
anyone out there any good with Cisco ???

Old 05 June 2003, 02:30 PM
  #1  
pblakeway

Got a prob with firewall, want to map single external address multiple ports to multiple internal addresses changing port numbers.

eg
1.1.1.1 (external)
192.168.0.x (internal)
now I want
1.1.1.1:80 to go to 192.168.0.1:80
1.1.1.1:81 to go to 192.168.0.2:80
1.1.1.1:535 to 192.168.0.1:666

Any suggestions would be great, I can't seem to find the command for it.

Old 05 June 2003, 03:50 PM
  #2  
Jeff Wiltshire

I may be able to help but I need to know if you're using a Cisco Router which runs IOS or a PIX.
Old 05 June 2003, 04:25 PM
  #3  
pblakeway

It's a PIX 515.
I'm fairly new with Cisco so am still fumbling around and making mistakes.
Old 05 June 2003, 04:59 PM
  #4  
Jeff Wiltshire

Port Redirection with Statics
In PIX 6.0, the port redirection feature was added to allow outside users to connect to a particular IP address/port and have the PIX redirect the traffic to the appropriate inside server; the static command was modified. The shared address can be a unique address, a shared outbound PAT address, or shared with the external interface.

Note: Due to space limitations, commands are shown on two lines.

static [(internal_if_name, external_if_name)]
{global_ip|interface}
local_ip [netmask mask] [max_conns [emb_limit
[norandomseq]]]

static [(internal_if_name, external_if_name)] {tcp|udp}
{global_ip|interface}
global_port local_ip local_port [netmask mask] [max_conns
[emb_limit [norandomseq]]]

In our network, we wanted to have the following port redirections.

External users direct Telnet requests to unique IP address 172.18.124.99, which the PIX redirects to 10.1.1.6.

External users direct FTP requests to unique IP address 172.18.124.99, which the PIX redirects to 10.1.1.3.

External users direct Telnet requests to PAT address 172.18.124.208, which the PIX redirects to 10.1.1.4.

External users direct Telnet request to PIX outside IP address 172.18.124.216, which the PIX redirects to 10.1.1.5.

External users direct HTTP request to PIX outside IP address 172.18.124.216, which the PIX redirects to 10.1.1.5.

External users direct HTTP port 8080 requests to PAT address 172.18.124.208, which the PIX redirects to 10.1.1.7 port 80.

We also decided to block some users' access from inside to outside with ACL 100. This step is optional; all traffic is permitted outbound without the ACL in place.

Network Diagram - Port Redirection


Partial PIX Configuration - Port Redirection
The following partial configuration illustrates the use of static port redirection, referring to the diagram above.


fixup protocol ftp 21

!--- Use of an outbound ACL is optional.

access-list 100 permit tcp 10.1.1.0 255.255.255.128 any eq www
access-list 100 deny tcp any any eq www
access-list 100 permit tcp 10.0.0.0 255.0.0.0 any
access-list 100 permit udp 10.0.0.0 255.0.0.0 host 172.18.124.100 eq domain

access-list 101 permit tcp any host 172.18.124.99 eq telnet
access-list 101 permit tcp any host 172.18.124.99 eq ftp
access-list 101 permit tcp any host 172.18.124.208 eq telnet
access-list 101 permit tcp any host 172.18.124.216 eq telnet
access-list 101 permit tcp any host 172.18.124.216 eq www
access-list 101 permit tcp any host 172.18.124.208 eq 8080

ip address outside 172.18.124.216 255.255.255.0
ip address inside 10.1.1.2 255.255.255.0

global (outside) 1 172.18.124.208
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) tcp 172.18.124.99 telnet 10.1.1.6
telnet netmask 255.255.255.255 0 0
static (inside,outside) tcp 172.18.124.99 ftp 10.1.1.3
ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp 172.18.124.208 telnet 10.1.1.4
telnet netmask 255.255.255.255 0 0
static (inside,outside) tcp interface telnet 10.1.1.5
telnet netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 10.1.1.5
www netmask 255.255.255.255 0 0
static (inside,outside) tcp 172.18.124.208 8080 10.1.1.7
www netmask 255.255.255.255 0 0

!--- Use of an outbound ACL is optional.

access-group 100 in interface inside
access-group 101 in interface outside
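
Added example, not part of the thread or of the Cisco text quoted in post #4: a small Python audit that cross-checks `static` port redirections against the ACL applied inbound on the outside interface, run here on a constructed config for the three mappings asked for in post #1. It assumes one command per line (unlike the wrapped listing above) and only reads port-redirect statics and `permit ... any host X eq P` entries; ACL number 101 and all function names are assumptions.

```python
import re

# Port keywords the PIX prints instead of numbers (only those used on this page).
NAMED = {"ftp": 21, "telnet": 23, "domain": 53, "www": 80}

# Constructed sample: the three mappings from post #1 in the "static ... tcp"
# form from post #4. ACL number 101 is assumed; the permit for port 535 is
# left out and a stray permit for 8080 is included so the audit has findings.
SAMPLE = """\
access-list 101 permit tcp any host 1.1.1.1 eq www
access-list 101 permit tcp any host 1.1.1.1 eq 81
access-list 101 permit tcp any host 1.1.1.1 eq 8080
static (inside,outside) tcp 1.1.1.1 www 192.168.0.1 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 1.1.1.1 81 192.168.0.2 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 1.1.1.1 535 192.168.0.1 666 netmask 255.255.255.255 0 0
access-group 101 in interface outside
"""

STATIC = re.compile(r"^static \((\w+),\s*(\w+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+)")
PERMIT = re.compile(r"^access-list (\S+) permit (tcp|udp) any host (\S+) eq (\S+)")
GROUP = re.compile(r"^access-group (\S+) in interface (\w+)")
IFADDR = re.compile(r"^ip address (\w+) (\S+)")

def port(tok):
    return int(tok) if tok.isdigit() else NAMED[tok]

def audit(config, outside="outside"):
    """Cross-check port-redirect statics against the ACL bound to `outside`."""
    statics, permits, bound, if_ip = {}, set(), set(), "interface"
    for line in map(str.strip, config.splitlines()):
        if (m := STATIC.match(line)) and m[2] == outside:
            statics[(m[3], m[4], port(m[5]))] = (m[6], port(m[7]))
        elif m := PERMIT.match(line):
            permits.add((m[1], m[2], m[3], port(m[4])))
        elif (m := GROUP.match(line)) and m[2] == outside:
            bound.add(m[1])
        elif (m := IFADDR.match(line)) and m[1] == outside:
            if_ip = m[2]
    # "interface" as global_ip means the outside interface's own address.
    statics = {(p, if_ip if ip == "interface" else ip, n): dst
               for (p, ip, n), dst in statics.items()}
    allowed = {p[1:] for p in permits if p[0] in bound}
    return {
        "redirects": statics,
        "unreachable": sorted(set(statics) - allowed),  # static, no permit
        "no_static": sorted(allowed - set(statics)),    # permit, no static
    }

if __name__ == "__main__":
    for name, value in audit(SAMPLE).items():
        print(name, value)
```

An `unreachable` entry is a redirect the outside ACL will drop; a `no_static` entry is an inbound permit with no port redirect behind it, which is worth reviewing as a stale or overly broad rule.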

Old 05 June 2003, 05:03 PM
  #5  
pblakeway

Thanks