cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1264
Views
0
Helpful
1
Replies

Cisco Pix 515e - Couple Diffrent things.

danielwnewman
Level 1
Level 1

1a. Trying to redirect an external ip to a DNS name/alias.

1b. Redirect a external DNS name/Alias to a internal DNS name/Alias.

2. Trying to do port forwarding from one public IP (with various ports) to many internal IPs.

2a. Ports 80,81,82,83

If they are possible.

1 Reply 1

a.kiprawih
Level 7
Level 7

For 2 7 2a:

2. Trying to do port forwarding from one public IP (with various ports) to many internal IPs.

2a. Ports 80,81,82,83

This is possible via Port redirection feature - map single Public IP to many internal IP.

You can redirect the same port number, or different port on the same/different IP

This must be followed by ACL on the Outside interface allowing access from internet/outside to the Public IP of 100.100.100.100 via whatever specified port.

Example:

1. Static Map/redirect

Public IP to map: 100.100.100.100

Internal IP (i.e servers): 10.1.1.10, 10.1.1.11, 10.1.1.12, 10.1.1.13

static (inside,outside) tcp 100.100.100.100 80 10.1.1.10 80 netmask 255.255.255.255

static (inside,outside) tcp 100.100.100.100 81 10.1.1.10 81 netmask 255.255.255.255

static (inside,outside) tcp 100.100.100.100 82 10.1.1.10 82 netmask 255.255.255.255

static (inside,outside) tcp 100.100.100.100 83 10.1.1.10 83 netmask 255.255.255.255

static (inside,outside) tcp 100.100.100.100 2221 10.1.1.10 21 netmask 255.255.255.255

2. ACL

access-list outside permit tcp any host 100.100.100.100 eq 80*

access-list outside permit tcp any host 100.100.100.100 eq 81

access-list outside permit tcp any host 100.100.100.100 eq 82

access-list outside permit tcp any host 100.100.100.100 eq 83

access-list outside permit tcp any host 100.100.100.100 eq 2221**

access-group outside in interface outside ***

* redirect from mask port value 80 to actual application port number - TCP 80 (www)

** redirect from mask port value 2221 to actual application port number - TCP 21 (ftp)

- Internet users/outsiders will access via port 2221. but PIX will auto redirect it to actual port 21 (FTP) on the server, i.e your server running FTP application using TCP 21, but you do not want Outsiders to easily know/scan/attack port 21. So you use 2221 to mask the port, and let PIX redirect it correctly to port 21 again.

** bind 'outside' ACL to Outside interface IP.

Ref:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aad.shtml#topic9

Make sure your PIX has correct default route to internet router:

route outside 0.0.0.0 0.0.0.0 100.100.100.99 --------> assuming 100.100.100.99 is your internet router FastEthernet facing PIX Outside interface

Hope this helps. Pls rate all useful post(s)

AK

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: