pix config for nat port 80 and port 8080 to same internal ip and port?

Mar 22nd, 2008

Hi,


I've been struggling with this for a while, and searched for an answer which has eluded me so far.


I currently have a Pix 515E Version 6.3(5) setup to allow incoming requests on port 80 to be redirected to a server at port 8162 and incoming requests on port 8080 to redirect to the same server at port 8080. (The internal and external IPs are the same, i.e. 1:1 NAT.)



static (inside,outside) tcp xxx.xxx.xxx.34 www xxx.xxx.xxx.34 8162 netmask 255.255.255.255 0 0

static (inside,outside) tcp xxx.xxx.xxx.34 8080 xxx.xxx.xxx.34 8080 netmask 255.255.255.255 0 0


This works but means I need to have two listeners running on the server one on port 8162 and one on port 8080.


What I really want to do is have a request for port 80 or port 8080 redirect to the same port 8162


So this would be what I want to do, but of course this doesn't work, as static NAT needs the destinations to be different according to the docs, and I do get an error as shown below.


static (inside,outside) tcp xxx.xxx.xxx.34 www xxx.xxx.xxx.34 8162 netmask 255.255.255.255 0 0

static (inside,outside) tcp xxx.xxx.xxx.34 8080 xxx.xxx.xxx.34 8162 netmask 255.255.255.255 0 0


Gets error...


ERROR: duplicate of existing static


tcp from inside:xxx.xxx.xxx.35/8162 to outside:xxx.xxx.xxx.35/80 netmask 255.255.255.255


I have looked at policy NAT, but I don't see how to specify what port to map to.


This seems like a pretty common thing to want to do, so is it possible? If so, how?


Thanks for any help.




JORGE RODRIGUEZ Sat, 03/22/2008 - 19:55

This cannot be done on PIX/ASA the way you want to do it; even using the policy NAT below you would get the duplicate error right on the static entries. I tested it on an ASA but it did not work using the ports below; you would need another spare public IP.


This scenario did NOT work

access-list policy_nat_port8080 extended permit ip host xxx.xxx.xxx.34 any

access-list policy_nat_port8162 extended permit ip host xxx.xxx.xxx.34 any

access-list outside_access_in extended permit tcp any host eq 8080 log

access-list outside_access_in extended permit tcp any host eq 8162 log

static (inside,outside) interface access-list policy_nat_port8080

static (inside,outside) interface access-list policy_nat_port8162 <-- static dup error



With policy NAT it would work if you had two spare public IP addresses mapping to a single inside address.


Now, I did not test this, but what you could try is to give your local server xxx.xxx.xxx.34 a secondary inside IP address in the server's TCP/IP settings, say xxx.xxx.xxx.36.


Then your statics would be as follows, and add the ACL accordingly for xxx.xxx.xxx.36; I believe this should work.


static (inside,outside) tcp xxx.xxx.xxx.34 www xxx.xxx.xxx.34 8162 netmask 255.255.255.255

static (inside,outside) tcp xxx.xxx.xxx.34 8080 xxx.xxx.xxx.36 8080 netmask 255.255.255.255


Let us know how it works out; it is worth a try.


HTH

Rgds

Jorge


wolfmanjm Sat, 03/22/2008 - 20:51

Thanks for the answer.


I had thought of two IP addresses, and I'm sure that would work, although I think you meant the following...



static (inside,outside) tcp xxx.xxx.xxx.34 www xxx.xxx.xxx.34 8162 netmask 255.255.255.255


static (inside,outside) tcp xxx.xxx.xxx.34 8080 xxx.xxx.xxx.36 8162 netmask 255.255.255.255


However, I have limited IP addresses to do this as I use 1:1 mapping. If I switched over to real NAT and used a 192.168.x.x on the inside, I could do it.


static (inside,outside) tcp xxx.xxx.xxx.34 www 192.168.1.1 8162 netmask 255.255.255.255


static (inside,outside) tcp xxx.xxx.xxx.34 8080 192.168.1.2 8162 netmask 255.255.255.255


where 192.168.1.1 and 192.168.1.2 are the same server.


That may be a better solution than what I do right now. However, I am very surprised that the PIX cannot do this, as it seems to be a common need to map different ports to the same destination port; I do that all the time with the OpenBSD PF-based firewalls I use. If indeed the PIX can't do it, then I think I need to find a new firewall device that can.


Thanks



JORGE RODRIGUEZ Sat, 03/22/2008 - 22:34

Yes, I meant your second option example; that should work.

static (inside,outside) tcp xxx.xxx.xxx.34 www 192.168.1.1 8162 netmask 255.255.255.255


static (inside,outside) tcp xxx.xxx.xxx.34 8080 192.168.1.2 8162 netmask 255.255.255.255
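As an added example (not from the thread or from Cisco), here is a small Python checker for the collision the original poster hit: as the thread shows, a PIX 6.3 port static must have a unique real (inside) address/port as well as a unique mapped (outside) one, so the code below splits each static line into its two endpoints and reports any endpoint reused across the set. Addresses are treated as opaque tokens so the masked lines from the thread can be fed in unchanged, and the port-keyword table is only a small subset of what the PIX accepts.

```python
import re
from collections import defaultdict

PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ftp": 21, "ssh": 22, "smtp": 25}  # PIX port keywords (subset)

# static (real_ifc,mapped_ifc) {tcp|udp} mapped_ip mapped_port real_ip real_port netmask mask [max_conns [emb_limit]]
STATIC_RE = re.compile(
    r"^static\s+\((?P<real_ifc>\w+),(?P<mapped_ifc>\w+)\)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<mapped_ip>\S+)\s+(?P<mapped_port>\S+)\s+(?P<real_ip>\S+)\s+(?P<real_port>\S+)\s+netmask\s+\S+"
)

def parse_port(token):
    """Resolve a numeric or keyword port; anything else is rejected."""
    if token.isdigit():
        return int(token)
    if token in PORT_NAMES:
        return PORT_NAMES[token]
    raise ValueError(f"unknown port token: {token}")

def parse_static(line):
    """Split one port static into its mapped (outside) and real (inside) endpoints."""
    m = STATIC_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a port static: {line!r}")
    g = m.groupdict()
    return {"mapped": (g["mapped_ifc"], g["proto"], g["mapped_ip"], parse_port(g["mapped_port"])),
            "real": (g["real_ifc"], g["proto"], g["real_ip"], parse_port(g["real_port"]))}

def find_duplicates(lines):
    """Return (side, endpoint, [line numbers]) for each endpoint reused across statics; [] means no collision."""
    seen = defaultdict(list)
    for n, line in enumerate(lines, 1):
        s = parse_static(line)
        for side in ("mapped", "real"):
            seen[(side, s[side])].append(n)
    return [(side, ep, nums) for (side, ep), nums in seen.items() if len(nums) > 1]

# Constructed from the thread (addresses masked as on the page).
DESIRED = [  # rejected by the PIX: both statics land on inside xxx.xxx.xxx.34:8162
    "static (inside,outside) tcp xxx.xxx.xxx.34 www xxx.xxx.xxx.34 8162 netmask 255.255.255.255 0 0",
    "static (inside,outside) tcp xxx.xxx.xxx.34 8080 xxx.xxx.xxx.34 8162 netmask 255.255.255.255 0 0",
]
TWO_ADDRESSES = [  # the workaround: a second inside address on the same server
    "static (inside,outside) tcp xxx.xxx.xxx.34 www 192.168.1.1 8162 netmask 255.255.255.255",
    "static (inside,outside) tcp xxx.xxx.xxx.34 8080 192.168.1.2 8162 netmask 255.255.255.255",
]

if __name__ == "__main__":
    for name, cfg in (("desired", DESIRED), ("two addresses", TWO_ADDRESSES)):
        print(name, "->", find_duplicates(cfg) or "OK")
```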

