07-15-2003 06:59 AM - edited 03-09-2019 04:02 AM
Here is my setup:
Internet
|
T1
|
Cisco 2610
12.xxx.xxx.1
|
|
12.xxx.xxx.2
Cisco PIX 506E
172.16.80.60
|
|
172.16.80.1
Cisco 2610 - - Remote Site
|
T1
|
172.16.16.1
Cisco 3600 - - Central Site
|
|
172.16.16.10
Web Server
What I'd like to do is house the webserver at our central site (172.16.16.x) but access it from a global address from the remote site (172.16.80.x/12.x.x.x). I will be doing this in case our primary connection is lost at our central site.
Snipped config
access-list outside_access_in permit tcp any host 12.xxx.xxx.xxx eq 80
static (inside, outside) tcp 12.xxx.xxx.xxx 80 172.16.16.10 80 netmask 255.255.255.255 0 0
And this is from xlate debug (timeout):
TCP PAT from inside:172.16.16.10/80 to outside:12.xxx.xxx.xxx/80 flags sri idle 0:00:10 timeout 0:00:30
I tried this on a web server on the remote site, but I'd like to ultimately have the traffic routed to our Primary site...
TIA for your help!!
07-15-2003 07:07 AM
Hi -
Don't know if you've checked this document:
http://www.cisco.com/warp/public/707/28.html
Hope this helps -
07-15-2003 07:15 AM
Yes, in reference to topic #9
"Port Redirection with Statistics"
I was able to hit the web server if static was configured for that location...
Cheers.
07-15-2003 07:14 AM
Hi -
Forgot to mention, did you do cmd 'clear xlate' after you implemented the static and ACL ?
Jay
07-15-2003 07:20 AM
Yes.. I had cleared the xlate, and here is the latest snip from "show xlate debug":
NAT from inside:172.16.16.10/80 to outside:12.xxx.xxx.xxx/80 flags sri idle 0:17:47 timeout 3:00:00
If this helps at all.
07-15-2003 07:56 AM
Is it possible for you to post your PIX config, either here or direct to me (email above)?
PLEASE REMEMBER TO CHANGE REAL IP's AND PASSWORD(S)
Thanks -
07-15-2003 08:25 AM
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxxxxxxxxxxxxxxxxxxx
passwd xxxxxxxxxxxxxxxxxxxx encrypted
hostname remote-gw
domain-name remote.org
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 172.16.80.0 Remote
name 172.16.16.0 Central
access-list inside_access permit tcp any any eq www
access-list inside_access permit tcp any any eq https
access-list inside_access permit tcp any any eq domain
access-list inside_access permit icmp any any echo-reply
access-list inside_access permit icmp any any
access-list outside_access permit icmp any any
access-list outside_access permit tcp any host 12.xxx.xxx.xxx eq www
pager lines 24
logging on
logging timestamp
logging trap notifications
logging host inside 172.16.xxx.xxx
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 12.xxx.xxx.xxx 255.255.255.224
ip address inside 172.16.xxx.xxx 255.255.240.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit name attack attack action alarm drop
ip audit name ids info action alarm
ip audit interface outside ids
ip audit interface outside attack
ip audit interface inside ids
ip audit interface inside attack
ip audit info action alarm
ip audit attack action alarm drop
pdm logging alerts 100
pdm history enable
arp timeout 14400
global (outside) 1 12.xxx.xxx.xxx-12.xxx.xxx.xxx netmask 255.255.255.224
global (outside) 1 12.xxx.xxx.xxx
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 12.xxx.xxx.xxx 172.16.16.10 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 12.xxx.xxx.xxx 1
route inside 172.16.0.0 255.255.0.0 172.16.80.1 1
route inside 172.16.16.0 255.255.240.0 172.16.80.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
floodguard enable
console timeout 0
terminal width 80
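Added example, not from the thread or from Cisco: a small Python checker for the kind of name mismatch visible in the posted config, where the `access-group` lines bind `outside_access_in` and `inside_access_in` while the `access-list` lines define `outside_access` and `inside_access`, and for statics whose global address no applied outside ACL permits. The sample config is a constructed excerpt modelled on the post, with the poster's `12.xxx.xxx.xxx` placeholders kept.

```python
import re
from collections import defaultdict

# Constructed excerpt modelled on the PIX 6.3 config posted above (placeholders kept).
SAMPLE_CONFIG = """
access-list inside_access permit tcp any any eq www
access-list outside_access permit icmp any any
access-list outside_access permit tcp any host 12.xxx.xxx.xxx eq www
static (inside,outside) 12.xxx.xxx.xxx 172.16.16.10 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
"""

def parse_pix(config):
    """Return (acl_entries, bindings, statics) parsed from PIX 6.x config text."""
    acls = defaultdict(list)   # ACL name -> list of entry bodies
    bindings = {}              # interface -> ACL name applied inbound
    statics = []               # (global_ip, local_ip), with or without port redirection
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r"access-list (\S+) (.*)", line):
            acls[m.group(1)].append(m.group(2))
        elif m := re.match(r"access-group (\S+) in interface (\S+)", line):
            bindings[m.group(2)] = m.group(1)
        elif m := re.match(r"static \((\S+),(\S+)\) (?:tcp |udp )?(\S+) (?:\d+ )?(\S+)", line):
            statics.append((m.group(3), m.group(4)))
    return acls, bindings, statics

def audit(config):
    """Report ACL names that are bound but undefined, defined but unbound,
    and statics whose global address the applied outside ACL never permits."""
    acls, bindings, statics = parse_pix(config)
    findings = []
    for iface, name in bindings.items():
        if name not in acls:
            findings.append(f"{iface}: access-group references undefined ACL '{name}'")
    for name in acls:
        if name not in bindings.values():
            findings.append(f"ACL '{name}' is defined but not applied to any interface")
    outside_acl = acls.get(bindings.get("outside", ""), [])
    for global_ip, local_ip in statics:
        if not any(f"host {global_ip}" in entry for entry in outside_acl):
            findings.append(f"static {global_ip}->{local_ip}: no applied outside ACL permits {global_ip}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample it reports both undefined bindings, both unapplied ACLs and the unreachable static; once the names agree it reports nothing.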