Port Redirection
Port redirection allows one public IP address to serve as the public IP address for
more than one server. Port redirection lets you define a mapping between a
port on a public IP address and a port on a private IP address. The static command
creates only the translation; by itself it does not permit any inbound connection. Because
the traffic is crossing from a lower security-level interface to a higher security-level
interface, an access list or conduit that permits it must also be created.
Mappings are set at the port level, so a single IP address can serve many
servers. Secure Corp. has set up a network at its Toronto site and has been assigned only a
single public IP address by the ISP. At this site, Secure Corp. has two Web
servers, one Telnet server, and one FTP server. How can it make all these services
accessible with a single IP address? Use the static command to perform
port redirection:
static [(prenat_if_name, postnat_if_name)] {tcp | udp} {global_ip | interface} global_port local_ip local_port [netmask mask] [max_conns [emb_limit [norandomseq]]]
We discussed the static command earlier in the chapter, so we will not go
through all the parameters again. However, we will introduce some new parameters
here, including global_port and local_port. A protocol (tcp or udp) must also be
specified so that the PIX knows which protocol/port pair to accept and forward.
Instead of using a global_ip, you can use the interface option, which uses the IP
address of the PIX interface named in postnat_if_name. This option is important if you do
not have any additional public IP addresses.
To configure port redirection for the first Web server, the command is as
follows:
www.syngress.com
116 Chapter 3 • Passing Traffic
PIX1(config)# static (dmz, outside) tcp interface 80 172.16.1.1 80
If the company also wanted to host Telnet, FTP, and another Web server, three
more static commands would map the ports to the correct servers. Since the Web
port (80) on the public address is already taken, a high port (8080) is chosen for access to the second Web
server; clients reach it at port 8080 on the public address, and the PIX translates the
destination to port 80 on 172.16.1.3. This example is shown in Figure 3.5. The additional commands are as
follows:
PIX1(config)# static (dmz, outside) tcp interface 23 172.16.1.2 23
PIX1(config)# static (dmz, outside) tcp interface 8080 172.16.1.3 80
PIX1(config)# static (dmz, outside) tcp interface 21 172.16.1.4 21
Figure 3.5 Port Redirection Example

Public address: 10.1.1.1 (the PIX outside interface). DMZ servers: 172.16.1.1 (Web, TCP 80),
172.16.1.2 (Telnet, TCP 23), 172.16.1.3 (Web, TCP 80), 172.16.1.4 (FTP, TCP 21).

Client connections shown in the figure:
Client opens an FTP session with 10.1.1.1
Client opens a Telnet session with 10.1.1.1
Client opens an HTTP session with 10.1.1.1
Client opens an HTTP session on port 8080 with 10.1.1.1

Port Redirection Mappings

Public Port   Private IP    Private Port   Proto.
21            172.16.1.4    21             TCP
23            172.16.1.2    23             TCP
80            172.16.1.1    80             TCP
8080          172.16.1.3    80             TCP
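The complete Toronto configuration, as an added example that is not from the original page or from Cisco's documentation: it combines the four static commands above with the access list and access-group that the chapter says must accompany them, since the statics alone translate but do not permit anything. The interface names, security levels, the DMZ interface address (172.16.1.254) and the access list name (outside_access_in) are my assumptions; the public address 10.1.1.1 comes from Figure 3.5. Because the statics use the interface keyword, the access list entries name the outside interface address and the global (public) port as the destination, not the private server address.

```text
! Added example (PIX 6.x syntax), not from the page. Interface names,
! security levels, the DMZ address and the ACL name are assumptions.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 10.1.1.1 255.255.255.0
ip address dmz 172.16.1.254 255.255.255.0
!
! Translations: one public address (the outside interface) fronts four servers.
! Only the second Web server uses a different public port (8080 -> 80).
static (dmz,outside) tcp interface 80 172.16.1.1 80
static (dmz,outside) tcp interface 23 172.16.1.2 23
static (dmz,outside) tcp interface 8080 172.16.1.3 80
static (dmz,outside) tcp interface 21 172.16.1.4 21
!
! FTP inspection (on by default) is what lets the data channel through
! a port-redirected FTP server.
fixup protocol ftp 21
!
! Nothing is reachable until an access list permits the inbound traffic.
! Destinations are the translated (global) address and port.
access-list outside_access_in permit tcp any host 10.1.1.1 eq www
access-list outside_access_in permit tcp any host 10.1.1.1 eq telnet
access-list outside_access_in permit tcp any host 10.1.1.1 eq 8080
access-list outside_access_in permit tcp any host 10.1.1.1 eq ftp
access-group outside_access_in in interface outside
```

After a client connects, show xlate lists the PAT entries the statics created, and show access-list shows hit counts on each permit line; a static with no matching permit entry shows up as a translation that is never hit.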