12-03-2010 07:19 AM - edited 03-11-2019 12:18 PM
I have a client who wants to make changes to a PIX 501. They have a single server exposed to the world and want to have specific traffic sent to it. I was going to set up static NAT for the server and then create a simple ACL to allow the ports they want but then they stated they wanted to do port redirection also. So this is my issue:
1.1.1.2=external IP
10.1.1.1=internal IP
Allow ports 443, 3389, 9090, 1010, and 80
Also, redirect traffic from 8000 to 80
I created port forwarding NAT statements:
static (inside,outside) tcp 1.1.1.2 443 10.1.1.1 443 netmask 255.255.255.255 0 0
static (inside,outside) tcp 1.1.1.2 9090 10.1.1.1 9090 netmask 255.255.255.255 0 0
static (inside,outside) tcp 1.1.1.2 1010 10.1.1.1 1010 netmask 255.255.255.255 0 0
static (inside,outside) tcp 1.1.1.2 3389 10.1.1.1 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp 1.1.1.2 8000 10.1.1.1 www netmask 255.255.255.255 0 0
When I try to do 'static (inside,outside) tcp 1.1.1.2 80 10.1.1.1 80 netmask 255.255.255.255 0 0' I get:
ERROR: duplicate of existing static
tcp from inside:10.1.1.1/80 to outside:1.1.1.2/8000 netmask 255.255.255.255 0 0
How can I allow port 80 traffic to 10.1.1.1 and redirect 8000 to 80 for the same server? Is this even possible?
12-03-2010 07:37 AM
Hi,
If I'm not mistaken, you cannot do this unless you're running 8.3 (ASA).
The reason it won't work is because the PIX can redirect the traffic to the internal server, but when the reply comes back it has no way of knowing which of the two static statements to use.
static (inside,outside) tcp 1.1.1.2 8000 10.1.1.1 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 1.1.1.2 80 10.1.1.1 80 netmask 255.255.255.255 0 0
When traffic comes from source IP 10.1.1.1 and source port 80, the PIX has no way of knowing which statement to use for outbound traffic.
Federico.
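To make the point in the reply above concrete, here is an added Python model of the check the PIX is applying; it is not code from the thread or from Cisco. It parses the `static (inside,outside) tcp ...` port-redirection lines, resolves the `www` keyword to 80, and flags a line whose real IP/port (or mapped IP/port) is already translated by an earlier static, which is exactly why 8000->80 and 80->80 cannot both exist for 10.1.1.1: a packet leaving 10.1.1.1:80 would match two statics. The six statics are the ones from the original post; the small service-name table is an assumption (only `www` appears on the page).

```python
"""Added example: model the pre-8.3 PIX/ASA 'duplicate of existing static' check.

Not code from the thread or from Cisco. It parses 'static (in,out) tcp ...'
port-redirection lines and flags a line whose real ip/port (or mapped ip/port)
is already used by an earlier static. The service-name table is an assumption
(only 'www' is on the page); the sample statics are the ones from the post.
"""
import re

# Assumption: a few service keywords the PIX accepts in place of port numbers.
SERVICE_PORTS = {"www": 80, "http": 80, "https": 443, "ssh": 22, "smtp": 25}

STATIC_RE = re.compile(
    r"^static\s*\(\s*(?P<real_if>\w+)\s*,\s*(?P<mapped_if>\w+)\s*\)\s+"
    r"(?P<proto>tcp|udp)\s+"
    r"(?P<mapped_ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<mapped_port>\S+)\s+"
    r"(?P<real_ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<real_port>\S+)"
)


def port_number(token):
    """Turn '80' or a keyword such as 'www' into an integer port."""
    if token.isdigit():
        return int(token)
    if token.lower() in SERVICE_PORTS:
        return SERVICE_PORTS[token.lower()]
    raise ValueError(f"unknown service keyword {token!r}")


def parse_static(line):
    """Parse one port static into interfaces, protocol, real and mapped sockets."""
    m = STATIC_RE.match(line.strip())
    if m is None:
        raise ValueError(f"not a port static: {line!r}")
    return {
        "real_if": m["real_if"], "mapped_if": m["mapped_if"], "proto": m["proto"],
        "real": (m["real_ip"], port_number(m["real_port"])),
        "mapped": (m["mapped_ip"], port_number(m["mapped_port"])),
    }


def describe(s):
    """Render a parsed static the way the PIX echoes it in its error message."""
    return (f"{s['proto']} from {s['real_if']}:{s['real'][0]}/{s['real'][1]} "
            f"to {s['mapped_if']}:{s['mapped'][0]}/{s['mapped'][1]}")


def find_conflicts(lines):
    """Walk the statics in entry order; return [(rejected_line, existing_static)].

    A line is rejected if its (proto, real ip, real port) is already translated
    by an earlier static (the return-traffic ambiguity described in the reply),
    or if its (proto, mapped ip, mapped port) is already taken by another socket.
    """
    by_real, by_mapped, conflicts = {}, {}, []
    for line in lines:
        s = parse_static(line)
        real_key = (s["proto"],) + s["real"]
        mapped_key = (s["proto"],) + s["mapped"]
        existing = by_real.get(real_key) or by_mapped.get(mapped_key)
        if existing is not None:
            conflicts.append((line.strip(), describe(existing)))
            continue
        by_real[real_key] = s
        by_mapped[mapped_key] = s
    return conflicts


# The six statics from the original post, in the order they were entered.
THREAD_STATICS = [
    "static (inside,outside) tcp 1.1.1.2 443 10.1.1.1 443 netmask 255.255.255.255 0 0",
    "static (inside,outside) tcp 1.1.1.2 9090 10.1.1.1 9090 netmask 255.255.255.255 0 0",
    "static (inside,outside) tcp 1.1.1.2 1010 10.1.1.1 1010 netmask 255.255.255.255 0 0",
    "static (inside,outside) tcp 1.1.1.2 3389 10.1.1.1 3389 netmask 255.255.255.255 0 0",
    "static (inside,outside) tcp 1.1.1.2 8000 10.1.1.1 www netmask 255.255.255.255 0 0",
    "static (inside,outside) tcp 1.1.1.2 80 10.1.1.1 80 netmask 255.255.255.255 0 0",
]

if __name__ == "__main__":
    for rejected, existing in find_conflicts(THREAD_STATICS):
        print(f"{rejected}\n  ERROR: duplicate of existing static\n  {existing}")
```

Run as a script, it reports only the sixth line as rejected and names the 8000->www static as the one it collides with, matching the error text quoted in the question. The first five lines pass because each maps a distinct real port to a distinct outside port.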
12-03-2010 07:40 AM
So there is no way for me to make this work? If they want port 80 open they have to have it mapped to only one port (80 or 8000)? How can this be done on ASA?
12-03-2010 07:55 AM
All the static statements above use the same mapped IP.
Are you using that IP for something else? I mean, what prevents you from replacing the above statements with this one:
static (inside,outside) 1.1.1.2 10.1.1.1
Federico.
12-03-2010 08:01 AM
Because they wanted to do port redirection for 8000 to 80. Normally I would just do:
static (inside,outside) 1.1.1.2 10.1.1.1 netmask 255.255.255.255
then write an ACL allowing port access to 1.1.1.2 and apply it to the outside interface. I couldn't do that because I need a port redirection NAT statement of:
static (inside,outside) tcp 1.1.1.2 8000 10.1.1.1 80 netmask 255.255.255.255 0 0
I can't write:
static (inside,outside) 1.1.1.2 10.1.1.1 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.2 8000 10.1.1.1 80 netmask 255.255.255.255 0 0
because it will give me an error, won't it?
12-03-2010 08:21 AM
I think you cannot do that unless you run 8.3 because it won't allow the mapping of the same combination (internal IP/internal port) with different port redirection statements.
I will try some tests and get back to you.
Federico.