08-07-2008 10:25 PM - edited 03-11-2019 06:28 AM
I have static statements like:
static (inside,outside) 29.7.245.132 192.168.1.13 netmask 255.255.255.255 0 0
static (inside,outside) 29.7.245.136 192.168.1.8 netmask 255.255.255.255 0 0
However, I wish to redirect HTTPS and WWW traffic to a different LAN IP, and 3389 traffic to another.
I know:
static (inside,outside) tcp interface www 192.168.1.5 www netmask 255.255.255.255
Is a way to redirect specific ports, but which "interface" is it referring to? I want WWW traffic destined for 29.7.245.132 to be re-routed, not traffic for 29.7.245.136. But this static entry with "interface" doesn't appear to specify?
Any help or clarification?
Sorry, still learning the ins and outs of PIX lingo.
08-07-2008 11:24 PM
In your query above, the interface refers to the Outside Interface.
Now suppose the IP on the Outside interface is 29.7.245.132 and you want to achieve this:
- traffic coming to Outside IP 29.7.245.132 on port 80 should be redirected to the inside IP 192.168.1.10 on port 80
- traffic coming to Outside IP 29.7.245.132 on port 3389 should be redirected to the inside IP 192.168.1.21 on port 3389
then use these commands:
static (inside,Outside) tcp 29.7.245.132 80 192.168.1.10 80
static (inside,Outside) tcp 29.7.245.132 3389 192.168.1.220 3389
-------------------------------------------
Also this can be done
static (inside,outside) tcp interface 3389 192.169.7.100 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 80 192.169.7.100 80 netmask 255.255.255.255
-------------------------------------------
Add ACL,
access-list out-in permit tcp any host 29.7.245.132 eq 443
access-list out-in permit tcp any host 29.7.245.132 eq 80
access-group out-in in interface Outside
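Added example (not part of the original thread and not Cisco tooling): a small Python check that pairs each port-redirect static with the ACL bound to the mapped interface and lists forwards that no permit line covers, plus permits that have no matching static. It handles only the `static ... tcp` and `permit tcp any host ... eq` forms shown in this thread; the function names and the `interface_ips` map (needed to resolve the `interface` keyword) are assumptions.

```python
import re

# Port keywords the PIX accepts in place of numbers (subset used in this thread).
PORT_NAMES = {"www": 80, "http": 80, "https": 443}
STATIC_RE = re.compile(
    r"^static\s*\((\w+),(\w+)\)\s+tcp\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)", re.I)
ACL_RE = re.compile(
    r"^access-list\s+(\S+)\s+permit\s+tcp\s+any\s+host\s+(\S+)\s+eq\s+(\S+)", re.I)
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)", re.I)

# Constructed sample input, assembled from commands quoted in the thread.
SAMPLE = """
static (inside,Outside) tcp 29.7.245.132 80 192.168.1.10 80
static (inside,Outside) tcp 29.7.245.132 3389 192.168.1.220 3389
access-list out-in permit tcp any host 29.7.245.132 eq 443
access-list out-in permit tcp any host 29.7.245.132 eq 80
access-group out-in in interface Outside
"""


def port(token):
    """Turn a port keyword or number into an int."""
    return PORT_NAMES[token.lower()] if token.lower() in PORT_NAMES else int(token)


def audit(config, interface_ips):
    """Return (forwards with no permit, permits with no forward) as sorted lists."""
    forwards, permits, bound = set(), {}, {}
    for line in config.splitlines():
        line = line.strip()
        if m := STATIC_RE.match(line):
            mapped_if, ip = m.group(2).lower(), m.group(3)
            if ip.lower() == "interface":  # resolve to that interface's own address
                ip = interface_ips[mapped_if]
            forwards.add((mapped_if, ip, port(m.group(4))))
        elif m := ACL_RE.match(line):
            permits.setdefault(m.group(1), set()).add((m.group(2), port(m.group(3))))
        elif m := GROUP_RE.match(line):
            bound[m.group(2).lower()] = m.group(1)
    unreachable = sorted(f for f in forwards
                         if f[1:] not in permits.get(bound.get(f[0]), set()))
    allowed = {(i, ip, p) for i, acl in bound.items()
               for ip, p in permits.get(acl, set())}
    return unreachable, sorted(allowed - forwards)


if __name__ == "__main__":
    print(audit(SAMPLE, {"outside": "29.7.245.132"}))
```

The first list holds mapped address and port pairs that are translated but not permitted inbound; the second holds permitted pairs for which no port-redirect static exists.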
08-07-2008 11:30 PM
Ah hah,
So given your example, if the Outside IP was 29.7.245.132
But I was also directing traffic for 29.7.245.133
And I wanted WWW and HTTPS traffic going to 29.7.245.133 to be redirected to 192.168.1.5
And I wanted 3389 traffic going to 29.7.245.133 to be redirected to 192.168.1.10
I would do:
static (inside,outside) tcp 29.7.245.133 www 192.168.1.5 www
static (inside,outside) tcp 29.7.245.133 https 192.168.1.5 https
static (inside,outside) tcp 29.7.245.133 3389 192.168.1.10 3389
And do the ACLs
Would that work?
08-07-2008 11:34 PM
yes that will work, provided you have the correct ACL :)
08-07-2008 11:28 PM
Scott
The "interface" refers to whichever interface you have specified in your static statement, i.e.
static (inside,outside) tcp interface www 192.168.1.5 www netmask 255.255.255.255
In the above you have specified static (inside,outside), so the interface is the outside interface and the IP address of the outside interface is the one that's used.
If your statement was
static (inside,DMZ) tcp interface www 192.168.1.5 www netmask 255.255.255.255
where DMZ is the name of your DMZ interface then the "interface" would refer to the DMZ interface IP address.
Jon
08-07-2008 11:32 PM
OHHHH!
Wow, that clarification of the (inside,DMZ) and (inside,outside) helped *so* much!
Thanks to both of you!