Port redirecting, is it p;ossibe

[ianbla]

Lets say I only have a web server available in the DMZ but I would like to have 5 web sites all on differnt ports. Is it possible to have the PIX redirecting requests to the DMZ box.

Let say I have 5 public IP's 193.131.97.11-193.131.97.15

I would like clients to still use port 80 to connect but on the inside I would like my DMZ box with 5 differnt ports 172.16.128.101:80-172.16.128.101:84.

I therfore would like to resolve as follows

193.131.97.11:80 - 172.16.128.101:80
193.131.97.12:80 - 172.16.128.101:81
193.131.97.13:80 - 172.16.128.101:82
193.131.97.14:80 - 172.16.128.101:83
193.131.97.15:80 - 172.16.128.101:84

Is this possible? What would be the command to use?

Many thanks
Ian.

 

[themut]

I don't think that´s possible... you cannot have several public IP addresses mapped to the same "internal" IP.

 

[themut]

I take that back... I just checked 6.3(3) and you may be able to pull it off with policy NAT. Check out the link below:

http://cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/s.htm#1026694

 

[ixleplix]

The PIX running 6.3.1 will do port redirection.

Port redirection uses an access-list and a static mapping to work. So if you had two servers inside 1.1.1.5 & 1.1.1.10 and 2.2.2.5 was the IP outside, and you wanted for port 25 to go to 1.1.1.5 and port 23 to go to 1.1.1.10 then you would set up an ACL like this:

access-list 100 permit tcp any host 2.2.2.5 eq 25
access-list 100 permit tcp any host 2.2.2.5 eq 23

access-group 100 in interface outside

and you would set the static statements like this:

static (inside,outside) tcp 2.2.2.5 25 1.1.1.5 25 netmask 255.255.255.255 0 0
static (inside,outside) tcp 2.2.2.5 23 1.1.1.10 23 netmask 255.255.255.255 0 0

Now I tested similar commands (to those below) on my PIX, and they took, so it might be possible to have a port redirected in the manner which it sounds like you want; it would look like this on the static mapping:

static (inside,outside) tcp 2.2.2.5 25 1.1.1.5 83 netmask 255.255.255.255 0 0

so you have traffic comming in on port 25 and going to the 1.1.1.5 server on port 83.

For your config you might try this:

access-list 100 permit tcp any host 193.131.97.11 eq 80
access-list 100 permit tcp any host 193.131.97.12 eq 80
access-list 100 permit tcp any host 193.131.97.13 eq 80
access-list 100 permit tcp any host 193.131.97.14 eq 80
access-list 100 permit tcp any host 193.131.97.15 eq 80

access-group 100 in interface outside

static (inside,outside) tcp 193.131.97.11 80 172.16.128.101 80 netmask 255.255.255.255 0 0

static (inside,outside) tcp 193.131.97.12 80 172.16.128.101 81 netmask 255.255.255.255 0 0

static (inside,outside) tcp 193.131.97.13 80 172.16.128.101 82 netmask 255.255.255.255 0 0

static (inside,outside) tcp 193.131.97.14 80 172.16.128.101 83 netmask 255.255.255.255 0 0

static (inside,outside) tcp 193.131.97.15 80 172.16.128.101 84 netmask 255.255.255.255 0 0


Let me know if this works for you.

Also, the PIX will not allow for duplicate ports (from multiple outside addresses) to be mapped to the same internal IP. Nor will it allow the same port to be mapped to multiple internal IP's.

 

[ianbla]

thanks for the info, I shall give it a go.

 

[techmandude]

I agree with IXLEPLIX

Mapping multiple public ip addresses with same private ip address is possible with port redirection. Port redirection is supported from software version 6.2 onwards

example:
--------------------------------------------------
static (inside,outside) tcp exterip1 80 interserv 80
static (inside,outside) tcp exterip2 80 interserv 81
static (inside,outside) tcp exterip3 80 interserv 82

access-list acl_out permit tcp any host exterip1 eq 80
access-list acl_out permit tcp any host exterip2 eq 80
access-list acl_out permit tcp any host exterip3 eq 80

access-group acl_out in interface outside
---------------------------------------------------
Note: interserv is listening on different ports (80,81,82) for the different public ip addresses