PIX - static and port redirection for the same host

Answered Question
Mar 10th, 2004

PIX version 6.2


I was looking at the following config:

static (inside,outside) tcp 172.18.124.99 telnet 10.1.1.6 telnet netmask 255.255.255.255 0 0
static (inside,outside) tcp 172.18.124.99 ftp 10.1.1.3 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp 172.18.124.208 telnet 10.1.1.4 telnet netmask 255.255.255.255 0 0
static (inside,outside) tcp interface telnet 10.1.1.5 telnet netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 10.1.1.5 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 172.18.124.208 8080 10.1.1.7 www netmask 255.255.255.255 0 0

from this URL,

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aad.shtml#topic11

and was wondering if the following configuration will work or not:

static(inside,outside) tcp 172.18.124.10 <AAAA> 10.1.1.10 <BBBB> netmask 255.255.255.255 0 0
static(inside,outside) tcp 172.18.124.10 <CCCC> 10.1.1.10 <CCCC> netmask 255.255.255.255 0 0



Thanks in advance for any input.


Ariel

Correct Answer
gfullage Wed, 03/10/2004 - 20:00

Yep, that'll be OK. What you can't have is this:

static(inside,outside) tcp 172.18.124.10 10.1.1.10 netmask 255.255.255.255 0 0
static(inside,outside) tcp 172.18.124.10 10.1.1.10 netmask 255.255.255.255 0 0

and you also can't have:

static(inside,outside) tcp 172.18.124.10 10.1.1.10 netmask 255.255.255.255 0 0
static(inside,outside) tcp 172.18.124.10 10.1.1.10 netmask 255.255.255.255 0 0

In other words, you can't map the same port to two different ports, in either direction. The PIX will get confused when it receives a packet on the duplicated port and doesn't know which host to map it to. As long as all the inside and outside ports map to unique ports on the other interface then you're OK.

a.manosca Wed, 03/10/2004 - 21:26

Thanks a lot for that quick and helpful reply, Glenn.

If I may ask another question, is it possible to select 2 or 3 addresses from a network already configured with 'static' to be used for port redirection as a separate entry?

static(inside,outside) 172.18.124.0 10.1.1.0 netmask 255.255.255.0
static(inside,outside) tcp 172.18.124.10 10.1.1.10 netmask 255.255.255.255 0 0
static(inside,outside) tcp 172.18.124.10 10.1.1.10 netmask 255.255.255.255 0 0
static(inside,outside) tcp 172.18.124.11 10.1.1.11 netmask 255.255.255.255 0 0
static(inside,outside) tcp 172.18.124.11 10.1.1.11 netmask 255.255.255.255 0 0

With the above config, address overlap exists. So how can I modify the first static command to exclude the .10 and .11 to avoid overlapping addresses, without configuring individual static entries for addresses other than .10 and .11?

I tried searching CCO as well as the NetPro forum but I wasn't able to find a similar or related question.

Any help or advice is greatly appreciated.


Ariel

gfullage Thu, 03/11/2004 - 01:26

Actually the above should work; the messages you're getting are warnings, not errors. The commands will still be placed in the config.


Statics are read from top down, and the first one to match will be used and no more will be read (sort of like a permit in an access-list). As long as they appear in the config with the network static at the bottom, the more specific port statics will be used in preference to them since they will be read first.


New statics are placed at the top I believe, so if you enter them in the order you have them listed above, then the network static should be at the bottom and it all should work for you.
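A small checker for the two rules stated in these replies (no outside or inside (ip, port) tuple may map to two different tuples on the other side, and statics are matched top-down with the first hit winning, so port statics must sit above a network static). This is an added example, not code from the thread or from Cisco; the config, the port-name table and the function names are constructed for illustration.

```python
import re
from ipaddress import ip_address, ip_network
# Constructed config (added example, not from the thread): named ports stand in for the
# <AAAA>/<BBBB>/<CCCC> placeholders, and the .11 www line reuses 10.1.1.10 www on purpose.
SAMPLE_CONFIG = """
static (inside,outside) tcp 172.18.124.10 8080 10.1.1.10 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 172.18.124.10 telnet 10.1.1.10 telnet netmask 255.255.255.255 0 0
static (inside,outside) tcp 172.18.124.11 www 10.1.1.10 www netmask 255.255.255.255 0 0
static (inside,outside) 172.18.124.0 10.1.1.0 netmask 255.255.255.0
"""
PORT_NAMES = {"www": 80, "telnet": 23, "ftp": 21}  # assumed subset of PIX port keywords
PORT_RE = re.compile(r"^static\s*\(\w+,\w+\)\s+(tcp|udp)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+netmask\s+(\S+)")
NET_RE = re.compile(r"^static\s*\(\w+,\w+\)\s+(\S+)\s+(\S+)\s+netmask\s+(\S+)")

def port_number(tok):
    return PORT_NAMES.get(tok) or int(tok)  # named or numeric port

def parse_statics(text):
    """Parse static lines into dicts, keeping config order (the PIX reads them top-down)."""
    entries = []
    for line in text.strip().splitlines():
        if m := PORT_RE.match(line):
            proto, gip, gport, lip, lport, _ = m.groups()
            entries.append({"proto": proto, "global": (gip, port_number(gport)), "local": (lip, port_number(lport))})
        elif m := NET_RE.match(line):
            gnet, lnet, mask = m.groups()
            entries.append({"global_net": ip_network(f"{gnet}/{mask}"), "local_net": ip_network(f"{lnet}/{mask}")})
    return entries

def find_conflicts(entries):
    """Flag one (proto, ip, port) on either side that maps to two different tuples on the other."""
    conflicts, seen = [], {}
    for side, other in (("global", "local"), ("local", "global")):
        for e in (e for e in entries if "global" in e):
            key = (side, e["proto"], e[side])
            if key in seen and seen[key] != e[other]:
                conflicts.append((side, e[side], seen[key], e[other]))
            seen.setdefault(key, e[other])
    return conflicts

def match_inbound(entries, dst_ip, dst_port, proto="tcp"):
    """First matching static wins; a network static placed above port statics shadows them."""
    for e in entries:
        if "global" in e:
            if e["proto"] == proto and e["global"] == (dst_ip, dst_port):
                return e["local"]
        elif ip_address(dst_ip) in e["global_net"]:
            offset = int(ip_address(dst_ip)) - int(e["global_net"].network_address)
            return (str(e["local_net"].network_address + offset), dst_port)
    return None
```

Running `match_inbound` over the same entries in reversed order shows the shadowing case: with the network static first, 172.18.124.10:8080 lands on 10.1.1.10:8080 instead of the intended 10.1.1.10:80.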

a.manosca Thu, 03/11/2004 - 16:54

Looks like I really need to do more reading and research.

I will surely take note of all the information you've given me.

Thanks a lot for your help.


Ariel
