https://community.cisco.com/t5/network-security/pix-firewall-configuration/m-p/653585#M1028532 <HTML><HEAD></HEAD><BODY><P>Hi Cindy,</P><P></P><P>Kindly clarify about your setup.</P><P>Where is the segment 172.1.1.0/24 located physically.?</P><P></P><P>Are they residing behind your inside interface of the firewall and you want to protect access to SAP server from this segment.?</P><P></P><P>This is not a good design. </P><P>As the source and destination segments are in your inside network, You cannot make this traffic to pass through firewall. ( unless you are using vlan segmentation of zones in your firewall, which i suppose not the case in your setup)</P><P></P><P>What do you want to achive?</P><P></P><P>If you want firewall protection for the SAP server from 172.1.1.0/24 segment, then you need to redesign the way in which your firewall is deployed.</P><P></P><P>If you dont want firewall protection for the sap server from the 172.1.1.0/24 segment, then you need to check the way routing is configured from the segment 172.1.1.0/24 till the sap server and do necessary changes, so that traffic from 172.1.1.0/24 segment will reach the SAP server with out passing through the firewall.</P><P></P><P>Kindly revert back with more details on your setup/requirement to us, if the above explanation doesn't apply to your network/needs.</P><P></P><P>Hope this helps.</P><P></P><P>-VJ</P><P></P><P></P><P></P></BODY></HTML> Fri, 19 Jan 2007 08:50:18 GMT vijayasankar 2007-01-19T08:50:18Z https://community.cisco.com/t5/network-security/pix-firewall-configuration/m-p/653582#M1028529 <P>Gurus,</P><P>I have a question here. Lets say if there is one router (18.10.3.2) connected to 18.10.3.1 of PIX FW interface, and there is 172.1.1.0/24 network to come in to 18.10.3.10/24 (SAP Server) from the router, (routing : 0.0.0.0 0.0.0.0 18.10.3.1 ),</P><P></P><P>How to apply permit list on the PIX Inside interface?</P><P></P><P>Am i suppose to apply on 18.10.3.1(inside) interface ?</P><P></P><P>Thanks!</P><P></P> Mon, 11 Mar 2019 09:21:58 GMT https://community.cisco.com/t5/network-security/pix-firewall-configuration/m-p/653582#M1028529 cindylee27 2019-03-11T09:21:58Z https://community.cisco.com/t5/network-security/pix-firewall-configuration/m-p/653583#M1028530 <HTML><HEAD></HEAD><BODY><P>Hi Cindy,</P><P></P><P>Where is the network 172.1.1.0/24. Is it outside your PIX.</P><P></P><P>If so, you need to apply the ACL on the outside interface of the pix, in the incoming direction.</P><P></P><P>access-group outside_acl in interface outside</P><P>In your acl outside_acl, you need to allow the segment 172.1.1.0/24 to access 18.10.3.10</P><P></P><P>access-list outside_acl permit ip 172.1.1.0 255.255.255.0 host 18.10.3.10</P><P></P><P>This acl will allow ip level access to the sap server from the segment 172.1.1.0/24.</P><P>Ideally you should be allowing only the relevant TCP port from 172.1.1.0/24 to your SAP server.</P><P></P><P>Revert back to us if you need further clarification. </P><P>Hope this helps. Kindly rate the post if it was helpful.</P><P></P><P>-VJ</P><P></P></BODY></HTML> Fri, 19 Jan 2007 08:27:57 GMT https://community.cisco.com/t5/network-security/pix-firewall-configuration/m-p/653583#M1028530 vijayasankar 2007-01-19T08:27:57Z https://community.cisco.com/t5/network-security/pix-firewall-configuration/m-p/653584#M1028531 <HTML><HEAD></HEAD><BODY><P>Thanks Vijay,</P><P>The network (172.1.1.0/24) comes to the inside interface of 18.10.3.1 PIX Inside Interface, but to 18.10.3.10 (SAP Server) which resides on the INSIDE Interface VLAN.</P><P></P><P>So, I am not too if the traffic will flow in to firewall as the route is to go firewall first,before going to 18.10.3.10 SAP Server.</P><P></P><P>Thanks,</P><P></P></BODY></HTML> Fri, 19 Jan 2007 08:34:57 GMT https://community.cisco.com/t5/network-security/pix-firewall-configuration/m-p/653584#M1028531 cindylee27 2007-01-19T08:34:57Z https://community.cisco.com/t5/network-security/pix-firewall-configuration/m-p/653585#M1028532 <HTML><HEAD></HEAD><BODY><P>Hi Cindy,</P><P></P><P>Kindly clarify about your setup.</P><P>Where is the segment 172.1.1.0/24 located physically.?</P><P></P><P>Are they residing behind your inside interface of the firewall and you want to protect access to SAP server from this segment.?</P><P></P><P>This is not a good design. </P><P>As the source and destination segments are in your inside network, You cannot make this traffic to pass through firewall. ( unless you are using vlan segmentation of zones in your firewall, which i suppose not the case in your setup)</P><P></P><P>What do you want to achive?</P><P></P><P>If you want firewall protection for the SAP server from 172.1.1.0/24 segment, then you need to redesign the way in which your firewall is deployed.</P><P></P><P>If you dont want firewall protection for the sap server from the 172.1.1.0/24 segment, then you need to check the way routing is configured from the segment 172.1.1.0/24 till the sap server and do necessary changes, so that traffic from 172.1.1.0/24 segment will reach the SAP server with out passing through the firewall.</P><P></P><P>Kindly revert back with more details on your setup/requirement to us, if the above explanation doesn't apply to your network/needs.</P><P></P><P>Hope this helps.</P><P></P><P>-VJ</P><P></P><P></P><P></P></BODY></HTML> Fri, 19 Jan 2007 08:50:18 GMT https://community.cisco.com/t5/network-security/pix-firewall-configuration/m-p/653585#M1028532 vijayasankar 2007-01-19T08:50:18Z