Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
851
Views
4
Helpful
2
Replies

Redirect http/https to port 8080 PIX 6.3

paulstone80
Level 3
Level 3

‎02-27-2013 10:20 AM - edited ‎03-11-2019 06:06 PM

Hi,

Just looking for a bit of direction on this problem. I need to redirect all http and https traffic from one source in a dmz network, to port tcp/8080 on a proxy server on the inside network.

The source device doesn't handle proxying very well, so i've been advised to redirect the tcp/80 and tcp/443 ports to tcp/8080 as it passes through the firewall.

Scenario is thus:

PIX 515E 6.3 (5)

DMZ server: 172.31.255.250 (Real IP), 10.44.181.236 (NAT IP)

Inside Proxy server: 10.44.132.28 (Real IP), 172.31.255.110 (NAT IP)

I've configured a static NAT redirect using the following command:

static (inside,dmz) tcp 172.31.255.110 www 10.44.132.28 8080 netmask 255.255.255.255 0 0

When I try to add the next command of:

static (inside,dmz) tcp 172.31.255.110 443 10.44.132.28 8080 netmask 255.255.255.255 0 0

I get the following error:

ERROR: duplicate of existing static

Is there a work around for this at all or am I stuck with the limitations of the software?

Thanks,

Paul

HTH Paul ****Please rate useful posts****
Labels:
0 Helpful
2 Replies 2

Julio Carvajal
VIP Alumni
VIP Alumni

‎03-04-2013 05:53 PM

Hello Paul,

Each host can only listen on one port once.. In this case the host 10.44.132.28 is already listening on port 8080 for traffic that reaches the firewall on the dmz interface on port 443 on one particular IP.

In this case you must use a different port than 8080 or a different host on the inside,

Regards,

Remember to rate all of the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

paulstone80
Level 3
Level 3
In response to Julio Carvajal

‎03-12-2013 01:39 AM

Thanks for your response jcarvaja.

I thought this may be the case, but wasn't sure if there was a work around for it. Unfortunately the device listening on tcp/8080 is a proxy server so it will only allow inbound connections on port 8080.

Thanks,

Paul

HTH Paul ****Please rate useful posts****
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card