setup port redirection in pix 525

Posted on 2007-11-30
Last Modified: 2013-11-16
hi all
I have a PIX 525 and I want to use port redirection (I have one public IP address, 2 web servers, 1 FTP server, 1 Telnet server and 1 DNS server).
outside IP address X.X.34.3
inside address range 10.1.1.254
webserver IP address 10.1.1.10
webserver2 IP address 10.1.1.2
FTP server IP address 10.1.1.3
Telnet server IP address 10.1.1.4
DNS server IP address 10.1.1.5
I made these commands:

pix(config)#interface outside X.X.34.3 255.255.255.192
pix(config)#interface inside 10.1.1.1 255.0.0.0
pix(config)#static (inside,outside) tcp interface 80 10.1.1.10 80
pix(config)#static (inside,outside) tcp interface 8080 10.1.1.2 80
pix(config)#static (inside,outside) tcp interface 21 10.1.1.1 21
pix(config)#static (inside,outside) tcp interface 23 10.1.1.1 23
pix(config)#static (inside,outside) tcp interface 53 10.1.1.1 53
pix(config)#static (inside,outside) udp interface 53 10.1.1.1 53

My questions are:
Are those commands correct or not (do I need to use NAT or not)?
Can I use 2 DNS servers, and how can I do the PIX configuration for this?
Do I need an access-list command for this or not?
And when I want to remote desktop to any server, what IP address do I write in the IP address box?

thanks
Question by: nasemabdullaa

Expert Comment by: charan_jeetsingh
ID: 20381018
The command syntax is OK, but you cannot do port redirects for the same port on different servers. Hope this answers your initial 2 queries.

Regarding your last query, the same condition as above applies, and you will need to open a specific port for one specific server. Probably from there you can try connecting to the other servers.

Accepted Solution by: Alan Huseyin Kayahan (earned 1600 total points)
ID: 20384474
"you cannot do port redirects for same port on diff servers"
         The configuration above does not redirect the same port anyway.

@nasem
     Your statics point to 10.1.1.1, which is your inside interface; that is wrong. They should point to the servers inside, like:
pix(config)#static (inside,outside) tcp interface 80 10.1.1.10 80
pix(config)#static (inside,outside) tcp interface 8080 10.1.1.2 80
pix(config)#static (inside,outside) tcp interface 21 10.1.1.3 21
pix(config)#static (inside,outside) tcp interface 23 10.1.1.4 23
pix(config)#static (inside,outside) tcp interface 53 10.1.1.5 53
pix(config)#static (inside,outside) udp interface 53 10.1.1.5 53


     Yes, you need an access-list to allow the port traffic coming to the outside interface:

access-list outside_access_in permit tcp any interface outside eq 80
access-list outside_access_in permit tcp any interface outside eq 8080
access-list outside_access_in permit tcp any interface outside eq 21
access-list outside_access_in permit tcp any interface outside eq 23
access-list outside_access_in permit tcp any interface outside eq 53
access-list outside_access_in permit udp any interface outside eq 53

"when i want to enter remote desktop to any server what is ip address i write in ip address box"
In the above config no RDP static exists, but you can do the following:

pix(config)#static (inside,outside) tcp interface 3390 10.1.1.10 3389
pix(config)#static (inside,outside) tcp interface 3391 10.1.1.2 3389
pix(config)#static (inside,outside) tcp interface 3392 10.1.1.3 3389
pix(config)#static (inside,outside) tcp interface 3393 10.1.1.4 3389
pix(config)#static (inside,outside) tcp interface 3394 10.1.1.5 3389

object-group service RDP tcp
port-object range 3390 3394
access-list outside_access_in permit tcp any interface outside object-group RDP

So when you type x.x.34.3:3390 in Remote Desktop it will go to 10.1.1.10, x.x.34.3:3391 to 10.1.1.2, and so on.

Regards
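The accepted answer's rules can be checked mechanically: each (protocol, outside port) pair on the interface may translate to only one inside target, tcp/53 and udp/53 are separate pairs, every static needs a matching outside_access_in permit, and an outside ip:port is resolved by looking up that pair. The script below is an added example, not code from the thread or from Cisco; the config text is constructed from the answer's statics and ACL, with one extra tcp/53 static added to show a conflict and the ACL entry for 8080 deliberately left out.

```python
import re
from collections import defaultdict
# Constructed sample, not the thread's listing verbatim: one duplicate tcp/53
# static (conflict) and no ACL line for tcp/8080 (unpermitted static).
PIX_CONFIG = """
static (inside,outside) tcp interface 80 10.1.1.10 80
static (inside,outside) tcp interface 8080 10.1.1.2 80
static (inside,outside) tcp interface 53 10.1.1.5 53
static (inside,outside) udp interface 53 10.1.1.5 53
static (inside,outside) tcp interface 53 10.1.1.6 53
static (inside,outside) tcp interface 3390 10.1.1.10 3389
static (inside,outside) tcp interface 3391 10.1.1.2 3389
access-list outside_access_in permit tcp any interface outside eq 80
access-list outside_access_in permit tcp any interface outside eq 53
access-list outside_access_in permit udp any interface outside eq 53
access-list outside_access_in permit tcp any interface outside range 3390 3394
"""

STATIC_RE = re.compile(
    r"^static \(inside,outside\) (tcp|udp) interface (\d+) (\S+) (\d+)$")
ACL_RE = re.compile(
    r"^access-list \S+ permit (tcp|udp) any interface outside "
    r"(?:eq (\d+)|range (\d+) (\d+))$")

def parse(config):
    """Return ({(proto, outside_port): [(host, inside_port), ...]}, {(proto, port)})."""
    statics, permitted = defaultdict(list), set()
    for line in config.strip().splitlines():
        if m := STATIC_RE.match(line):
            proto, oport, host, iport = m.groups()
            statics[(proto, int(oport))].append((host, int(iport)))
        elif m := ACL_RE.match(line):
            proto, eq, lo, hi = m.groups()
            ports = [int(eq)] if eq else range(int(lo), int(hi) + 1)
            permitted.update((proto, p) for p in ports)
    return statics, permitted

def conflicts(statics):
    """Outside port+protocol pairs mapped to more than one inside target.
    tcp/53 and udp/53 are distinct keys, so the two DNS statics do not clash."""
    return sorted(k for k, v in statics.items() if len(v) > 1)

def unpermitted(statics, permitted):
    """Statics that no outside_access_in line lets through."""
    return sorted(k for k in statics if k not in permitted)

def resolve(statics, proto, outside_port):
    """Inside host:port reached via outside_ip:outside_port, or None."""
    targets = statics.get((proto, outside_port))
    return targets[0] if targets else None
```

The ACL only takes effect once bound to the interface with `access-group outside_access_in in interface outside`, which the listing in the thread does not show.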

Expert Comment by: charan_jeetsingh
ID: 20387199
husy is right... missed the ACL part :)

Author Comment by: nasemabdullaa
ID: 20387824
hi
Thanks for your reply.
>>> your statics point to 10.1.1.1 which is your inside interface, it is wrong, they should be servers inside like
I have 5 servers in my network and all connect to a switch, and the PIX is connected to the same switch.
I am redirecting each port to each server (can I do that?)
And what command must I add to the PIX?

Must I change this command or not?
pix(config)#interface inside 10.1.1.1 255.0.0.0

thanks

Assisted Solution by: charan_jeetsingh (earned 400 total points)
ID: 20388059
husy:
"you cannot do port redirects for same port on diff servers"
         above configuration already does not redirect same port. >> This was something specific to the 2 DNS servers :)

@naseem
must i change this command or not
pix(config)#interface inside 10.1.1.1 255.0.0.0 >> Not required.

For your statics being wrong >>
pix(config)#static (inside,outside) tcp interface 21 10.1.1.1 21
>> should be: static (inside,outside) tcp interface 21 10.1.1.3 21

pix(config)#static (inside,outside) tcp interface 23 10.1.1.1 23
>> should be: static (inside,outside) tcp interface 23 10.1.1.4 23

pix(config)#static (inside,outside) tcp interface 53 10.1.1.1 53
>> should be: static (inside,outside) tcp interface 53 10.1.1.5 53

pix(config)#static (inside,outside) udp interface 53 10.1.1.1 53
>> should be: static (inside,outside) udp interface 53 10.1.1.5 53

Assisted Solution by: Alan Huseyin Kayahan (earned 1600 total points)
ID: 20388271
charan:
this was something specific to the 2 DNS servers :)
pix(config)#static (inside,outside) tcp interface 53 10.1.1.1 53
                                    ^^^              ^^^^^^^^
pix(config)#static (inside,outside) udp interface 53 10.1.1.1 53
                                    ^^^              ^^^^^^^^
;)

nasem:
must i change this command or not
pix(config)#interface inside 10.1.1.1 255.0.0.0
   In the CLI, if you can ping 10.1.1.10 with the following command
     ping inside 10.1.1.10
   then you don't need to change anything.

Expert Comment by: charan_jeetsingh
ID: 20388575
:)... OK, I should have been more specific... again my mistake... I should have said one port for a protocol. :)