topic Re: ip redirect with PIX 515 in Network Security

ip redirect with PIX 515

teez007 — Mon, 11 Mar 2019 22:09:50 GMT

Hi,

I have a PIX 515 that i need to use as an ip redirector.

For example if users try to access 80.80.80.80 ,they need to be redirected to 90.90.90.90

It ist possible?

show ver,

Hardware: PIX-515E, 128 MB RAM, CPU Pentium II 433 MHz

Flash E28F128J3 @ 0xfff00000, 16MB

BIOS Flash AM29F400B @ 0xfffd8000, 32KB

0: Ext: Ethernet0 : address is 000b.5fad.0c99, irq 10

1: Ext: Ethernet1 : address is 000b.5fad.0c9a, irq 11

Licensed features for this platform:

Maximum Physical Interfaces : 6

Maximum VLANs : 25

Inside Hosts : Unlimited

Failover : Active/Active

VPN-DES : Enabled

VPN-3DES-AES : Disabled

Cut-through Proxy : Enabled

Guards : Enabled

URL Filtering : Enabled

Security Contexts : 2

GTP/GPRS : Disabled

VPN Peers : Unlimited

This platform has an Unrestricted (UR) license.

thanks in advance for the help.

ip redirect with PIX 515

mirober2 — Wed, 04 Jan 2012 14:19:30 GMT

Hi Thuven,

You can use static NAT for this. See this page for more details and examples:

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/cfgnat.html#wp1043190

-Mike

ip redirect with PIX 515

rizwanr74 — Wed, 04 Jan 2012 14:30:16 GMT

If your 90.90.90.90 is a locally connected segment you can use a static route as such below, assuming you have prior nat in placed for 80.80.80.80 (static nat)

route (inside or dmz ) 80.80.80.80 255.255.255.255 90.90.90.x

Thanks

Rizwan Rafeek.

ip redirect with PIX 515

teez007 — Thu, 05 Jan 2012 06:42:59 GMT

Hi,

both IPs are on the outside interface, i am trying to redirect users on my lan.

any ideas ?

ip redirect with PIX 515

mirober2 — Thu, 05 Jan 2012 13:12:41 GMT

Hi Thuven,

You can try something like this:

static (outside,inside) 80.80.80.80 90.90.90.90 netmask 255.255.255.255

When users on the inside try to access 80.80.80.80, the PIX will change the destination IP of the packet to be 90.90.90.90.

-Mike

ip redirect with PIX 515

rizwanr74 — Thu, 05 Jan 2012 14:19:21 GMT

I am not 100 percent sure exactly, what is that you are trying to accomplish.

Based on information you provided so far.

You said: "both IPs are on the outside interface, i am trying to redirect users on my lan."

I assume, that you have sub-interfaces ip addresses (two IPs) on the outside interface, if then you need a policy base nat.

Regular nat:...

access-list allow-nat-all extended permit ip 80.80.80.0 255.255.255.0 any

global (outside) 1 interface

nat (inside) 1 access-list allow-nat-all

Policy nat:...

access-list allow-nat-specific extended permit ip host 80.80.80.80 host 90.90.90.90

global (outside) 2 xxx.xxx.xxx.xxx

nat (inside) 2 allow-nat-specific

Let me know, if this is what you want to.

Thanks

Rizwan Rafeek

Re: ip redirect with PIX 515

teez007 — Fri, 06 Jan 2012 07:05:21 GMT

thanks Mike and Rizwanr,

L ---[PIX]---- {Internet }

OK, think i should try and explain it a bit better,

L = LAN

A = 80.80.80.80

B = 90.90.90.90

So if the LAN users try to access A, they should be redirected to B.

Hope this helps,

Mike, if i use the static nat you suggested, 90.90.90.90 would need to reside on the LAN (right ?)

Re: ip redirect with PIX 515

mirober2 — Fri, 06 Jan 2012 13:07:31 GMT

Hi Thuven,

The diagram didn't get formatted very well so I'm not sure if I understand. However, using the static NAT I suggested would meet the written requirements you have (users trying to access A would be redirected to B).

In this case, only B is the real host that lives on the Internet. You can think of A as just a virtual IP address that the PIX will do a translation for. If the PIX receives a packet destined for A on the LAN interface, it will just re-write the destination of the packet to B and send it on based on the routing table.

-Mike

Re: ip redirect with PIX 515

rizwanr74 — Fri, 06 Jan 2012 14:07:42 GMT

Thuven and Mike,

The requirement is that traffic is initiated from the LAN but not from the Internet-Users, therefore static-nat is out of the question.

If Thuven’s PIX has one leg (i.e. physical interface) facing the ISP’s circuit then there is only one route on the PIX takes all unknown traffic to destination to Default-Gateway (i.e. default route) on PIX.

If otherwise Thuven’s PIX has two ISP circuits facing the Internet (i.e. physical or sub-interface) then a policy-base NAT will do the trick.

Re: ip redirect with PIX 515

teez007 — Mon, 09 Jan 2012 07:02:46 GMT

Hi,

Sorry for the late reply,

the pix has only 1 interface to the internet,

ok, so the users can access anything but if they try to access 80.80.80.80 they should be redirected to 90.90.90.90.(Both IPs live on the internet).

hope this helps more.

i will try and draw a more detailed diagram.

Re: ip redirect with PIX 515

rizwanr74 — Mon, 09 Jan 2012 17:00:47 GMT

You cannot influence how your ISP transmits internet bound traffic on their network.
Since you do not have a next hop address pointing to 90.90.90.90, you cannot redirect traffic to 90.90.90.90 but to your default gateway only.

However if you own the IP (i.e. 90.90.90.90) and it is accessible on your circuit then you will be able to do a policy-nat, other than that there is nothing you can do, with limited internet circuit on the PIX outside interface.

Re: ip redirect with PIX 515

teez007 — Tue, 10 Jan 2012 08:45:33 GMT

so that means a PIX can inspect a packet and change the destination from IP to another on the WWW ?

Re: ip redirect with PIX 515

rizwanr74 — Tue, 10 Jan 2012 14:21:24 GMT

As far as I know, you can change next-hop address and in your case there is only one next hop, i.e. default-gateway pointing all unknown traffic to single destination, ISP gateway.

Take care.

Thanks

Rizwan Rafeek