topic Re: Static "interface" command clarification in Network Security

Static "interface" command clarification

Armegeden — Mon, 11 Mar 2019 13:28:23 GMT

I have static statements like:

static (inside,outside) 29.7.245.132 192.168.1.13 netmask 255.255.255.255 0 0

static (inside,outside) 29.7.245.136 192.168.1.8 netmask 255.255.255.255 0 0

However, I wish to redirect HTTPS and WWW traffic to a different LAN IP, and 3389 traffic to another.

I know:

static (inside,outside) tcp interface www 192.168.1.5 www netmask 255.255.255.255

Is a way to redirect specific ports, but which "interface" is it referring to? I want WWW traffic destined for 29.7.245.132 to be re-routed, not traffic for 29.7.245.136. But this static entry with "interface" doesn't appear to specify?

Any help or clarification?

Sorry, still learning the in's and out's of PIX lingo

Re: Static "interface" command clarification

dhananjoy chowdhury — Fri, 08 Aug 2008 06:24:08 GMT

In your query above, the interface refers to the Outside Interface.

Now suppose the IP on the Outside interface is 29.7.245.132 and if the want to achieve this :

- traffic coming to Outside IP 29.7.245.132 on port 80 should be redirected to the inside IP 192.168.1.10 on port 80

- traffic coming to Outside IP 29.7.245.132 on port 3389 should be redirected to the inside IP 192.168.1.21 on port 3389

the use these commands

static (inside,Outside) tcp 29.7.245.132 80 192.168.1.10 80

static (inside,Outside) tcp 29.7.245.132 3389 192.168.1.220 3389

-------------------------------------------

Also this can be done

static(inside,outside) tcp interface 3389 192.169.7.100 3389 netmask 255.255.255.255

static(inside,outside) tcp interface 80 192.169.7.100 80 netmask 255.255.255.255

-------------------------------------------

Add ACL,

access-list out-in permit tcp any host 29.7.245.132 eq 443

access-list out-in permit tcp any host 29.7.245.132 eq 80

access-group out-in in interface Outside

Re: Static "interface" command clarification

Jon Marshall — Fri, 08 Aug 2008 06:28:01 GMT

Scott

The "interface" refers to whichever interface you have specified in your static statement ie

static (inside,outside) tcp interface www 192.168.1.5 www netmask 255.255.255.255

in the above you have specified static (inside,outside) so the interface is the outside interface and the IP address of outside interface is the one thats used.

If your statement was

static (inside,DMZ) tcp interface www 192.168.1.5 www netmask 255.255.255.255

where DMZ is the name of your DMZ interface then the "interface" would refer to the DMZ interface IP address.

Jon

Re: Static "interface" command clarification

Armegeden — Fri, 08 Aug 2008 06:30:53 GMT

Ah hah,

So given your example, if the Outside IP was 29.7.245.132

But I was also directing traffic for 29.7.245.133

And I wanted WWW and HTTPS traffic going to 29.7.245.133 to be redirected to 192.168.1.5

And I wanted 3389 traffic going to 29.7.245.133 to be redirected to 192.168.1.10

I would do:

static (inside,outside) tcp 29.7.245.133 www 192.168.1.5 www

static (inside,outside) tcp 29.7.245.133 https 192.168.1.5 https

static (inside,outside) tcp 29.7.245.133 3389 192.168.1.10 3389

And do the ACL's

Would that work?

Re: Static "interface" command clarification

Armegeden — Fri, 08 Aug 2008 06:32:22 GMT

OHHHH!

Wow, that clarification of the (inside,DMZ) and (inside,outside) helped *so* much!

Thanks to both of you!

Re: Static "interface" command clarification

dhananjoy chowdhury — Fri, 08 Aug 2008 06:34:15 GMT

yes that will work, provided you have the correct ACL 🙂