[fw-wiz] re: pix firewall config quest

From: Mike Hoskins (mike_at_adept.org)
Date: 08/14/03

  • Next message: Mike Hoskins: "[fw-wiz] re: NAT for a simple network"
    To: firewall-wizards@honor.icsalabs.com
    Date: Wed, 13 Aug 2003 18:20:59 -0700 (PDT)
    
    

    From: "Don Burgess" <don_burgess@hotmail.com>
    Date: Thu, 07 Aug 2003 00:44:20 -0700
    > sorry for this being such a basic question, but i am using a PIX to
    > learn, and i am trying to figure out how to forward a port from the
    > incoming interface to an internal ip..

    i think you'd do that with a static and an ACL entry...

    > here is the basic scenario
    > pix 506e
    > internal pat 192.168.1.0
    > external interface address in my test setup is 10.10.1.208
    > internal ip that i want to access the port of 192.168.1.10
    > port that i want to access 3000

    there may be a better way, but (long lines wrapped at backslash)...

    ! 'names' must be on before 'name' is accepted; syntax is name <ip> <alias>
    names
    name 10.10.1.208 outsidehost
    ! port redirection (PIX 6.0+): TCP/3000 on the outside interface's own
    ! address -> 192.168.1.10:3000. a plain one-to-one static can't reuse the
    ! interface IP, so the 'tcp interface <port>' form is needed here.
    ! trailing '0 32' = max connections (0 = unlimited) / embryonic limit.
    ! you may want to adjust the embryonic limit (32 here)
    static (inside,outside) tcp interface 3000 192.168.1.10 3000 \
            netmask 255.255.255.255 0 32

    then in the ACL applied to your external interface (remember, packets from
    an interface with a lower security level -- e.g. outside -- are not
    allowed to pass to an interface with a higher security level -- e.g.
    inside -- by default) you would add a rule allowing the desired traffic,

    access-list 100 permit tcp any host outsidehost eq 3000

    this assumes you're using ACL # 100 to control traffic flow from your
    outside interface to your inside interface. as such, you should also have
    an appropriate 'access-group' defined,

    access-group 100 in interface outside

    -mrh

    --
    From: "Spam Catcher" <spam-catcher@adept.org>
    To: spam-catcher@adept.org
    Do NOT send email to the address listed above or
    you will be added to a blacklist!
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
    
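The three pieces above (static, access-list, access-group) only work together, and the usual mistake is to get one of them right and forget the others. Below is an added example, not from the original post or from Cisco: a small Python linter for a PIX 6.x config fragment that checks, for each static whose mapped side is the outside interface, that an ACL bound inbound on that interface actually permits the mapped address/port, and that flags a one-to-one static which reuses the outside interface's own address. The config strings are constructed from the scenario in the post (outside 10.10.1.208, inside host 192.168.1.10, TCP/3000); the `ip address outside ...` line, the alias name `outsidehost` and the ACL number 100 are assumptions carried over from the thread.

```python
"""Lint a PIX 6.x config fragment for inbound port-forward consistency.

Added example (not from the original post). Constructed sample configs
mirror the thread: outside 10.10.1.208, inside host 192.168.1.10, TCP/3000.
"""
import ipaddress
import re

# Correct form: port redirection + permit + ACL bound inbound on outside.
GOOD_CONFIG = """\
ip address outside 10.10.1.208 255.255.255.0
names
name 10.10.1.208 outsidehost
static (inside,outside) tcp interface 3000 192.168.1.10 3000 netmask 255.255.255.255 0 32
access-list 100 permit tcp any host outsidehost eq 3000
access-group 100 in interface outside
"""

# Same, but the access-group line was forgotten: the static alone passes nothing,
# because outside -> inside is denied by default.
BAD_CONFIG = """\
ip address outside 10.10.1.208 255.255.255.0
names
name 10.10.1.208 outsidehost
static (inside,outside) tcp interface 3000 192.168.1.10 3000 netmask 255.255.255.255 0 32
access-list 100 permit tcp any host outsidehost eq 3000
"""

# One-to-one static that reuses the interface's own address (needs the
# 'tcp interface <port>' port-redirection form instead).
OVERLAP_CONFIG = """\
ip address outside 10.10.1.208 255.255.255.0
names
name 10.10.1.208 outsidehost
static (inside,outside) outsidehost 192.168.1.10 netmask 255.255.255.255 0 32
access-list 100 permit tcp any host outsidehost eq 3000
access-group 100 in interface outside
"""

# static (real_if,mapped_if) [tcp|udp] <gaddr|interface> [gport] <laddr> [lport] netmask <mask> ...
STATIC_RE = re.compile(
    r"^static \((?P<real_if>\w+),(?P<mapped_if>\w+)\)\s+"
    r"(?:(?P<proto>tcp|udp)\s+)?(?P<gaddr>\S+)\s+(?:(?P<gport>\d+)\s+)?"
    r"(?P<laddr>\S+)\s+(?:(?P<lport>\d+)\s+)?netmask\s+(?P<mask>\S+)"
)


def _addr_spec(tok, i):
    """Consume one ACL address spec: 'any', 'host X', or 'X MASK'."""
    if tok[i] == "any":
        return ("any", None), i + 1
    if tok[i] == "host":
        return ("host", tok[i + 1]), i + 2
    return (tok[i], tok[i + 1]), i + 2


def parse_config(text):
    """Pull names, interface IPs, statics, ACL entries and access-groups out of a config."""
    cfg = {"names": {}, "if_ip": {}, "statics": [], "acls": {}, "groups": {}}
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] in ("!", ":"):
            continue
        if tok[0] == "name" and len(tok) == 3:            # name <ip> <alias>
            cfg["names"][tok[2]] = tok[1]
        elif tok[:2] == ["ip", "address"]:                # ip address <if> <ip> <mask>
            cfg["if_ip"][tok[2]] = tok[3]
        elif tok[0] == "static":
            m = STATIC_RE.match(line)
            if m:
                cfg["statics"].append(m.groupdict())
        elif tok[0] == "access-list" and tok[2] in ("permit", "deny"):
            _src, i = _addr_spec(tok, 4)
            dst, i = _addr_spec(tok, i)
            port = tok[i + 1] if i + 1 < len(tok) and tok[i] == "eq" else None
            cfg["acls"].setdefault(tok[1], []).append(
                {"action": tok[2], "proto": tok[3], "dst": dst, "port": port})
        elif tok[0] == "access-group" and tok[2] == "in":  # access-group <id> in interface <if>
            cfg["groups"].setdefault(tok[4], []).append(tok[1])
    return cfg


def _resolve(cfg, name):
    return cfg["names"].get(name, name)


def _dst_matches(cfg, dst, addr):
    kind, val = dst
    if kind == "any":
        return True
    if kind == "host":
        return _resolve(cfg, val) == addr
    net = ipaddress.ip_network(f"{_resolve(cfg, kind)}/{val}", strict=False)
    return ipaddress.ip_address(addr) in net


def _entry_matches(cfg, e, proto, gaddr, gport):
    if proto and e["proto"] not in ("ip", proto):
        return False
    if not _dst_matches(cfg, e["dst"], gaddr):
        return False
    if gport and e["port"] not in (None, gport):
        return False
    return True


def lint(text):
    """Return a list of findings (empty list = port forward looks consistent)."""
    cfg = parse_config(text)
    findings = []
    for s in cfg["statics"]:
        out_if = s["mapped_if"]
        gaddr = _resolve(cfg, s["gaddr"])
        if gaddr == "interface":
            gaddr = cfg["if_ip"].get(out_if, gaddr)
        elif s["proto"] is None and gaddr == cfg["if_ip"].get(out_if):
            findings.append(
                f"static to {s['laddr']}: one-to-one static reuses the {out_if} interface "
                f"address; use 'static ({s['real_if']},{out_if}) tcp interface <port> ...'")
        # PIX ACLs are first-match: the first matching entry decides.
        decision = None
        for acl_id in cfg["groups"].get(out_if, []):
            for e in cfg["acls"].get(acl_id, []):
                if _entry_matches(cfg, e, s["proto"], gaddr, s["gport"]):
                    decision = e["action"]
                    break
            if decision:
                break
        if decision != "permit":
            port = f"/{s['gport']}" if s["gport"] else ""
            findings.append(f"static to {s['laddr']}: no permit for {gaddr}{port} "
                            f"in an ACL bound inbound on {out_if}")
    return findings


if __name__ == "__main__":
    for label, cfg_text in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG), ("overlap", OVERLAP_CONFIG)):
        print(label, lint(cfg_text) or "ok")
```

Aliases from `name` are resolved before comparing, so an ACL written against `outsidehost` is matched against the `interface` keyword of the static through the `ip address outside` line; that is exactly the cross-reference a human skips when eyeballing the three commands separately.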
