PIX 501, redirect to port already being used

My PIX is configured to allow traffic to move between port 3390 outside and 3390 inside (terminal server listening on a non-standard port). I have a legacy device that needs to use port 3389 (the standard TS port). Can I redirect the outside port 3389 to inside port 3390 when that port is already 'mapped'? (sorry; I don't know the proper parlance). Here is some config:

static (inside,outside) tcp interface 3390 192.168.2.2 3390 netmask 255.255.255.255 0 0
access-list outside_in permit tcp any interface outside eq 3390
access-group outside_in in interface outside

All is fine when I create the access list (access-list outside_in permit tcp any interface outside eq 3389) but when I try and create the redirect (static (inside,outside) tcp interface 3390 192.168.2.2 3389 255.255.255.255 0 0), I get an error message:

ERROR: duplicate of existing static tcp from inside:192.168.2.2/3390 to outside:64.x.x.x/3390 netmask 255.255.255.255

Am I not going to be able to do this?

robert.waters
Use a policy static.

access-list legacy_ts_acl permit tcp host LegacyIP host ServerPrivateIP eq 3390
access-list remaining_ts_acl permit tcp any host ServerPrivateIP eq 3390

static (inside,outside) tcp interface 3389 access-list legacy_ts_acl
static (inside,outside) tcp interface 3390 access-list remaining_ts_acl

Possibly you might need to start remaining_ts_acl with a deny of host LegacyIP.

Note: for any given IP, do not try to mix an unconditional static with a conditional (policy) static, as the conditional ones are lower priority and may end up getting ignored.

Walter Roberson
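As an added example (not from this thread or from Cisco), a small Python pre-flight check that catches the duplicate-static clash from the original post, plus two related slips (a policy static naming an undefined access-list, and a global port with no inbound permit), before the lines are pasted into the PIX. The sample config and its addresses are constructed placeholders.

```python
"""Pre-flight linter for PIX 6.x port-redirection config, built around the
pitfalls in this thread: a static that reuses an already mapped (interface,
protocol, global port), which PIX rejects as 'duplicate of existing static';
a policy static naming an access-list the config never defines; and a global
port with no inbound permit in the ACL bound to the outside interface.
The sample config at the bottom is constructed, with placeholder addresses."""
import re

STATIC = re.compile(r"^static \((\w+),(\w+)\) (tcp|udp) (\S+) (\d+) (.+)$")
ACL = re.compile(r"^access-list (\S+) (permit|deny) (tcp|udp) .* eq (\d+)$")
GROUP = re.compile(r"^access-group (\S+) in interface (\w+)$")


def check_config(config: str) -> list[str]:
    """Return the problems found; an empty list means every check passed."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    permits: dict[str, set[str]] = {}   # acl name -> ports it permits
    inbound: dict[str, str] = {}        # interface -> acl applied inbound
    for ln in lines:
        if m := ACL.match(ln):
            ports = permits.setdefault(m.group(1), set())
            if m.group(2) == "permit":
                ports.add(m.group(4))
        elif m := GROUP.match(ln):
            inbound[m.group(2)] = m.group(1)
    problems: list[str] = []
    seen: dict[tuple[str, str, str], str] = {}  # (if, proto, port) -> line
    for ln in lines:
        if not (m := STATIC.match(ln)):
            continue
        _real, mapped, proto, gaddr, gport, rest = m.groups()
        if (mapped, proto, gport) in seen:   # what produced the OP's error
            problems.append(f"duplicate of existing static: {ln}")
        seen.setdefault((mapped, proto, gport), ln)
        if rest.startswith("access-list "):  # policy static
            name = rest.split()[1]
            if name not in permits:
                problems.append(f"undefined access-list {name} in: {ln}")
        if gaddr == "interface" and gport not in permits.get(inbound.get(mapped, ""), set()):
            problems.append(f"no inbound permit for {proto}/{gport} on {mapped}")
    return problems


# Constructed reproduction of the original post's state: the second static
# reuses global port 3390, and the policy static names an ACL not yet defined.
BROKEN = """access-list outside_in permit tcp any interface outside eq 3390
access-group outside_in in interface outside
static (inside,outside) tcp interface 3390 192.168.2.2 3390 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3390 192.168.2.2 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 access-list legacy_ts_acl
"""
```

Running `check_config(BROKEN)` reports the duplicate 3390 mapping, the undefined legacy_ts_acl reference, and the missing inbound permit for 3389, in that order.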

Thank you very much for your answer, and for that resource.

robert.waters

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.