config)#static (inside,outside) tcp interface 53 10.1.1.1 53
                                    ^             ^
pix(config)#static (inside,outside) udp interface 53 10.1.1.1 53
                                    ^             ^
;)

nasem:
must i change this command  or not
pix(config)#interface inside 10.1.1.1 255.0.0.0
   In the CLI, if you can ping 10.1.1.10 with the following command
     ping inside 10.1.1.10
   then you don't need to change anything.




0
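As an added illustration (not part of the thread, and not Cisco's or any poster's code), here is a small Python linter for the static PAT setup discussed in the accepted solution and in the tcp/udp 53 exchange just above. It parses only the command forms that appear in this thread (a pasted `pix(config)#` prompt is tolerated, and the posted `interface inside` line is taken as the inside interface address) and checks the three things the answers turn on: two statics claiming the same protocol and outside port (tcp/53 and udp/53 are different keys, so they do not collide), a static whose inside address is the inside interface rather than a server, and a static with no matching access-list permit on the outside interface. It also answers the Remote Desktop question by resolving an outside port to the server it lands on. Both sample configurations are constructed from the commands posted in the thread, not exported from a device; the function names and the finding strings are my own.

```python
# Added example: lint PIX static PAT lines in the form posted in this thread.
import re
from collections import Counter, defaultdict

STATIC_RE = re.compile(r"^static \(inside,outside\) (tcp|udp) interface (\d+) (\S+) (\d+)$")
INSIDE_IF_RE = re.compile(r"^interface inside (\S+) \S+$")
ACL_EQ_RE = re.compile(r"^access-list \S+ permit (tcp|udp) any interface outside eq (\d+)$")
ACL_OG_RE = re.compile(r"^access-list \S+ permit (tcp|udp) any interface outside object-group (\S+)$")
OG_RE = re.compile(r"^object-group service (\S+) (tcp|udp)$")
PORT_RANGE_RE = re.compile(r"^port-object range (\d+) (\d+)$")
# Constructed from the accepted answer's corrected statics, ACL and RDP
# object-group (two of the five RDP statics kept); not a real device export.
CORRECTED_CONFIG = """
interface inside 10.1.1.1 255.0.0.0
static (inside,outside) tcp interface 80 10.1.1.10 80
static (inside,outside) tcp interface 8080 10.1.1.2 80
static (inside,outside) tcp interface 21 10.1.1.3 21
static (inside,outside) tcp interface 23 10.1.1.4 23
static (inside,outside) tcp interface 53 10.1.1.5 53
static (inside,outside) udp interface 53 10.1.1.5 53
static (inside,outside) tcp interface 3390 10.1.1.10 3389
static (inside,outside) tcp interface 3391 10.1.1.2 3389
access-list outside_access_in permit tcp any interface outside eq 80
access-list outside_access_in permit tcp any interface outside eq 8080
access-list outside_access_in permit tcp any interface outside eq 21
access-list outside_access_in permit tcp any interface outside eq 23
access-list outside_access_in permit tcp any interface outside eq 53
access-list outside_access_in permit udp any interface outside eq 53
object-group service RDP tcp
 port-object range 3390 3394
access-list outside_access_in permit tcp any interface outside object-group RDP
"""
# Constructed from the asker's post: statics aimed at 10.1.1.1, no access-list.
ORIGINAL_CONFIG = """
pix(config)#interface inside 10.1.1.1 255.0.0.0
pix(config)#static (inside,outside) tcp interface 80 10.1.1.10 80
pix(config)#static (inside,outside) tcp interface 8080 10.1.1.2 80
pix(config)#static (inside,outside) tcp interface 21 10.1.1.1 21
pix(config)#static (inside,outside) tcp interface 23 10.1.1.1 23
pix(config)#static (inside,outside) tcp interface 53 10.1.1.1 53
pix(config)#static (inside,outside) udp interface 53 10.1.1.1 53
"""


def parse_pix(text):
    """Parse only the syntax used in the thread; a pasted 'pix(config)#' prompt is tolerated."""
    statics, allowed, groups = [], set(), defaultdict(set)
    inside_if, acl_groups, current = None, [], None
    for raw in text.splitlines():
        line = re.sub(r"^pix\(config\)#", "", raw.strip())
        if not line:
            continue
        if current is not None:  # inside an object-group service block
            if m := PORT_RANGE_RE.match(line):
                groups[current].update(range(int(m.group(1)), int(m.group(2)) + 1))
                continue
            current = None  # any other line ends the block
        if m := STATIC_RE.match(line):
            statics.append((m.group(1), int(m.group(2)), m.group(3), int(m.group(4))))
        elif m := INSIDE_IF_RE.match(line):
            inside_if = m.group(1)
        elif m := ACL_EQ_RE.match(line):
            allowed.add((m.group(1), int(m.group(2))))
        elif m := ACL_OG_RE.match(line):
            acl_groups.append((m.group(1), m.group(2)))
        elif m := OG_RE.match(line):
            current = m.group(1)
    for proto, name in acl_groups:  # expand object-group references once all are read
        allowed.update((proto, port) for port in groups.get(name, ()))
    return {"statics": statics, "allowed": allowed, "inside_if": inside_if}


def lint(cfg):
    """Findings for the three mistakes discussed in the thread; [] means all clear."""
    findings = []
    claims = Counter((proto, oport) for proto, oport, _, _ in cfg["statics"])
    for (proto, oport), n in sorted(claims.items()):
        if n > 1:  # tcp/53 and udp/53 are different keys, so they do not collide
            findings.append(f"conflict: {proto}/{oport} is redirected {n} times")
    for proto, oport, ip, _ in cfg["statics"]:
        if ip == cfg["inside_if"]:
            findings.append(f"{proto}/{oport} points at the inside interface {ip}, not a server")
        if (proto, oport) not in cfg["allowed"]:
            findings.append(f"{proto}/{oport} has no access-list permit on outside")
    return findings


def resolve(cfg, proto, oport):
    """Where <outside ip>:oport lands, e.g. tcp 3391 -> ('10.1.1.2', 3389); None if not redirected."""
    for p, o, ip, iport in cfg["statics"]:
        if (p, o) == (proto, oport):
            return ip, iport
    return None


if __name__ == "__main__":
    print("original:", lint(parse_pix(ORIGINAL_CONFIG)))
    print("corrected:", lint(parse_pix(CORRECTED_CONFIG)), resolve(parse_pix(CORRECTED_CONFIG), "tcp", 3391))
```

Run against the asker's original lines it reports every static as lacking an access-list permit and four of them as aimed at the inside interface; run against the corrected set it reports nothing. Appending a second `tcp interface 53` static for a second DNS server is the one case that produces a conflict finding, which is the limit the thread describes: one outside port per protocol, so a second DNS server on the same public address would need a different outside port.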
 
LVL 8

Expert Comment

by:charan_jeetsingh
ID: 20388575
:)... ok, I should have been more specific... again my mistake... I should have said one port for a protocol. :)
0