pix config for nat port 80 and port 8080 to same internal ip and port?

wolfmanjm
Level 1

Hi,

I've been struggling with this for a while, and searched for an answer which has eluded me so far.

I currently have a Pix 515E Version 6.3(5) set up to allow incoming requests on port 80 to be redirected to a server at port 8162 and incoming requests on port 8080 to redirect to the same server at port 8080. (The internal and external IPs are the same, i.e. 1:1 NAT.)

static (inside,outside) tcp xxx.xxx.xxx.34 www xxx.xxx.xxx.34 8162 netmask 255.255.255.255 0 0

static (inside,outside) tcp xxx.xxx.xxx.34 8080 xxx.xxx.xxx.34 8080 netmask 255.255.255.255 0 0

This works but means I need to have two listeners running on the server, one on port 8162 and one on port 8080.

What I really want to do is have a request for port 80 or port 8080 redirect to the same port 8162.

So this would be what I want to do, but of course this doesn't work, as static NAT needs the destinations to be different according to the docs, and I do get an error as shown below.

static (inside,outside) tcp xxx.xxx.xxx.34 www xxx.xxx.xxx.34 8162 netmask 255.255.255.255 0 0

static (inside,outside) tcp xxx.xxx.xxx.34 8080 xxx.xxx.xxx.34 8162 netmask 255.255.255.255 0 0

Gets error...

ERROR: duplicate of existing static

tcp from inside:xxx.xxx.xxx.35/8162 to outside:xxx.xxx.xxx.35/80 netmask 255.255.255.255

I have looked at policy NAT, but I don't see how to specify what port to map to.

This seems like a pretty common thing to want to do, so is it possible? If so, how?

Thanks for any help.

3 Replies

JORGE RODRIGUEZ
Level 10

Cannot be possible on PIX/ASA the way you want to do it; even using the policy NAT below you would get a dup error right on the static entries. I tested it on ASA but it did not work using the ports below; you would need another spare public IP.

This scenario did NOT work

access-list policy_nat_port8080 extended permit ip host xxx.xxx.xxx.34 any

access-list policy_nat_port8162 extended permit ip host xxx.xxx.xxx.34 any

access-list outside_access_in extended permit tcp any host eq 8080 log

access-list outside_access_in extended permit tcp any host eq 8162 log

static (inside,outside) interface access-list policy_nat_port8080

static (inside,outside) interface access-list policy_nat_port8162 <-- static dup error

With policy NAT it would work if you had two spare public IP addresses mapping a single inside address.

Now, I did not test this, but what you could try is give your local server xxx.xxx.xxx.34 a secondary inside IP address in the server's TCP/IP settings, say xxx.xxx.xxx.36.

Then your static would be as follows.

And add an ACL accordingly for xxx.xxx.xxx.36; I believe this should work.

static (inside,outside) tcp xxx.xxx.xxx.34 www xxx.xxx.xxx.34 8162 netmask 255.255.255.255

static (inside,outside) tcp xxx.xxx.xxx.34 8080 xxx.xxx.xxx.36 8080 netmask 255.255.255.255

Let us know how it works out; it is worth a try.

HTH

Rgds

Jorge

Jorge Rodriguez

Thanks for the answer.

I had thought of two IP addresses, and I'm sure that would work, although I think you meant the following...

static (inside,outside) tcp xxx.xxx.xxx.34 www xxx.xxx.xxx.34 8162 netmask 255.255.255.255

static (inside,outside) tcp xxx.xxx.xxx.34 8080 xxx.xxx.xxx.36 8162 netmask 255.255.255.255

However, I have limited IP addresses to do this as I use 1:1 mapping. If I switched over to real NAT and used a 192.168.x.x on the inside I could do it.

static (inside,outside) tcp xxx.xxx.xxx.34 www 192.168.1.1 8162 netmask 255.255.255.255

static (inside,outside) tcp xxx.xxx.xxx.34 8080 192.168.1.2 8162 netmask 255.255.255.255

where 192.168.1.1 and 192.168.1.2 are the same server.

That may be a better solution than what I do right now; however, I am very surprised that the PIX cannot do this, as it seems to be a common need to map different ports to the same destination port. I do that all the time with the OpenBSD PF based firewalls I use. If indeed the PIX can't do it, then I think I need to find a new firewall device that can do it.

Thanks

Yes, I meant your second option example; that should work.

static (inside,outside) tcp xxx.xxx.xxx.34 www 192.168.1.1 8162 netmask 255.255.255.255

static (inside,outside) tcp xxx.xxx.xxx.34 8080 192.168.1.2 8162 netmask 255.255.255.255

Jorge Rodriguez
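As an added illustration (not part of the thread and not Cisco's own code), here is a small Python model of the duplicate-static check the PIX applies, useful for validating a set of port-redirect statics before pushing them. It is run over constructed configs mirroring the three variants discussed above: the two-listener setup that works, the same-inside-port variant that is rejected, and the two-inside-IP variant confirmed in the last reply. The PIX-style message wording, the parsed syntax subset and the service-name table are assumptions; 203.0.113.34 stands in for the masked xxx.xxx.xxx.34.

```python
import re
from typing import Dict, List, Tuple

# PIX 6.3 port-redirect static as posted in the thread. Assumption: only the
# "static (real,mapped) tcp|udp GLOBAL GPORT LOCAL LPORT netmask ..." form is
# parsed; plain 1:1 statics without a protocol keyword are ignored.
STATIC_RE = re.compile(
    r"^static\s+\((?P<real_if>\w+),(?P<map_if>\w+)\)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<global_ip>\S+)\s+(?P<global_port>\S+)\s+"
    r"(?P<local_ip>\S+)\s+(?P<local_port>\S+)\s+netmask\b"
)
NAMED_PORTS = {"www": "80", "http": "80", "https": "443"}  # names PIX accepts (subset)

def port_number(p: str) -> str:
    return NAMED_PORTS.get(p.lower(), p)

def check_statics(config: str) -> List[str]:
    """Model of the duplicate-static check: a new translation is rejected when
    its real (inside) ip/port or its mapped (outside) ip/port is already owned
    by an earlier static. Returns one PIX-style message per rejected line."""
    seen: Dict[Tuple[str, str, str, str], str] = {}
    errors: List[str] = []
    for raw in config.splitlines():
        m = STATIC_RE.match(raw.strip())
        if not m:
            continue
        real = (m["proto"], "real", m["local_ip"], port_number(m["local_port"]))
        mapped = (m["proto"], "mapped", m["global_ip"], port_number(m["global_port"]))
        desc = (f"{m['proto']} from {m['real_if']}:{real[2]}/{real[3]} "
                f"to {m['map_if']}:{mapped[2]}/{mapped[3]}")
        clash = seen.get(real) or seen.get(mapped)
        if clash:
            errors.append(f"ERROR: duplicate of existing static {clash}")
            continue  # a rejected line claims no tuple, as on the PIX
        seen[real] = seen[mapped] = desc
    return errors

# Constructed samples mirroring the three variants in the thread.
TWO_LISTENERS = """
static (inside,outside) tcp 203.0.113.34 www 203.0.113.34 8162 netmask 255.255.255.255 0 0
static (inside,outside) tcp 203.0.113.34 8080 203.0.113.34 8080 netmask 255.255.255.255 0 0
"""
SAME_INSIDE_PORT = """
static (inside,outside) tcp 203.0.113.34 www 203.0.113.34 8162 netmask 255.255.255.255 0 0
static (inside,outside) tcp 203.0.113.34 8080 203.0.113.34 8162 netmask 255.255.255.255 0 0
"""
TWO_INSIDE_IPS = """
static (inside,outside) tcp 203.0.113.34 www 192.168.1.1 8162 netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.34 8080 192.168.1.2 8162 netmask 255.255.255.255
"""
```

`check_statics(SAME_INSIDE_PORT)` reports the second line as a duplicate of the first because both claim inside 203.0.113.34/8162, while the other two configs pass cleanly.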