https://community.cisco.com/t5/network-security/help-with-pix-configuration/m-p/1096604#M896335 <HTML><HEAD></HEAD><BODY><P>Either way will work.</P></BODY></HTML> Tue, 16 Sep 2008 15:19:28 GMT Collin Clark 2008-09-16T15:19:28Z https://community.cisco.com/t5/network-security/help-with-pix-configuration/m-p/1096600#M896326 <P>I need to open ports on the firewall for the following:</P><P></P><P>Port 80 From IP - 172.16.1.20 (in DMZ) to 195.118.216.163 (internal</P><P>network)</P><P>Port 1433 From IP 172.16.1.20 (in DMZ) to 195.118.216.163 (Internal</P><P>Network)</P><P></P><P>Also need to label the ports ie: 1433 SQL and HTTP 80 and specify a name for the rule ie: "Gateway to Swordfish Claims communication" if possible so we can keep track of the rules</P><P></P><P></P><P>Do do I configure this on a PIX firewall</P> Mon, 11 Mar 2019 13:44:51 GMT https://community.cisco.com/t5/network-security/help-with-pix-configuration/m-p/1096600#M896326 patel.nishit 2019-03-11T13:44:51Z https://community.cisco.com/t5/network-security/help-with-pix-configuration/m-p/1096601#M896328 <HTML><HEAD></HEAD><BODY><P>access-list dmz2internal extended permit tcp host 172.16.1.20 host 195.1189.216.163 eq 80</P><P>access-list dmz2internal extended permit tcp host 172.16.1.20 host 195.1189.216.163 eq 1433</P><P></P><P>Port 80 will be renamed (in the config) to HTTP and 1422 to SQLNET. I don't think there is a way to change them. For marking what an ACL does, you can add a remark.</P><P></P><P>access-list dmz2internal extended remark Gateway to Swordfish Claims communication</P><P></P><P>Hope that helps.</P></BODY></HTML> Tue, 16 Sep 2008 15:13:40 GMT https://community.cisco.com/t5/network-security/help-with-pix-configuration/m-p/1096601#M896328 Collin Clark 2008-09-16T15:13:40Z https://community.cisco.com/t5/network-security/help-with-pix-configuration/m-p/1096602#M896331 <HTML><HEAD></HEAD><BODY><P>You configure this in fw.</P><P></P><P>You can try something like this.</P><P></P><P>create no nat static entry</P><P></P><P>static (inside,DMZ) 195.118.216.163 195.118.216.163 netmask 255.255.255.255 0 0</P><P></P><P>create object group for tcp with description</P><P></P><P></P><P>object-group service TCP_GW_SWORFISH tcp</P><P>description Gateway to Sorfish</P><P>port-object eq 1433</P><P>port-object eq 80</P><P></P><P>then acl</P><P></P><P>access-list DMZ_access_in remark gateway_to_sorfish</P><P>access-list DMZ_access_in permit tcp host 172.16.1.20 host 195.118.216.163 object-group TCP_GW_SWORFISH</P><P>access-group DMZ_access_in in interface DMZ</P><P></P><P></P></BODY></HTML> Tue, 16 Sep 2008 15:13:51 GMT https://community.cisco.com/t5/network-security/help-with-pix-configuration/m-p/1096602#M896331 JORGE RODRIGUEZ 2008-09-16T15:13:51Z https://community.cisco.com/t5/network-security/help-with-pix-configuration/m-p/1096603#M896333 <HTML><HEAD></HEAD><BODY><P>Do I need to create an object group for this on pix.</P></BODY></HTML> Tue, 16 Sep 2008 15:17:35 GMT https://community.cisco.com/t5/network-security/help-with-pix-configuration/m-p/1096603#M896333 patel.nishit 2008-09-16T15:17:35Z https://community.cisco.com/t5/network-security/help-with-pix-configuration/m-p/1096604#M896335 <HTML><HEAD></HEAD><BODY><P>Either way will work.</P></BODY></HTML> Tue, 16 Sep 2008 15:19:28 GMT https://community.cisco.com/t5/network-security/help-with-pix-configuration/m-p/1096604#M896335 Collin Clark 2008-09-16T15:19:28Z https://community.cisco.com/t5/network-security/help-with-pix-configuration/m-p/1096605#M896338 <HTML><HEAD></HEAD><BODY><P>you do not have to create object group, it is a matter of preference, I like to have object groups segregated so I group them as such so that I know who I use the group for, fruthermore creating groups is easy as you can add more tcp services to them as support to individual acls per tcp udp ports.. and I do agree with Collin as well..</P></BODY></HTML> Tue, 16 Sep 2008 15:21:15 GMT https://community.cisco.com/t5/network-security/help-with-pix-configuration/m-p/1096605#M896338 JORGE RODRIGUEZ 2008-09-16T15:21:15Z https://community.cisco.com/t5/network-security/help-with-pix-configuration/m-p/1096606#M896342 <HTML><HEAD></HEAD><BODY><P>When I try to enter this acl it is giving me error invalid hostname.</P><P></P><P>access-list dmz2internal extended remark Gateway to Swordfish Claims communication</P><P>access-list dmz2internal extended permit tcp host 172.16.1.20 host 195.1189.216.163 eq 80</P><P>access-list dmz2internal extended permit tcp host 172.16.1.20 host 195.1189.216.163 eq 1433</P><P></P></BODY></HTML> Tue, 16 Sep 2008 15:27:03 GMT https://community.cisco.com/t5/network-security/help-with-pix-configuration/m-p/1096606#M896342 patel.nishit 2008-09-16T15:27:03Z https://community.cisco.com/t5/network-security/help-with-pix-configuration/m-p/1096607#M896347 <HTML><HEAD></HEAD><BODY><P>Second octet in the second IP, 1189 won't work.</P></BODY></HTML> Tue, 16 Sep 2008 15:29:40 GMT https://community.cisco.com/t5/network-security/help-with-pix-configuration/m-p/1096607#M896347 Collin Clark 2008-09-16T15:29:40Z https://community.cisco.com/t5/network-security/help-with-pix-configuration/m-p/1096608#M896349 <HTML><HEAD></HEAD><BODY><P>it worked thanks</P></BODY></HTML> Wed, 17 Sep 2008 07:14:09 GMT https://community.cisco.com/t5/network-security/help-with-pix-configuration/m-p/1096608#M896349 patel.nishit 2008-09-17T07:14:09Z