Solved

setup port redirection in pix 525

Posted on 2007-11-30
718 Views
Last Modified: 2013-11-16
Hi all,
I have a PIX 525 and I want to use port redirection (I have one public IP address, 2 web servers, 1 FTP server, 1 telnet server and 1 DNS server).
outside IP address X.X.34.3
inside address range 10.1.1.254
webserver IP address 10.1.1.10
webserver2 IP address 10.1.1.2
FTP server IP address 10.1.1.3
telnet server IP address 10.1.1.4
DNS server IP address 10.1.1.5
I entered these commands:

pix(config)#interface outside X.X.34.3 255.255.255.192
pix(config)#interface inside 10.1.1.1 255.0.0.0
pix(config)#static (inside,outside) tcp interface 80 10.1.1.10 80
pix(config)#static (inside,outside) tcp interface 8080 10.1.1.2 80
pix(config)#static (inside,outside) tcp interface 21 10.1.1.1 21
pix(config)#static (inside,outside) tcp interface 23 10.1.1.1 23
pix(config)#static (inside,outside) tcp interface 53 10.1.1.1 53
pix(config)#static (inside,outside) udp interface 53 10.1.1.1 53

My questions are:
Are those commands correct or not (do I need to use NAT or not)?
Can I use 2 DNS servers, and how do I configure the PIX for this?
Do I need an access-list command for this or not?
And when I want to open Remote Desktop to any server, what IP address do I write in the IP address box?

Thanks
Question by:nasemabdullaa
7 Comments
 
LVL 8

Expert Comment

by:charan_jeetsingh
ID: 20381018
The command syntax is OK, but you cannot do port redirects for the same port on different servers. Hope this answers your initial 2 queries.

Regarding your last query, the same condition as above applies, and you will need to open a specific port for one specific server. Probably from there you can try connecting to the other servers.
 
LVL 29

Accepted Solution

by:
Alan Huseyin Kayahan earned 400 total points
ID: 20384474
"you cannot do port redirects for same port on diff servers"
         The configuration above already does not redirect the same port.

@nasem
     Your statics point to 10.1.1.1, which is your inside interface; that is wrong. They should point to the servers inside, like:
pix(config)#static (inside,outside) tcp interface 80 10.1.1.10 80
pix(config)#static (inside,outside) tcp interface 8080 10.1.1.2 80
pix(config)#static (inside,outside) tcp interface 21 10.1.1.3 21
pix(config)#static (inside,outside) tcp interface 23 10.1.1.4 23
pix(config)#static (inside,outside) tcp interface 53 10.1.1.5 53
pix(config)#static (inside,outside) udp interface 53 10.1.1.5 53


     Yes, you need an access-list to allow the port traffic arriving at the outside interface:

access-list outside_access_in permit tcp any interface outside eq 80
access-list outside_access_in permit tcp any interface outside eq 8080
access-list outside_access_in permit tcp any interface outside eq 21
access-list outside_access_in permit tcp any interface outside eq 23
access-list outside_access_in permit tcp any interface outside eq 53
access-list outside_access_in permit udp any interface outside eq 53

"when i want to enter remote desktop to any server what is ip address i write in ip address box"
In the above config no RDP static exists, but you can do the following:

pix(config)#static (inside,outside) tcp interface 3390 10.1.1.10 3389
pix(config)#static (inside,outside) tcp interface 3391 10.1.1.2 3389
pix(config)#static (inside,outside) tcp interface 3392 10.1.1.3 3389
pix(config)#static (inside,outside) tcp interface 3393 10.1.1.4 3389
pix(config)#static (inside,outside) tcp interface 3394 10.1.1.5 3389

object-group service RDP tcp
port-object range 3390 3394
access-list outside_access_in permit tcp any interface outside object-group RDP

So when you type x.x.34.3:3390 into Remote Desktop it will go to 10.1.1.10, x.x.34.3:3391 to 10.1.1.2, and so on.

Regards



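As an added example (not code from the thread or from Cisco), a small Python checker for the kind of static/access-list set discussed in this answer: it parses the `static (inside,outside) <proto> interface <outside_port> <inside_ip> <inside_port>` lines used on this page, flags redirects aimed at the firewall's own inside address (the asker's 10.1.1.1 mistake) and the collision that arises when one protocol/port is redirected to two servers (the two-DNS-server question), and emits the matching access-list entries. The sample configuration and the second DNS host 10.1.1.6 are constructed for the demonstration.

```python
# Added example (not from the thread): check PIX 'static (inside,outside) <proto>
# interface <outside_port> <inside_ip> <inside_port>' lines for the two pitfalls
# discussed above, then emit the access-list entries the accepted answer requires.
import re
from collections import defaultdict

STATIC_RE = re.compile(r"^(?:\S+\(config\)#)?static \(inside,outside\) (tcp|udp) "
                       r"interface (\d+) (\d+\.\d+\.\d+\.\d+) (\d+)$")

def parse_statics(lines):
    """Return (proto, outside_port, inside_ip, inside_port) for each static line."""
    out = []
    for line in lines:
        m = STATIC_RE.match(line.strip())
        if m:
            proto, oport, ip, iport = m.groups()
            out.append((proto, int(oport), ip, int(iport)))
    return out

def find_problems(statics, inside_if_ip):
    """Flag statics aimed at the firewall's own inside address (the asker's
    10.1.1.1 mistake) and the same proto/outside-port mapped to two hosts, which
    is why one public IP cannot front two DNS servers on port 53."""
    problems, seen = [], defaultdict(list)
    for proto, oport, ip, _ in statics:
        if ip == inside_if_ip:
            problems.append(f"{proto}/{oport} points at inside interface {ip}")
        seen[(proto, oport)].append(ip)
    for (proto, oport), ips in seen.items():
        if len(ips) > 1:
            problems.append(f"{proto}/{oport} mapped to several hosts: {', '.join(ips)}")
    return problems

def build_acl(statics, name="outside_access_in"):
    """One permit per distinct proto/outside port, matching the accepted answer."""
    return [f"access-list {name} permit {proto} any interface outside eq {oport}"
            for proto, oport in sorted({(p, o) for p, o, _, _ in statics})]

# Constructed sample: three of the asker's lines plus a second DNS server on udp/53.
SAMPLE = """pix(config)#static (inside,outside) tcp interface 80 10.1.1.10 80
pix(config)#static (inside,outside) tcp interface 21 10.1.1.1 21
pix(config)#static (inside,outside) udp interface 53 10.1.1.5 53
pix(config)#static (inside,outside) udp interface 53 10.1.1.6 53""".splitlines()

if __name__ == "__main__":
    statics = parse_statics(SAMPLE)
    print("\n".join(find_problems(statics, "10.1.1.1") + build_acl(statics)))
```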
 
LVL 8

Expert Comment

by:charan_jeetsingh
ID: 20387199
Husy is right... I missed the ACL part :)

Author Comment

by:nasemabdullaa
ID: 20387824
Hi,
Thanks for your reply.
>>> your statics point to 10.1.1.1 which is your inside interface, it is wrong, they should be servers inside like
I have 5 servers in my network, all connected to a switch, and the outside of the PIX connects to the same switch.
I am redirecting each port to each server (can I do that?),
and what commands must I add to the PIX?

Must I change this command or not?
pix(config)#interface inside 10.1.1.1 255.0.0.0

Thanks
 
LVL 8

Assisted Solution

by:charan_jeetsingh
charan_jeetsingh earned 100 total points
ID: 20388059
Husy:
"you cannot do port redirects for same port on diff servers"
         above configuration already does not redirect same port. >> This was something specific to the 2 DNS servers :)

@naseem
must i change this command or not
pix(config)#interface inside 10.1.1.1 255.0.0.0 >> Not required.

For your statics being wrong >>
pix(config)#static (inside,outside) tcp interface 21 10.1.1.1 21
>> should be: static (inside,outside) tcp interface 21 10.1.1.3 21

pix(config)#static (inside,outside) tcp interface 23 10.1.1.1 23
>> should be: static (inside,outside) tcp interface 23 10.1.1.4 23

pix(config)#static (inside,outside) tcp interface 53 10.1.1.1 53
>> should be: static (inside,outside) tcp interface 53 10.1.1.5 53

pix(config)#static (inside,outside) udp interface 53 10.1.1.1 53
>> should be: static (inside,outside) udp interface 53 10.1.1.5 53
 
LVL 29

Assisted Solution

by:Alan Huseyin Kayahan
Alan Huseyin Kayahan earned 400 total points
ID: 20388271
charan:
this was something specific to the 2 DNS servers :)
pix(config)#static (inside,outside) tcp interface 53 10.1.1.1 53
                                                        ^                                      ^
pix(config)#static (inside,outside) udp interface 53 10.1.1.1 53
                                                         ^                                      ^
;)

nasem:
must i change this command or not
pix(config)#interface inside 10.1.1.1 255.0.0.0
   In the CLI, if you can ping 10.1.1.10 with the following command
     ping inside 10.1.1.10
   then you don't need to change anything.
 
LVL 8

Expert Comment

by:charan_jeetsingh
ID: 20388575
:)... OK, I should have been more specific... again my mistake... I should have said one port per protocol. :)
