
Port Redirection and NAT

mike-greene
Level 4

Hi,

I have a situation where I have a single NAT'ed server that needs ports http, https and a port redirection from 8080 to https done from the Internet into our DMZ. Currently, I have a regular static and ACL that allows http and https traffic. The port redirection piece is the question here because the only way I know how to do this is with a static statement. I already have one static for the http and https traffic so I can't add another for the redirection part.

Is there another way to do port redirection without using statics?

Thanks in advance.


CSCO10905906
Level 1

Hi Mike,

Your question is not very clear.

Hope the below command will help you to resolve your issue.

(config)# static (inside,outside) tcp interface or publicip www 192.168.10.10 www netmask 255.255.255.255

(config)# static (inside,outside) tcp interface or publicip https 192.168.10.10 https netmask 255.255.255.255

(config)# static (inside,outside) tcp interface or publicip 8080 192.168.10.20 https netmask 255.255.255.255

Regards

Naveen

Thanks Naveen,

Thanks for the reply. I need the config to look like this..

static (dmz,outside) tcp 125.x.x.34 www 192.x.x.34 www netmask 255.255.255.255

static (dmz,outside) tcp 125.x.x.34 https 192.x.x.34 https netmask 255.255.255.255

static (dmz,outside) tcp 125.x.x.34 8888 192.x.x.34 https netmask 255.255.255.255

The last static gives me a duplicate error because the static above it allows https already, I'm assuming.

Thanks.

Unfortunately, it is a dup static entry for https doing it that way using the same local host, unless you assign a secondary IP address on the server, e.g. 192.x.x.35 as a second IP.

But probably the best way is to work around it by using policy NAT.

Doing it with a secondary server IP, e.g. 192.x.x.35, would be:

static (dmz,outside) tcp 125.x.x.34 https 192.x.x.34 https netmask 255.255.255.255

static (dmz,outside) tcp 125.x.x.34 8888 192.x.x.35 https netmask 255.255.255.255

Doing it with policy NAT: no need for a secondary IP address on the server, using the same 192.x.x.34 address.

access-list policy_nat1 permit tcp host 192.x.x.34 eq https any

access-list policy_nat2 permit tcp host 192.x.x.34 eq https any

static (dmz,outside) tcp 125.x.x.34 https access-list policy_nat1

static (dmz,outside) tcp 125.x.x.34 8888 access-list policy_nat2

Regards

Jorge Rodriguez
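An added example, not part of the thread and not Cisco tooling: a small Python check that parses port-redirect statics in the syntax posted above and flags entries that translate the same real interface, protocol, address and port, which is the condition the thread reports as a duplicate. The function names and the sample config are constructed for illustration; addresses are masked as in the thread.

```python
import re
from collections import defaultdict

# Constructed sample: the three statics from the thread, addresses masked as posted.
SAMPLE_CONFIG = """\
static (dmz,outside) tcp 125.x.x.34 www 192.x.x.34 www netmask 255.255.255.255
static (dmz,outside) tcp 125.x.x.34 https 192.x.x.34 https netmask 255.255.255.255
static (dmz,outside) tcp 125.x.x.34 8888 192.x.x.34 https netmask 255.255.255.255
"""
PORT_NAMES = {"www": "80", "https": "443"}  # port keywords used in the thread

# static (real_ifc,mapped_ifc) proto mapped_ip mapped_port real_ip real_port ...
STATIC_RE = re.compile(
    r"^\s*(?:\(config\)#\s*)?static\s+\((?P<real_if>[^,\s]+),(?P<mapped_if>[^)\s]+)\)\s+"
    r"(?P<proto>tcp|udp)\s+(?P<mapped_ip>\S+)\s+(?P<mapped_port>\S+)\s+"
    r"(?P<real_ip>\S+)\s+(?P<real_port>\S+)"
)

def parse_statics(config):
    """Return one dict per port-redirect static; other lines are skipped."""
    entries = []
    for lineno, line in enumerate(config.splitlines(), 1):
        m = STATIC_RE.match(line)
        # Policy-NAT statics ("... access-list NAME") carry no real ip/port inline.
        if m and m["real_ip"] != "access-list":
            d = {**m.groupdict(), "line": lineno}
            for k in ("mapped_port", "real_port"):
                d[k] = PORT_NAMES.get(d[k], d[k])  # so "https" and "443" compare equal
            entries.append(d)
    return entries

def find_conflicts(entries):
    """Report real endpoints and mapped endpoints that appear in more than one static."""
    by_real, by_mapped = defaultdict(list), defaultdict(list)
    for e in entries:
        by_real[(e["real_if"], e["proto"], e["real_ip"], e["real_port"])].append(e["line"])
        by_mapped[(e["mapped_if"], e["proto"], e["mapped_ip"], e["mapped_port"])].append(e["line"])
    return {
        "duplicate_real": {k: v for k, v in by_real.items() if len(v) > 1},
        "duplicate_mapped": {k: v for k, v in by_mapped.items() if len(v) > 1},
    }

def exposed_ports(entries, mapped_if="outside"):
    """Ports published on the mapped interface, for comparison with the inbound ACL."""
    return sorted({(e["mapped_ip"], e["mapped_port"]) for e in entries if e["mapped_if"] == mapped_if})

if __name__ == "__main__":
    parsed = parse_statics(SAMPLE_CONFIG)
    print(find_conflicts(parsed), exposed_ports(parsed))
```

The `exposed_ports` list is worth comparing against the outside ACL after any redirect is added, since each new static publishes another port to the Internet.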

Thanks!!

We found out that the server did not need redirection but thanks for the solution for future use.

Thanks Again.

You're welcome Mike, thanks for rating.

Regards

Jorge Rodriguez