Solved

setup port redirection in pix 525

Posted on 2007-11-30
Last Modified: 2013-11-16
Hi all,
I have a PIX 525 and I want to use port redirection (I have one public IP address, 2 web servers, 1 FTP server, 1 telnet server and 1 DNS server).
outside IP address X.X.34.3
inside address range 10.1.1.254
webserver IP address 10.1.1.10
webserver2 IP address 10.1.1.2
FTP server IP address 10.1.1.3
telnet server IP address 10.1.1.4
DNS server IP address 10.1.1.5
I entered these commands:

pix(config)#interface outside X.X.34.3 255.255.255.192
pix(config)#interface inside 10.1.1.1 255.0.0.0
pix(config)#static (inside,outside) tcp interface 80 10.1.1.10 80
pix(config)#static (inside,outside) tcp interface 8080 10.1.1.2 80
pix(config)#static (inside,outside) tcp interface 21 10.1.1.1 21
pix(config)#static (inside,outside) tcp interface 23 10.1.1.1 23
pix(config)#static (inside,outside) tcp interface 53 10.1.1.1 53
pix(config)#static (inside,outside) udp interface 53 10.1.1.1 53

My questions are:
Are those commands correct or not (do I need to use NAT or not)?
Can I use 2 DNS servers, and how can I do the PIX configuration for this?
Do I need an access-list command for this or not?
And when I want to use Remote Desktop to any server, what IP address do I write in the IP address box?

Thanks
Question by:nasemabdullaa
7 Comments
 
LVL 8

Expert Comment

by:charan_jeetsingh
ID: 20381018
The command syntax is OK, but you cannot do port redirects for the same port on different servers. Hope this answers your initial 2 queries.

Regarding your last query, the same condition as above applies, and you will need to open a specific port for one specific server. Probably from there you can try connecting to the other servers.
 
LVL 29

Accepted Solution

by:
Alan Huseyin Kayahan earned 1600 total points
ID: 20384474
"you cannot do port redirects for same port on diff servers"
         The above configuration already does not redirect the same port.

@nasem
     Your statics point to 10.1.1.1, which is your inside interface; that is wrong. They should point to the servers inside, like:
pix(config)#static (inside,outside) tcp interface 80 10.1.1.10 80
pix(config)#static (inside,outside) tcp interface 8080 10.1.1.2 80
pix(config)#static (inside,outside) tcp interface 21 10.1.1.3 21
pix(config)#static (inside,outside) tcp interface 23 10.1.1.4 23
pix(config)#static (inside,outside) tcp interface 53 10.1.1.5 53
pix(config)#static (inside,outside) udp interface 53 10.1.1.5 53


     Yes, you need an access-list to allow the port traffic coming to the outside interface:

access-list outside_access_in permit tcp any interface outside eq 80
access-list outside_access_in permit tcp any interface outside eq 8080
access-list outside_access_in permit tcp any interface outside eq 21
access-list outside_access_in permit tcp any interface outside eq 23
access-list outside_access_in permit tcp any interface outside eq 53
access-list outside_access_in permit udp any interface outside eq 53

"when i want to enter remote desktop to any server what is ip address i write in ip address box"
In the above config no RDP static exists, but you can do the following:

pix(config)#static (inside,outside) tcp interface 3390 10.1.1.10 3389
pix(config)#static (inside,outside) tcp interface 3391 10.1.1.2 3389
pix(config)#static (inside,outside) tcp interface 3392 10.1.1.3 3389
pix(config)#static (inside,outside) tcp interface 3393 10.1.1.4 3389
pix(config)#static (inside,outside) tcp interface 3394 10.1.1.5 3389

object-group service RDP tcp
port-object range 3390 3394
access-list outside_access_in permit tcp any interface outside object-group RDP

So when you type x.x.34.3:3390 into Remote Desktop it will go to 10.1.1.10, x.x.34.3:3391 to 10.1.1.2, and so on.

Regards
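An added sanity check, not code from this thread or from Cisco: a small Python lint (all names are my own) over a PIX 6.x-style static/access-list fragment that flags the three mistakes raised above: two statics claiming the same outside protocol/port pair, a static pointing at the inside interface address instead of a server, and a redirected port with no matching access-list entry.

```python
"""Lint a PIX-style static/access-list fragment for the mistakes discussed in the thread."""
import re
from collections import Counter

STATIC_RE = re.compile(
    r"^static \(inside,outside\) (tcp|udp) interface (\d+) (\d+\.\d+\.\d+\.\d+) (\d+)$"
)
ACL_RE = re.compile(
    r"^access-list (\S+) permit (tcp|udp) any interface outside eq (\d+)$"
)

# Constructed sample: the asker's original statics (before the fix), a second
# tcp/53 static for a hypothetical second DNS server, and a partial ACL.
SAMPLE_CONFIG = """
static (inside,outside) tcp interface 80 10.1.1.10 80
static (inside,outside) tcp interface 8080 10.1.1.2 80
static (inside,outside) tcp interface 21 10.1.1.1 21
static (inside,outside) tcp interface 23 10.1.1.1 23
static (inside,outside) tcp interface 53 10.1.1.1 53
static (inside,outside) tcp interface 53 10.1.1.5 53
access-list outside_access_in permit tcp any interface outside eq 80
access-list outside_access_in permit tcp any interface outside eq 8080
access-list outside_access_in permit tcp any interface outside eq 21
"""

def lint(config, inside_if_ip="10.1.1.1"):
    """Return a list of human-readable problems found in the fragment."""
    statics, acl_ports, problems = [], set(), []
    for line in config.strip().splitlines():
        line = line.strip().removeprefix("pix(config)#")  # tolerate pasted prompts
        if m := STATIC_RE.match(line):
            statics.append((m[1], int(m[2]), m[3], int(m[4])))
        elif m := ACL_RE.match(line):
            acl_ports.add((m[2], int(m[3])))
    # 1. Only one static may own a given outside (protocol, port) pair.
    dupes = Counter((proto, oport) for proto, oport, _, _ in statics)
    for (proto, oport), n in dupes.items():
        if n > 1:
            problems.append(f"duplicate static for {proto}/{oport} ({n} entries)")
    for proto, oport, host, iport in statics:
        # 2. The static must target a server, not the inside interface itself.
        if host == inside_if_ip:
            problems.append(f"{proto}/{oport} points at inside interface {host}")
        # 3. Inbound traffic to the outside interface is dropped unless an ACL permits it.
        if (proto, oport) not in acl_ports:
            problems.append(f"no access-list entry permits {proto}/{oport}")
    return problems

if __name__ == "__main__":
    for p in lint(SAMPLE_CONFIG):
        print(" -", p)
```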
 
LVL 8

Expert Comment

by:charan_jeetsingh
ID: 20387199
Husy is right... missed the ACL part :)

Author Comment

by:nasemabdullaa
ID: 20387824
Hi,
Thanks for your reply.
>>> your statics point to 10.1.1.1 which is your inside interface, it is wrong, they should be servers inside like
I have 5 servers in my network, all connected to a switch, and the outside of the PIX connects to the same switch.
I am redirecting each port to each server (can I do that?), and what commands must I add to the PIX?

Must I change this command or not?
pix(config)#interface inside 10.1.1.1 255.0.0.0

Thanks
 
LVL 8

Assisted Solution

by:charan_jeetsingh
charan_jeetsingh earned 400 total points
ID: 20388059
husy:
"you cannot do port redirects for same port on diff servers"
         above configuration already does not redirect same port. >> This was something specific to the 2 DNS servers :)

@naseem
must i change this command or not
pix(config)#interface inside 10.1.1.1 255.0.0.0 >> not required.

For your statics being wrong >>
pix(config)#static (inside,outside) tcp interface 21 10.1.1.1 21
>> should be: static (inside,outside) tcp interface 21 10.1.1.3 21

pix(config)#static (inside,outside) tcp interface 23 10.1.1.1 23
>> should be: static (inside,outside) tcp interface 23 10.1.1.4 23

pix(config)#static (inside,outside) tcp interface 53 10.1.1.1 53
>> should be: static (inside,outside) tcp interface 53 10.1.1.5 53

pix(config)#static (inside,outside) udp interface 53 10.1.1.1 53
>> should be: static (inside,outside) udp interface 53 10.1.1.5 53
 
LVL 29

Assisted Solution

by:Alan Huseyin Kayahan
Alan Huseyin Kayahan earned 1600 total points
ID: 20388271
charan:
this was something specific to the 2 DNS servers :)
pix(config)#static (inside,outside) tcp interface 53 10.1.1.1 53
                                    ^                         ^
pix(config)#static (inside,outside) udp interface 53 10.1.1.1 53
                                    ^                         ^
;)

nasem:
must i change this command or not
pix(config)#interface inside 10.1.1.1 255.0.0.0
   In the CLI, if you can ping 10.1.1.10 with the following command
     ping inside 10.1.1.10
   then you don't need to change anything.
 
LVL 8

Expert Comment

by:charan_jeetsingh
ID: 20388575
:)... OK, I should have been more specific... again my mistake... I should have said one port per protocol. :)