PIX - static and port redirection for the same host

a.manosca
Level 4

PIX version 6.2

I was looking at the following config:

static (inside,outside) tcp 172.18.124.99 telnet 10.1.1.6 telnet netmask 255.255.255.255 0 0

static (inside,outside) tcp 172.18.124.99 ftp 10.1.1.3 ftp netmask 255.255.255.255 0 0

static (inside,outside) tcp 172.18.124.208 telnet 10.1.1.4 telnet netmask 255.255.255.255 0 0

static (inside,outside) tcp interface telnet 10.1.1.5 telnet netmask 255.255.255.255 0 0

static (inside,outside) tcp interface www 10.1.1.5 www netmask 255.255.255.255 0 0

static (inside,outside) tcp 172.18.124.208 8080 10.1.1.7 www netmask 255.255.255.255 0 0

from this URL,

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aad.shtml#topic11

and was wondering if the following configuration will work or not:

static(inside,outside) tcp 172.18.124.10 <AAAA> 10.1.1.10 <BBBB> netmask 255.255.255.255 0 0

static(inside,outside) tcp 172.18.124.10 <CCCC> 10.1.1.10 <CCCC> netmask 255.255.255.255 0 0

Thanks in advance for any input.

Ariel

Accepted Solution

gfullage
Cisco Employee

Yep, that'll be OK. What you can't have is this:

static(inside,outside) tcp 172.18.124.10 10.1.1.10 netmask 255.255.255.255 0 0

static(inside,outside) tcp 172.18.124.10 10.1.1.10 netmask 255.255.255.255 0 0

and you also can't have:

static(inside,outside) tcp 172.18.124.10 10.1.1.10 netmask 255.255.255.255 0 0

static(inside,outside) tcp 172.18.124.10 10.1.1.10 netmask 255.255.255.255 0 0

In other words, you can't map the same port to two different ports, in either direction. The PIX will get confused when it receives a packet on the duplicated port and doesn't know which host to map it to. As long as all the inside and outside ports map to unique ports on the other interface then you're OK.

4 Replies

Thanks a lot for that quick and helpful reply, Glenn.

If I may ask another question, is it possible to select 2 or 3 addresses from a network already configured with 'static' to be used for port redirection as a separate entry?

static(inside,outside) 172.18.124.0 10.1.1.0 netmask 255.255.255.0

static(inside,outside) tcp 172.18.124.10 10.1.1.10 netmask 255.255.255.255 0 0

static(inside,outside) tcp 172.18.124.10 10.1.1.10 netmask 255.255.255.255 0 0

static(inside,outside) tcp 172.18.124.11 10.1.1.11 netmask 255.255.255.255 0 0

static(inside,outside) tcp 172.18.124.11 10.1.1.11 netmask 255.255.255.255 0 0

With the above config, address overlap exists. So how can I modify the first static command to exclude the .10 and .11 to avoid overlapping addresses, without configuring individual static entries for addresses other than .10 and .11?

I tried searching CCO as well as the NetPro forum but I wasn't able to find a similar or related question.

Any help or advice is greatly appreciated.

Ariel

Actually the above should work, the messages you're getting are warnings, not errors. The commands will still be placed in the config.

Statics are read from top down, and the first one to match will be used and no more will be read (sort of like a permit in an access-list). As long as they appear in the config with the network static at the bottom, the more specific port statics will be used in preference to them since they will be read first.

New statics are placed at the top I believe, so if you enter them in the order you have them listed above, then the network static should be at the bottom and it all should work for you.
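Both points Glenn makes in this thread, the uniqueness rule from the accepted answer (no outside or inside port may be redirected twice) and the top-down, first-match ordering of statics described just above, can be checked mechanically before a config is pushed. The following is an added example written for this page, not Cisco code and not anything posted in the thread. It assumes a simplified reading of the PIX 6.x `static` syntax (only the port-redirection and network forms shown in this thread, a small table of service names, and the one-to-one network static modelled as "same host offset, port unchanged"). The `shadowed_port_statics` check is an approximation of the ordering behaviour Glenn describes, not a documented PIX feature; the sample configs are constructed to resemble the second question.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Service names the PIX accepts in place of port numbers (a subset, assumed sufficient here).
PORT_NAMES = {"ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25, "www": 80, "https": 443}


@dataclass(frozen=True)
class Static:
    proto: Optional[str]        # 'tcp'/'udp' for a port static, None for a network static
    global_ip: str              # mapped (outside) address, or the literal 'interface'
    global_port: Optional[int]
    local_ip: str               # real (inside) address or network
    local_port: Optional[int]
    netmask: str

    @property
    def is_port_static(self) -> bool:
        return self.proto is not None


def port_number(token: str) -> int:
    return int(token) if token.isdigit() else PORT_NAMES[token.lower()]


def parse_static(line: str) -> Static:
    """Parse one PIX 6.x 'static' line in either the port-redirection or the network form."""
    text = line.strip()
    if not text.startswith("static"):
        raise ValueError(f"not a static command: {line!r}")
    tokens = text[text.index(")") + 1:].split()   # drop 'static (real_if,mapped_if)'
    proto = global_port = local_port = None
    if tokens[0] in ("tcp", "udp"):
        proto, global_ip, gport, local_ip, lport = tokens[:5]
        global_port, local_port = port_number(gport), port_number(lport)
        tokens = tokens[5:]
    else:
        global_ip, local_ip = tokens[:2]
        tokens = tokens[2:]
    return Static(proto, global_ip, global_port, local_ip, local_port,
                  tokens[tokens.index("netmask") + 1])


def parse_config(text: str) -> List[Static]:
    return [parse_static(l) for l in text.splitlines() if l.strip().startswith("static")]


def find_conflicts(statics: List[Static]) -> List[str]:
    """Accepted answer's rule: a (proto, ip, port) on either side maps to only one peer."""
    by_global, by_local, problems = {}, {}, []
    for s in (x for x in statics if x.is_port_static):
        gkey = (s.proto, s.global_ip, s.global_port)
        lkey = (s.proto, s.local_ip, s.local_port)
        if by_global.setdefault(gkey, lkey) != lkey:
            problems.append(f"{s.proto} {s.global_ip}:{s.global_port} redirected to two inside targets")
        if by_local.setdefault(lkey, gkey) != gkey:
            problems.append(f"{s.proto} {s.local_ip}:{s.local_port} exposed on two outside ports")
    return problems


def resolve_inbound(statics: List[Static], proto: str, dst_ip: str, dst_port: int,
                    outside_if_ip: str = "0.0.0.0") -> Optional[Tuple[str, int]]:
    """Top-down, first-match lookup for a packet arriving on the outside interface."""
    for s in statics:
        if s.is_port_static:
            mapped = outside_if_ip if s.global_ip == "interface" else s.global_ip
            if (s.proto, mapped, s.global_port) == (proto, dst_ip, dst_port):
                return (s.local_ip, s.local_port)
        else:
            gnet = ipaddress.ip_network(f"{s.global_ip}/{s.netmask}", strict=False)
            if ipaddress.ip_address(dst_ip) in gnet:
                # one-to-one network static: same host offset inside, port unchanged
                offset = int(ipaddress.ip_address(dst_ip)) - int(gnet.network_address)
                lnet = ipaddress.ip_network(f"{s.local_ip}/{s.netmask}", strict=False)
                return (str(lnet.network_address + offset), dst_port)
    return None


def shadowed_port_statics(statics: List[Static]) -> List[Static]:
    """Port statics below a network static covering their global address: never reached."""
    shadowed = []
    for i, s in enumerate(statics):
        if not s.is_port_static or s.global_ip == "interface":
            continue
        for earlier in statics[:i]:
            if not earlier.is_port_static and ipaddress.ip_address(s.global_ip) in \
                    ipaddress.ip_network(f"{earlier.global_ip}/{earlier.netmask}", strict=False):
                shadowed.append(s)
                break
    return shadowed


# Constructed sample modelled on the second question in the thread (not a real config).
GOOD_CONFIG = """
static (inside,outside) tcp 172.18.124.10 8080 10.1.1.10 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 172.18.124.10 telnet 10.1.1.10 telnet netmask 255.255.255.255 0 0
static (inside,outside) tcp 172.18.124.11 ftp 10.1.1.11 ftp netmask 255.255.255.255 0 0
static (inside,outside) 172.18.124.0 10.1.1.0 netmask 255.255.255.0
"""
# Constructed: the same outside port aimed at two inside targets, which the accepted answer rules out.
BAD_CONFIG = """
static (inside,outside) tcp 172.18.124.10 8080 10.1.1.10 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 172.18.124.10 8080 10.1.1.10 8081 netmask 255.255.255.255 0 0
"""
```

With `GOOD_CONFIG` in the order shown, `find_conflicts` returns nothing and a packet to 172.18.124.10:8080 resolves to 10.1.1.10:80, while 172.18.124.10:443 falls through to the network static and lands on 10.1.1.10:443. Move the network static to the top and `shadowed_port_statics` reports all three port statics, because the broader entry now matches first and 8080 is simply carried through unchanged, which is the ordering concern Glenn raises. `BAD_CONFIG` produces one conflict, the duplicate-port case from the accepted answer.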

Looks like I really need to do more reading and research.

I will surely take note of all the information you've given me.

Thanks a lot for your help.

Ariel
