Re: PIX 501, redirect to port already being used



In article <1172689424.607209.137450@xxxxxxxxxxxxxxxxxxxxxxxxxxx>,
robert.waters <robert.waters@xxxxxxxxx> wrote:
My PIX is configured to allow traffic to move between port 3390
outside and 3390 inside (terminal server listening on a non-standard
port). I have a legacy device that needs to use port 3389 (the
standard TS port).
Can I redirect the outside port 3389 to inside port 3390 when that
port is already 'mapped'? (sorry; I don't know the proper parlance).

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/s.htm#wp1026694

Use a policy static.

access-list legacy_ts_acl permit tcp host ServerPrivateIP eq 3390 host LegacyIP
access-list remaining_ts_acl permit tcp host ServerPrivateIP eq 3390 any

static (inside,outside) tcp interface 3389 access-list legacy_ts_acl
static (inside,outside) tcp interface 3390 access-list remaining_ts_acl

Possibly you might need to start remaining_ts_acl with a deny of
host LegacyIP.


Note: for any given IP, do not try to mix an unconditional static
with a conditional (policy) static, as the conditional ones are lower
priority and may end up getting ignored.
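As an added example (not part of the original post or Cisco's documentation), here is the whole layout written out against PIX 6.3 syntax: the two policy-static ACLs with the optional deny in front, the two statics, and the outside access-group that the statics alone do not give you. LegacyIP, ServerPrivateIP, OutsideIP (the PIX outside address) and the AllowedTSClients/AllowedTSMask range are placeholders you substitute; the access-list name outside_in is invented for the example. Comment lines use the ":" marker the PIX itself writes into saved configs.

```cisco
: Added example, not from the original post. PIX 6.3 syntax assumed.
: Placeholders (assumptions): LegacyIP = outside client that must use 3389,
: ServerPrivateIP = inside terminal server, OutsideIP = PIX outside address,
: AllowedTSClients/AllowedTSMask = the only outside range that should reach 3390.
: The access-list name outside_in is invented for this example.

: Policy-static ACLs: source is the real (inside) address and port, destination
: is the outside peer. The deny keeps the legacy host out of the catch-all 3390
: mapping (the "deny of host LegacyIP" option mentioned above).
access-list legacy_ts_acl permit tcp host ServerPrivateIP eq 3390 host LegacyIP
access-list remaining_ts_acl deny tcp host ServerPrivateIP eq 3390 host LegacyIP
access-list remaining_ts_acl permit tcp host ServerPrivateIP eq 3390 any

: Both outside ports land on the server's 3390; the ACLs decide which applies.
: Do not add an unconditional static for ServerPrivateIP alongside these.
static (inside,outside) tcp interface 3389 access-list legacy_ts_acl
static (inside,outside) tcp interface 3390 access-list remaining_ts_acl

: A static only creates the translation. Inbound connections still need an
: access-group on outside. Permit 3389 only from the legacy host and 3390 only
: from the range that needs it; "any" here exposes the terminal server to
: the whole Internet on both ports.
access-list outside_in permit tcp host LegacyIP host OutsideIP eq 3389
access-list outside_in permit tcp AllowedTSClients AllowedTSMask host OutsideIP eq 3390
access-group outside_in in interface outside

: After a test connection from each side, confirm which translation and ACL
: entry were hit.
show xlate
show access-list
```

The access-list destination on the outside side is the translated (global) address, which with the "interface" keyword is the PIX outside address itself; that is why outside_in matches on OutsideIP rather than ServerPrivateIP. The hit counts from "show access-list" tell you whether the legacy host is being matched by legacy_ts_acl or by the catch-all, which is the quickest way to see whether the deny entry is actually needed.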