Can I set up a global address pool (5 static IPs) and do port redirection off of any/all of them? I know how to do it off the outside interface port using the static command; will it work the same way specifying an IP from the global pool? Or do I have to use NAT?
I have 5 static IPs.
I would like to be able to map port 80 to server A and port 3306 to server B.
Using another IP I am forwarding ports for a game server to server C, and forwarding port 80 for a PHP block to the web server for game server C, which is located on server D.
To my knowledge, you cannot use global and nat to perform port redirection. If the servers you want to redirect to are behind the PIX, that is, they are on higher-security interfaces than the ISP/partner network connection, you need to use statics.
Yes, you should be able to do port redirection for statics specifying addresses other than the interface address. The PIX 6.3 code can allow you to do redirection by protocol/port instead of just IP address; thus you can redirect a.b.c.d port 80 to inside server H and redirect a.b.c.d port 3306 (same IP but different port) to server V.
Also, you can use statics with ACLs for port redirection; look at the Cisco PIX docs for more details.
Global and nat are only for outbound connections to a lower interface (for code lower than 6.3). PIX 6.3 does allow for global on higher interfaces, but that is for destination NATing, not for port redirection. Use the statics along with ACLs for port redirection.
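An added example of the per-port statics described above (not from this thread, and not any poster's configuration). It assumes PIX 6.3 static/access-list syntax and uses constructed addresses: 203.0.113.8/29 as the ISP block, 203.0.113.11 as one spare global address, and 10.1.1.10 / 10.1.1.11 as inside servers A and B.

```text
! Added example, not from the thread. Constructed addresses: outside is
! 203.0.113.10, spare global 203.0.113.11, server A 10.1.1.10 (web),
! server B 10.1.1.11 (MySQL). Replace with your own values.
!
! Port-redirection statics: the "tcp <global> <port> <local> <port>" form
! maps one TCP port on the global address to one inside host. The same
! global address is reused for a second port on a different server.
! No nat/global pair is involved.
static (inside,outside) tcp 203.0.113.11 www  10.1.1.10 www  netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.11 3306 10.1.1.11 3306 netmask 255.255.255.255
!
! Inbound ACL: permit only the redirected destination/port pairs.
! A "permit ip any any" here would also expose every other static on the
! box, which is the concern the asker raises about any/any rules.
access-list outside_in permit tcp any host 203.0.113.11 eq www
access-list outside_in permit tcp any host 203.0.113.11 eq 3306
access-group outside_in in interface outside
!
! Existing translations are not rebuilt when statics change; clear them,
! then verify the mappings and watch the buffered log while testing.
logging on
logging buffered debugging
clear xlate
show static
show xlate
```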
This will not work (even though the PIX accepts it). I want to make sure that, using the any any commands, I am not opening ports that can allow access to servers not specified with the static command.
Let's say I want one of the servers on the inside interface to not have any translation performed. I want the IP of the server to be one of my global IPs. I'm using a PIX 501. Is this possible? Would I use the nat 0 command to set this up? The other servers do not need access to it, but I would like it to be under the protection of the firewall, and do not want to perform NAT or PAT.
If you do not want translation, you cannot do port redirection, as port redirection is a type of PAT; even if the IP address does not change, the port does.
If you do not want to translate because you cannot get port redirection to work, it is because you are trying to use an internal address on the ACL. You need to use the global address, but I want you to try this:
access-list pmap_01 permit tcp host 192.168.1.100 eq true-port-id any
This ought to redirect requests to port 80 on your PIX interface's public address to inside host 192.168.1.100.
Note how you code the ACL: it is coded as if the inside host were initiating the connection, even though that is not what happens. I do not know if the port-id needs to come after the any keyword; experiment to see what works. Also, turn buffer logging to info or debug level on the PIX as you set this up to get some clues as to the problem.
I used HTTP as an example; replace the ports with the dest port as seen by.
Also, after you change statics, don't forget to use the clear xlate command for the changes to take effect.
See below if you really want to use public addresses on the inside host, but I feel that it is too cumbersome to set up.
Is the PIX outside interface in the same subnet as the 5 static IP addresses that were allocated to you?
Let's assume that this is the case, and that you are allocated the 126.96.36.199/29 subnet. The PIX is .10, the ISP gateway is .9, and so you have .11 thru .14 to use (.15 is the broadcast, and I do not know if you can assign this to an internal host, as the PIX can recognize the LAN broadcast and takes action differently when it is a source or dest in a packet).
First, you need to ensure that the PIX is configured to use proxy ARP on the ISP-facing interface. Next you need host route statements that point to your inside host as the route to the address. You will need to multinet on each of your inside servers that will be addressable: one private address that uses the PIX as the default gateway, and the one public address. Then you code static statements like so: