https://community.cisco.com/t5/network-security/permitting-traffic-through-pix-501/m-p/148548#M580324 <HTML><HEAD></HEAD><BODY><P>use netblocks</P><P></P><P>192.168.10.100 255.255.255.252 (covers 192.168.10.100 through 103)</P><P>192.168.10.104 255.255.255.248 (covers 192.168.10.104 through 111)</P><P>192.168.10.112 255.255.255.240 (covers 192.168.10.112 through 127)</P><P>192.168.10.128 255.255.255.224 (covers 192.168.10.128 through 159)</P><P>192.168.10.160 255.255.255.240 (covers 192.168.10.160 through 175)</P><P>192.168.10.176 255.255.255.252 (covers 192.168.10.176 though 179)</P><P>192.168.10.180 255.255.255.255</P><P></P><P>Those statements will cover all of your ip address space for your servers</P><P></P></BODY></HTML> Wed, 17 Sep 2003 11:43:45 GMT mostiguy 2003-09-17T11:43:45Z https://community.cisco.com/t5/network-security/permitting-traffic-through-pix-501/m-p/148545#M580306 <P>I have a class c network. 192.168.1.0 /24</P><P>i have several web,ftp and mail server 192.168.1.100 - 180</P><P>I also have two dns server 192.168.1.35,192.168.1.45</P><P>the problem is that i need to allow traffic from the outside to these webservers each host is a different server. how do i do this without having to enter the different static and access-list commands</P><P></P><P>for example</P><P>static (inside,outside) 10.0.0.100 192.168.1.100 netmask 255.255.255.255</P><P>access-list in permit tcp any host 10.0.0.100 eq www</P><P>access-list in permit tcp any host 10.0.0.100 eq smtp</P><P>access-list in permit tcp any host 10.0.0.100 eq ftp</P><P></P><P>i do not want to do this for 255 address that would be crazy</P><P></P><P>please help</P><P></P> Fri, 21 Feb 2020 06:59:50 GMT https://community.cisco.com/t5/network-security/permitting-traffic-through-pix-501/m-p/148545#M580306 jcajuste 2020-02-21T06:59:50Z https://community.cisco.com/t5/network-security/permitting-traffic-through-pix-501/m-p/148546#M580311 <HTML><HEAD></HEAD><BODY><P>You prety much do have to do it for all addresses, but it's easier of you can group them together. If you need to do it for all 255 addresses then it's easy, just do:</P><P><B></B></P><P>static (inside,outside) 10.0.0.0 192.168.1.0 netmask 255.255.255.0</P><P>access-list in permit tcp any host 10.0.0.0 eq www</P><P>access-list in permit tcp any host 10.0.0.0 eq smtp</P><P>access-list in permit tcp any host 10.0.0.0 eq ftp </P><P></P><P>If you only need to do it for 100-180 then it gets a little more difficult, as you have to group these together but with subnet masking it gets difficult. </P><P></P><P>Also I would recommend using an object group for the protocols in the access-list as follows:</P><P><B></B></P><P>objet-group service <I>allowed_prots</I> tcp</P><P> port-object eq ftp</P><P> port-object eq www</P><P> port-object eq smtp</P><P></P><P>access-list in permit tcp any host x.x.x.x object-group <I>allowed_prots</I></P><P></P><P>This'll save two access-list lines per host. See <A class="jive-link-custom" href="http://www.cisco.com/warp/public/707/pix_obj_grp.html" target="_blank">http://www.cisco.com/warp/public/707/pix_obj_grp.html</A> for details.</P><P></P></BODY></HTML> Wed, 17 Sep 2003 04:18:37 GMT https://community.cisco.com/t5/network-security/permitting-traffic-through-pix-501/m-p/148546#M580311 gfullage 2003-09-17T04:18:37Z https://community.cisco.com/t5/network-security/permitting-traffic-through-pix-501/m-p/148547#M580318 <HTML><HEAD></HEAD><BODY><P>thanks for the object gorup. but i still have to do for each address.</P></BODY></HTML> Wed, 17 Sep 2003 10:29:43 GMT https://community.cisco.com/t5/network-security/permitting-traffic-through-pix-501/m-p/148547#M580318 jcajuste 2003-09-17T10:29:43Z https://community.cisco.com/t5/network-security/permitting-traffic-through-pix-501/m-p/148548#M580324 <HTML><HEAD></HEAD><BODY><P>use netblocks</P><P></P><P>192.168.10.100 255.255.255.252 (covers 192.168.10.100 through 103)</P><P>192.168.10.104 255.255.255.248 (covers 192.168.10.104 through 111)</P><P>192.168.10.112 255.255.255.240 (covers 192.168.10.112 through 127)</P><P>192.168.10.128 255.255.255.224 (covers 192.168.10.128 through 159)</P><P>192.168.10.160 255.255.255.240 (covers 192.168.10.160 through 175)</P><P>192.168.10.176 255.255.255.252 (covers 192.168.10.176 though 179)</P><P>192.168.10.180 255.255.255.255</P><P></P><P>Those statements will cover all of your ip address space for your servers</P><P></P></BODY></HTML> Wed, 17 Sep 2003 11:43:45 GMT https://community.cisco.com/t5/network-security/permitting-traffic-through-pix-501/m-p/148548#M580324 mostiguy 2003-09-17T11:43:45Z https://community.cisco.com/t5/network-security/permitting-traffic-through-pix-501/m-p/148549#M580330 <HTML><HEAD></HEAD><BODY><P>thank you, but forgive me for not being so bright.</P><P>will the pix know to translate 10.0.0.100 to 192.168.10.100. ?</P><P></P><P></P></BODY></HTML> Wed, 17 Sep 2003 14:31:07 GMT https://community.cisco.com/t5/network-security/permitting-traffic-through-pix-501/m-p/148549#M580330 jcajuste 2003-09-17T14:31:07Z