01-04-2012 04:49 AM - edited 03-11-2019 03:09 PM
Hi,
I have a PIX 515 that I need to use as an IP redirector.
For example, if users try to access 80.80.80.80, they need to be redirected to 90.90.90.90.
Is it possible?
show ver:
Hardware: PIX-515E, 128 MB RAM, CPU Pentium II 433 MHz
Flash E28F128J3 @ 0xfff00000, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB
0: Ext: Ethernet0 : address is 000b.5fad.0c99, irq 10
1: Ext: Ethernet1 : address is 000b.5fad.0c9a, irq 11
Licensed features for this platform:
Maximum Physical Interfaces : 6
Maximum VLANs : 25
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Disabled
Cut-through Proxy : Enabled
Guards : Enabled
URL Filtering : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
VPN Peers : Unlimited
This platform has an Unrestricted (UR) license.
thanks in advance for the help.
T
01-04-2012 06:19 AM
Hi Thuven,
You can use static NAT for this. See this page for more details and examples:
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/cfgnat.html#wp1043190
-Mike
01-04-2012 06:30 AM
If your 90.90.90.90 is on a locally connected segment you can use a static route such as the one below, assuming you already have NAT in place for 80.80.80.80 (static NAT):
route <inside or dmz> 80.80.80.80 255.255.255.255 90.90.90.x
Thanks
Rizwan Rafeek.
01-04-2012 10:42 PM
Hi,
Both IPs are on the outside interface; I am trying to redirect users on my LAN.
Any ideas?
01-05-2012 05:12 AM
Hi Thuven,
You can try something like this:
static (outside,inside) 80.80.80.80 90.90.90.90 netmask 255.255.255.255
When users on the inside try to access 80.80.80.80, the PIX will change the destination IP of the packet to be 90.90.90.90.
-Mike
01-05-2012 06:19 AM
I am not 100 percent sure exactly what it is that you are trying to accomplish, based on the information you provided so far.
You said: "both IPs are on the outside interface, i am trying to redirect users on my lan."
I assume that you have sub-interface IP addresses (two IPs) on the outside interface; if so, you need policy-based NAT.
Regular NAT:
access-list allow-nat-all extended permit ip 80.80.80.0 255.255.255.0 any
global (outside) 1 interface
nat (inside) 1 access-list allow-nat-all
Policy NAT:
access-list allow-nat-specific extended permit ip host 80.80.80.80 host 90.90.90.90
global (outside) 2 xxx.xxx.xxx.xxx
nat (inside) 2 access-list allow-nat-specific
Let me know if this is what you want.
Thanks
Rizwan Rafeek
01-05-2012 11:05 PM
Thanks Mike and Rizwanr,

                         A
                        /
                       /
L ---[PIX]---- {Internet}
                       \
                        \
                         B

OK, I think I should try to explain it a bit better:
L = LAN
A = 80.80.80.80
B = 90.90.90.90
So if the LAN users try to access A, they should be redirected to B.
Hope this helps,
Mike, if I use the static NAT you suggested, 90.90.90.90 would need to reside on the LAN (right?)
01-06-2012 05:07 AM
Hi Thuven,
The diagram didn't get formatted very well so I'm not sure if I understand. However, using the static NAT I suggested would meet the written requirements you have (users trying to access A would be redirected to B).
In this case, only B is the real host that lives on the Internet. You can think of A as just a virtual IP address that the PIX will do a translation for. If the PIX receives a packet destined for A on the LAN interface, it will just re-write the destination of the packet to B and send it on based on the routing table.
-Mike
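Below is an added, complete PIX 7.x configuration for the destination NAT Mike describes; it is not from the thread or from Cisco's documentation. The interface names, the inside subnet 192.168.1.0/24, the outside address 203.0.113.2/29 and the ISP gateway 203.0.113.1 are assumptions chosen for the example; the two public addresses are the ones from the question.

```cisco
! Added example (not from the original post). Interface names, the inside
! subnet, the outside address and the ISP gateway are assumed values.
interface Ethernet0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
! Ordinary outbound PAT so LAN hosts can reach the Internet at all
! (NAT control requires a translation for inside-to-outside traffic).
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
!
! Destination NAT: static (real_ifc,mapped_ifc) mapped_ip real_ip.
! An inside host sending to 80.80.80.80 (mapped) has its destination
! rewritten to 90.90.90.90 (real) before the route lookup; replies from
! 90.90.90.90 are untranslated back to 80.80.80.80 so the client's socket
! still matches.
static (outside,inside) 80.80.80.80 90.90.90.90 netmask 255.255.255.255
!
! The only route needed: the rewritten packet follows the default route
! to the ISP, which delivers it to 90.90.90.90 like any other Internet host.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
```

Note that no route for 90.90.90.90 is required, because the PIX translates the destination first and only then consults the routing table, where the default route covers it. The rewrite is IP-layer only: the client still believes it is talking to 80.80.80.80, so an HTTP Host header or a TLS certificate check will refer to A, not B. On 7.2 and later you can confirm the translation with `packet-tracer input inside tcp 192.168.1.10 12345 80.80.80.80 80` and watch the active translation with `show xlate`.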
01-06-2012 06:07 AM
Thuven and Mike,
The requirement is that traffic is initiated from the LAN but not from the Internet users, therefore static NAT is out of the question.
If Thuven's PIX has one leg (i.e. physical interface) facing the ISP's circuit, then there is only one route on the PIX, which takes all traffic to unknown destinations to the default gateway (i.e. the default route) on the PIX.
If, on the other hand, Thuven's PIX has two ISP circuits facing the Internet (i.e. physical or sub-interfaces), then policy-based NAT will do the trick.
01-08-2012 11:02 PM
Hi,
Sorry for the late reply.
The PIX has only one interface to the Internet.
OK, so the users can access anything, but if they try to access 80.80.80.80 they should be redirected to 90.90.90.90 (both IPs live on the Internet).
Hope this helps more.
I will try to draw a more detailed diagram.
01-09-2012 09:00 AM
You cannot influence how your ISP transmits Internet-bound traffic on their network.
Since you do not have a next-hop address pointing to 90.90.90.90, you cannot redirect traffic to 90.90.90.90, only to your default gateway.
However, if you own the IP (i.e. 90.90.90.90) and it is accessible on your circuit, then you will be able to do policy NAT; other than that there is nothing you can do with a limited Internet circuit on the PIX outside interface.
01-10-2012 12:45 AM
So that means a PIX can inspect a packet and change the destination from one IP to another on the WWW?
01-10-2012 06:21 AM
As far as I know, you can change the next-hop address, and in your case there is only one next hop, i.e. the default gateway pointing all unknown traffic to a single destination, the ISP gateway.
Take care.
Thanks
Rizwan Rafeek