PIX dnat or what ?

Hi. Does someone know whether it is possible on a PIX 506E to do something like this: if a user in the local LAN goes to any www site, the PIX automatically redirects them to one specific (appointed) www site on the outside?

Reply to
Tomek W.

No, you cannot do that with the PIX 6.x software.

When you do that kind of redirection, the number of new target IP addresses must be the same as the number of redirected-from IP addresses.

For example, you can redirect one specific destination www IP address to a different specific www address:

static (outside,inside) tcp 202.88.202.131 www 207.97.223.202 www netmask 255.255.255.255

That would have effect of redirecting destination 202.88.202.131 (china.net) to 207.97.223.202 (atari.com). Note, though, that if the new target server pays attention to the http Host: header then it will receive the text of what the user actually typed and will probably refuse to serve any information.

I've never found a use for it, but you can also redirect blocks of IPs to equal sized blocks of other IPs:

static (outside,inside) tcp 202.88.202.128 www 207.97.223.200 www netmask 255.255.255.252

This would have the effect of redirecting

202.88.202.128 to 207.97.223.200
202.88.202.129 to 207.97.223.201
202.88.202.130 to 207.97.202.202
202.88.202.131 to 207.97.202.203

If you wanted to redirect -all- www sites then if you were to try

static (outside,inside) tcp 0.0.0.0 www X.X.X.X www netmask 0.0.0.0

then the size of the range at X.X.X.X would have to be the size of the range at 0.0.0.0/0.0.0.0 ... and the only range that big is 0.0.0.0/0.0.0.0 so it would have to be

static (outside,inside) tcp 0.0.0.0 www 0.0.0.0 www netmask 0.0.0.0

which would map each destination IP to itself, which isn't going to do you any good.

Depending on your purpose, you probably could do something like:

static (outside,inside) tcp 0.0.0.0 www 0.0.0.0 65535 netmask 0.0.0.0

which would redirect target port www to target port 65535 for *all* IPs. There would be very few alternative http servers listening on port 65535 on systems, so this would block pretty much all traffic to port 80. If you were going to do that, though, you might as well just put in an ACL entry that denied that traffic.

You should not count on any security measure that is targeted at port 80. There are quite a few proxy programs available now, including some that run on typical ftp ports or https ports: if you allow traffic to "any" on any particular port, chances are that someone could work that up into a generalized proxy to anything they wanted.

Reply to
Walter Roberson
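The netmask arithmetic behind the static examples above, as an added Python model; it is not part of this thread and not Cisco's code. It assumes the semantics described in the reply (the first address is what inside users type, the second is where the PIX sends them, the host bits under the netmask are carried across unchanged, and a rule only fires when the destination port matches), and it shows why a range can only be redirected to an equal-sized range and why `0.0.0.0 ... netmask 0.0.0.0` maps every address to itself.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed port-name table; PIX accepts either the name or the number.
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ftp": 21}


@dataclass(frozen=True)
class StaticRule:
    seen_addr: str   # address inside users connect to (first address in the command)
    seen_port: int
    real_addr: str   # address the PIX actually sends the traffic to (second address)
    real_port: int
    netmask: str


def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def _to_str(value: int) -> str:
    return str(ipaddress.IPv4Address(value))


def _port(token: str) -> int:
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


def parse_static(line: str) -> StaticRule:
    """Parse 'static (outside,inside) tcp SEEN SPORT REAL RPORT netmask MASK'.

    Only the tcp form used in the thread is modelled (assumption)."""
    t = line.split()
    if len(t) != 9 or t[0] != "static" or t[2] != "tcp" or t[7] != "netmask":
        raise ValueError(f"unsupported static syntax: {line!r}")
    return StaticRule(t[3], _port(t[4]), t[5], _port(t[6]), t[8])


def block_size(netmask: str) -> int:
    """Number of addresses covered by a netmask: /32 -> 1, /30 -> 4, 0.0.0.0 -> 2**32."""
    return (~_to_int(netmask) & 0xFFFFFFFF) + 1


def translate(rule: StaticRule, dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
    """Return (new_ip, new_port) if the rule matches the destination, else None.

    The network part comes from real_addr, the host part from the original
    destination, so a block of N 'seen' addresses always lands on exactly N
    'real' addresses (the equal-size constraint from the thread)."""
    mask = _to_int(rule.netmask)
    d = _to_int(dst_ip)
    if dst_port != rule.seen_port:
        return None
    if (d & mask) != (_to_int(rule.seen_addr) & mask):
        return None
    host_bits = d & (~mask & 0xFFFFFFFF)
    new_ip = (_to_int(rule.real_addr) & mask) | host_bits
    return _to_str(new_ip), rule.real_port


if __name__ == "__main__":
    # The commands from the thread (constructed input, joined onto one line each).
    for cmd in (
        "static (outside,inside) tcp 202.88.202.131 www 207.97.223.202 www netmask 255.255.255.255",
        "static (outside,inside) tcp 202.88.202.128 www 207.97.223.200 www netmask 255.255.255.252",
        "static (outside,inside) tcp 0.0.0.0 www 0.0.0.0 www netmask 0.0.0.0",
        "static (outside,inside) tcp 0.0.0.0 www 0.0.0.0 65535 netmask 0.0.0.0",
    ):
        rule = parse_static(cmd)
        print(f"{cmd}\n  covers {block_size(rule.netmask)} address(es)")
        for ip in ("202.88.202.129", "202.88.202.131", "8.8.8.8"):
            print(f"  {ip}:80 -> {translate(rule, ip, 80)}")
```

The last two rules make the thread's point concrete: with `netmask 0.0.0.0` the host part is the whole address, so the only thing the rule can change is the port, which is why the all-IPs form ends up as a crude port block rather than a redirect.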

Hi, I once did a little cowboy trick in regards to proxy-auth on the PIX. Enable proxy auth for the scopes and settings you want, fx. auth on all HTTP outbound. This will bring up a page in the user's browser telling them what you have put in the auth-prompt prompt command line. The trick I did was to have something a bit more explainable than what the PIX can give. I did this by putting HTML code in the auth-prompt. Fx.: auth-prompt prompt Inline Frame. The inside server on 192.168.0.254 then contained some splash page.

But in your case you could do an exception auth on the webpage on the outside that you want the users to have, and put the URL in the IFRAME. Oh - and remember to exclude DNS, if you use an outside DNS server in your IP settings.

I know this is not much, but it could give you some better ideas; if so, let us know.

HTH Martin Bilgrav

Reply to
Martin Bilgrav

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.