Community Member

Static "interface" command clarification

I have static statements like:

static (inside,outside) 29.7.245.132 192.168.1.13 netmask 255.255.255.255 0 0

static (inside,outside) 29.7.245.136 192.168.1.8 netmask 255.255.255.255 0 0

However, I wish to redirect HTTPS and WWW traffic to a different LAN IP, and 3389 traffic to another.

I know:

static (inside,outside) tcp interface www 192.168.1.5 www netmask 255.255.255.255

Is a way to redirect specific ports, but which "interface" is it referring to? I want WWW traffic destined for 29.7.245.132 to be re-routed, not traffic for 29.7.245.136. But this static entry with "interface" doesn't appear to specify?

Any help or clarification?

Sorry, still learning the ins and outs of PIX lingo.


5 REPLIES

Re: Static "interface" command clarification

In your query above, the interface refers to the Outside Interface.

Now suppose the IP on the Outside interface is 29.7.245.132 and you want to achieve this:

- traffic coming to Outside IP 29.7.245.132 on port 80 should be redirected to the inside IP 192.168.1.10 on port 80

- traffic coming to Outside IP 29.7.245.132 on port 3389 should be redirected to the inside IP 192.168.1.21 on port 3389

then use these commands:

static (inside,Outside) tcp 29.7.245.132 80 192.168.1.10 80

static (inside,Outside) tcp 29.7.245.132 3389 192.168.1.220 3389

-------------------------------------------

Also this can be done

static (inside,outside) tcp interface 3389 192.169.7.100 3389 netmask 255.255.255.255

static (inside,outside) tcp interface 80 192.169.7.100 80 netmask 255.255.255.255

-------------------------------------------

Add ACL,

access-list out-in permit tcp any host 29.7.245.132 eq 443

access-list out-in permit tcp any host 29.7.245.132 eq 80

access-group out-in in interface Outside

Community Member

Re: Static "interface" command clarification

Ah hah,

So given your example, if the Outside IP was 29.7.245.132

But I was also directing traffic for 29.7.245.133

And I wanted WWW and HTTPS traffic going to 29.7.245.133 to be redirected to 192.168.1.5

And I wanted 3389 traffic going to 29.7.245.133 to be redirected to 192.168.1.10

I would do:

static (inside,outside) tcp 29.7.245.133 www 192.168.1.5 www

static (inside,outside) tcp 29.7.245.133 https 192.168.1.5 https

static (inside,outside) tcp 29.7.245.133 3389 192.168.1.10 3389

And do the ACLs

Would that work?

Re: Static "interface" command clarification

yes that will work, provided you have the correct ACL :)

Hall of Fame Super Blue

Re: Static "interface" command clarification

Scott

The "interface" refers to whichever interface you have specified in your static statement, i.e.

static (inside,outside) tcp interface www 192.168.1.5 www netmask 255.255.255.255

In the above you have specified static (inside,outside), so the interface is the outside interface, and the IP address of the outside interface is the one that's used.

If your statement was

static (inside,DMZ) tcp interface www 192.168.1.5 www netmask 255.255.255.255

where DMZ is the name of your DMZ interface then the "interface" would refer to the DMZ interface IP address.

Jon

Community Member

Re: Static "interface" command clarification

OHHHH!

Wow, that clarification of the (inside,DMZ) and (inside,outside) helped *so* much!

Thanks to both of you!
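Added example (not part of the original thread and not any poster's code): a small Python audit that resolves the "interface" keyword to the address of the second-named interface in the parentheses, as explained above, and lists port redirects that have no matching ACL permit. The interface addresses, the DMZ address and the sample configuration are constructed assumptions, and only the `permit tcp any host <ip> eq <port>` ACL form used in the thread is recognised.

```python
import re

# Port keywords that appear in the thread's commands.
PORTS = {"www": 80, "https": 443}
STATIC_RE = re.compile(
    r"static\s*\((\w+),(\w+)\)\s+(tcp|udp)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)", re.I)
ACL_RE = re.compile(
    r"access-list\s+\S+\s+permit\s+(tcp|udp)\s+any\s+host\s+(\S+)\s+eq\s+(\S+)", re.I)


def port(tok):
    """Translate a port keyword or number to an integer."""
    return PORTS.get(tok.lower()) or int(tok)


def parse_statics(config, iface_ips):
    """Return port-redirect statics, resolving 'interface' to the mapped
    (second-named) interface's address, e.g. DMZ for (inside,DMZ)."""
    out = []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if not m:
            continue  # plain one-to-one statics and other lines are skipped
        _real_if, mapped_if, proto, mapped_ip, mport, real_ip, rport = m.groups()
        if mapped_ip.lower() == "interface":
            mapped_ip = iface_ips[mapped_if.lower()]
        out.append({"proto": proto.lower(), "mapped_ip": mapped_ip,
                    "mapped_port": port(mport), "real_ip": real_ip,
                    "real_port": port(rport)})
    return out


def unpermitted(config, iface_ips):
    """List (mapped_ip, mapped_port) redirects with no matching permit line."""
    permits = set()
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            permits.add((m.group(1).lower(), m.group(2), port(m.group(3))))
    return [(s["mapped_ip"], s["mapped_port"])
            for s in parse_statics(config, iface_ips)
            if (s["proto"], s["mapped_ip"], s["mapped_port"]) not in permits]


# Constructed sample in the thread's syntax; interface addresses are assumed.
IFACE_IPS = {"outside": "29.7.245.132", "dmz": "10.0.0.1"}
SAMPLE = """
static (inside,outside) tcp interface www 192.168.1.5 www netmask 255.255.255.255
static (inside,outside) tcp 29.7.245.133 https 192.168.1.5 https
static (inside,outside) tcp 29.7.245.133 3389 192.168.1.10 3389
static (inside,DMZ) tcp interface www 192.168.1.5 www netmask 255.255.255.255
access-list out-in permit tcp any host 29.7.245.132 eq 80
access-list out-in permit tcp any host 29.7.245.133 eq 443
"""
```

The check does not follow `access-group` bindings, so a permit counts regardless of which interface its ACL is applied to.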
