Posted by Jon Doe on September 18, 2005, 11:11 am
Hi,
I'm new to PIX configs and I have a question. I'd like to put one of my
company's intranet sites out on the internet, but I'd like only specific IP
addresses to be able to connect to it. Please help me confirm if these are
the right commands:
access-list outside permit tcp host 65.25.x.x host 208.242.x.x eq www
access-list outside permit tcp host 65.25.x.x host 208.242.x.x eq https
or please help me with how to accomplish what I'm trying to do. Thanks in
advance!
Posted by Walter Roberson on September 18, 2005, 4:56 pm
:I'm new to PIX configs and I have a question. I'd like to put one of my
:company's intranet sites out on the internet, but I'd like only specific IP
:addresses to be able to connect to it. Please help me confirm if these are
:the right commands:
:access-list outside permit tcp host 65.25.x.x host 208.242.x.x eq www
:access-list outside permit tcp host 65.25.x.x host 208.242.x.x eq https
Those are plausible, provided that 65.25.x.x is a remote host
that you want to permit access from and 208.242.x.x is the -public-
address of the local host that you want to permit access to.
You will also need
access-group outside in interface outside
(the first 'outside' being the name of the ACL.)
You will also need a 'static' command to make the connection between
the public IP 208.242.x.x and the internal private IP of the appropriate
computer. Even if the public IP is the same as the private IP, you
will still need a 'static' command to tell the PIX that it is okay
to allow the packets through:
static (inside,outside) 208.242.x.x 192.168.242.15 netmask 255.255.255.255 0 0
or
static (inside,outside) 208.242.x.x 208.242.x.x netmask 255.255.255.255 0 0
{
To be a bit more complete:
- in some cases, there is one particular form of the 'nat' command that
might be useable instead of 'static'
- instead of static'ing the entire IP address, you could be more specific,
static (inside,outside) tcp 208.242.x.x www 192.168.242.15 www netmask 255.255.255.255 0 0
}
--
"I will speculate that [...] applications [...] could actually see a
performance boost for most users by going dual-core [...] because it
is running the adware and spyware that [...] are otherwise slowing
down the single CPU that user has today" -- Herb Sutter
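Putting the three pieces from the reply above together, here is a complete PIX 6.x fragment that publishes the intranet server to exactly one remote host on ports 80 and 443. This is an added example assembled for this thread, not configuration posted by either participant; the addresses keep the thread's own 65.25.x.x / 208.242.x.x placeholders (replace the x's with the real octets), and 192.168.242.15 is assumed to be the server's private address as in Walter's static example.

```text
! Permit only the listed remote host to reach the published address on
! 80 and 443. Every other packet arriving on the outside interface falls
! through to the ACL's implicit deny, so no explicit deny line is needed.
access-list outside permit tcp host 65.25.x.x host 208.242.x.x eq www
access-list outside permit tcp host 65.25.x.x host 208.242.x.x eq https

! Bind the ACL to traffic entering the outside interface
! (first 'outside' = ACL name, second 'outside' = interface name).
access-group outside in interface outside

! Map the public address to the internal server. Without this static the
! PIX has no translation for inbound connections and drops them even when
! the ACL permits them. Use the tcp/port form instead if only the web
! ports should be reachable through the public address.
static (inside,outside) 208.242.x.x 192.168.242.15 netmask 255.255.255.255 0 0

! Verify: the static should appear in the translation table, and the two
! ACL lines should show a rising hit count when the permitted host connects.
show xlate
show access-list outside
```

Two things worth knowing before applying this: the PIX is stateful, so the inbound ACL on the outside interface only governs connections initiated from the internet, and return traffic for sessions opened from the inside is unaffected by it; and because the ACL ends in an implicit deny, any other inbound access that was previously expected on that interface must now get its own permit line, or it stops working the moment the access-group is applied. Adding a second permitted source is just another pair of `permit tcp host <ip> host 208.242.x.x eq www` / `eq https` lines.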