
Help with port forwarding and redirection

dmvi (Programmer), Apr 16, 2002
I have read almost all threads on this and am still a little confused. Since I am having trouble with this command, maybe you can explain. I currently redirect port 80 coming in on public-ip1 to an internal machine at port 8080 on private-ip1. Now I wish to do a similar thing like redirecting public-ip2 port 80 to private-ip2 port 2000 and that doesn't work. Example of my commands. Mind you, the first one works great, the second one does not work at all. IP addresses have been changed to protect the innocent.

static (inside,outside) tcp 24.66.208.102 8080 netmask 255.255.255.255 0 0
static (inside,outside) tcp 24.66.208.108 2000 netmask 255.255.255.255 0 0
conduit permit tcp host 66.238.208.102 eq
conduit permit tcp host 66.238.208.108 eq

Question #1 - In other posts I see similar issues where some of you recommend the following change to the static command. My question is this. What does the syntax with "interface" rather than the public IP address actually do? How the heck does it know the public coming in?
static (inside, outside) tcp interface 0 0
static (inside, outside) tcp interface 3389 192.168.1.2 3389 255.255.255.255 0 0

Question #2 - Why bother redirecting port to port? Isn't all that assumed if the ports are exactly the same externally as well as internally?

Thanks a lot for all your help!!
Steve
 
Question #1... Using the interface keyword allows you to use the IP address of the outside interface. This is important for people with dynamic or limited number of ip addresses.

Question #2... There might be someone that runs a webserver with different ports than the standard port80 (maybe multiple servers on a box, etc). By adding the destination port in the translation, you can control that. Obviously some people won't need the flexibility, but Cisco is being nice for us tweakers. :)
 
In response to your Ques 1 response. I think I get it now. So if you only have like one public IP address and that is assigned to your public port on the firewall, you use that to redirect to an internal server/port depending on what port is incoming. Since I have plenty of IP addresses, I don't need to worry about this option. Am I correct there?

In response to your Ques 2 response, that seems to be exactly what I am doing, or what I am trying to do. I cannot seem to figure out what I am missing. Everything looks good to me!!
 
You got it.

However in your case, your conduits are wrong.

conduit permit tcp host any 24.66.208.102 eq www
conduit permit tcp host any 24.66.208.108 eq www

You should also look into using access-lists instead of conduits. They are much faster for the PIX to use.
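As an added example, not posted by anyone in this thread: a PIX 6.x configuration that maps both public addresses from the first post to different internal ports and replaces the conduits with an access-list, as recommended above. The private addresses 192.168.1.10 and 192.168.1.20 are assumed placeholders; 192.168.1.2 and the public addresses come from the thread.

```cisco
! Port redirection: public 24.66.208.102:80 -> private 192.168.1.10:8080
! (192.168.1.10 and 192.168.1.20 are assumed placeholder addresses)
static (inside,outside) tcp 24.66.208.102 www 192.168.1.10 8080 netmask 255.255.255.255 0 0
! Second public address, same outside port, different inside port
static (inside,outside) tcp 24.66.208.108 www 192.168.1.20 2000 netmask 255.255.255.255 0 0
! "interface" form: uses the outside interface's own address, for
! firewalls with a single or dynamic public IP (the case in Question #1)
static (inside,outside) tcp interface 3389 192.168.1.2 3389 netmask 255.255.255.255 0 0
!
! Access-list in place of conduits. The ACL matches the OUTSIDE address and the
! OUTSIDE (mapped) port, never the inside port: 80 here, not 8080 or 2000.
access-list outside_in permit tcp any host 24.66.208.102 eq www
access-list outside_in permit tcp any host 24.66.208.108 eq www
access-group outside_in in interface outside
!
! After changing a static, drop existing translations so the new mapping is used:
! clear xlate
```

Keeping each ACL entry scoped to one host and one port (rather than `any any`) limits the outside-initiated traffic to exactly the two published services.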
 
Thanks, I tried the change to the conduit but am not allowed to enter it. We are on PIX Version 6.1(1). Could this be why? Anyway, like I wrote, the first conduit with the .102 address works and redirects incoming port 80 to 8080 internally. It is the second that doesn't work. I don't understand why.
 
Double check that tcp port 2000 is what the server is actually running on.
 