Cisco Support Community
New Member

Port redirection over PAT?

Is this possible? Here's my scenario -->

One global IP -- x.x.x.38

Local web server with 5 websites

Is the only way to do this by specifying the TCP port in Microsoft IIS and then doing port redirection through a 'static' statement on the PIX?

Here are my static statements, be kind...I didn't build this config...

static (DMZ,outside) tcp x.x.x.38 www 172.16.128.8 www netmask 255.255.255.255 0 0

static (DMZ,outside) tcp x.x.x.38 ftp 172.16.128.8 ftp netmask 255.255.255.255 0 0

static (DMZ,outside) x.x.x.36 172.16.128.3 netmask 255.255.255.255 0 0

static (inside,DMZ) 192.168.0.8 192.168.0.8 netmask 255.255.255.255 0 0

static (inside,DMZ) 192.168.0.6 192.168.0.6 netmask 255.255.255.255 0 0

static (inside,outside) x.x.x.37 192.168.0.6 netmask 255.255.255.255 0 0

static (inside,outside) x.x.x.40 192.168.0.49 netmask 255.255.255.255 0 0

static (inside,outside) x.x.x.44 192.168.0.4 netmask 255.255.255.255 0 0

static (inside,outside) x.x.x.35 192.168.0.8 netmask 255.255.255.255 0 0

static (DMZ,outside) x.x.x.41 172.16.128.9 netmask 255.255.255.255 0 0

static (DMZ,outside) x.x.x.38 172.16.128.8 netmask 255.255.255.255 0 0

The only 'static' that I've removed is --

static (DMZ,outside) tcp x.x.x.38 www 172.16.128.8 81 netmask 255.255.255.255 0 0

When I went to add it again, I got an overlap error...which is expected considering the one-to-one static mapping for that IP.

'DMZ' and 'inside' are using PAT off the outside interface...

Any suggestions?

Thanks in advance...

3 REPLIES
Silver

Re: Port redirection over PAT?

What specifically does not work? Yes, it is not surprising that you got the overlap message because the static statement at the bottom is one for one.

If you want to run 5 HTTP web sites on one server, configure it with host headers. Set up the DNS records for each domain name to resolve to the IP address (x.x.x.38). HTTP 1.1 aware browsers (darn near everything) will send the domain name in the HTTP GET request, and the web server will read it, and serve up the appropriate content based on that domain name.

You cannot do this with HTTPS sites - each HTTPS site will need its own IP address.

I tend to think you might have an IIS problem, not a Cisco one.
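
Added example, not part of the original thread and not Cisco tooling: a Python audit that parses `static` statements like the ones quoted above and reports the two conflicts discussed here, a port redirect on a global IP that already has a one-to-one static, and the same global protocol/port redirected twice. The function names and the conflict model (grouping by mapped interface and global IP) are assumptions for illustration, not the PIX's own overlap logic.

```python
import re
from collections import defaultdict

# Constructed sample: statics quoted in the thread, incl. the removed www -> 81 redirect.
SAMPLE = """\
static (DMZ,outside) tcp x.x.x.38 www 172.16.128.8 www netmask 255.255.255.255 0 0
static (DMZ,outside) tcp x.x.x.38 ftp 172.16.128.8 ftp netmask 255.255.255.255 0 0
static (DMZ,outside) x.x.x.36 172.16.128.3 netmask 255.255.255.255 0 0
static (DMZ,outside) x.x.x.38 172.16.128.8 netmask 255.255.255.255 0 0
static (DMZ,outside) tcp x.x.x.38 www 172.16.128.8 81 netmask 255.255.255.255 0 0
"""

# Port-redirect form (proto gip gport lip lport) or one-to-one form (gip lip).
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) "
                       r"(?:(tcp|udp) (\S+) (\S+) (\S+) (\S+)|(\S+) (\S+)) netmask")

def parse_statics(text):
    """Return one dict per static line; gport is None for one-to-one mappings."""
    rules = []
    for n, line in enumerate(text.splitlines(), 1):
        m = STATIC_RE.match(line.strip())
        if m:
            _, mapped_if, proto, gip, gport, lip, lport, gip1, lip1 = m.groups()
            rules.append({"line": n, "mapped_if": mapped_if, "proto": proto, "gport": gport,
                          "gip": gip or gip1, "lip": lip or lip1, "lport": lport})
    return rules

def find_overlaps(rules):
    """Simplified model (assumption): conflicts are judged per mapped interface."""
    groups = defaultdict(list)
    for r in rules:
        groups[(r["mapped_if"], r["gip"])].append(r)
    findings = []
    for (_, gip), group in groups.items():
        whole_ip = [r for r in group if r["gport"] is None]
        ports = [r for r in group if r["gport"] is not None]
        # A one-to-one static already claims every port on the global address.
        findings += [("ip-vs-port", gip, o["line"], p["line"])
                     for o in whole_ip for p in ports]
        seen = {}
        for p in ports:  # same global proto/port redirected twice
            first = seen.setdefault((p["proto"], p["gport"]), p["line"])
            if first != p["line"]:
                findings.append(("duplicate-port", gip, first, p["line"]))
    return findings

if __name__ == "__main__":
    for f in find_overlaps(parse_statics(SAMPLE)):
        print(f)
```

Each finding is a tuple of kind, global IP, and the two conflicting line numbers in the input, so the same check can be run over a saved configuration before a cleanup.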

New Member

Re: Port redirection over PAT?

I tend to agree! I believe it is an IIS problem...

As soon as that's done...time to clean up this config.

Thanks for the response.

New Member

Re: Port redirection over PAT?

Just an FYI, you can do Host Headers with SSL sites.
