topic Re: Pix - Allowing ranges from 3 ips in Network Security

Pix - Allowing ranges from 3 ips

metalcoat — Mon, 11 Mar 2019 11:02:15 GMT

We have a pix firewall (external_ip) that is working perfectly. The problem is that we need to allow certain ports to a workstation (work_ip) from only 3 ips from a different company (outside_ip1,2,3).

The ports that need to be allowed to this workstation are 28000-28500 and 990. I have listed the commands I think should do it, any feedback or suggestions would be great.

access-list outside-inbound permit tcp host outside_ip1 host external_ip eq 990

access-list outside-inbound permit tcp host outside_ip2 host external_ip eq 990

access-list outside-inbound permit tcp host outside_ip3 host external_ip eq 990

access-list outside-inbound permit tcp host outside_ip1 host external_ip range 28000-28500

access-list outside-inbound permit tcp host outside_ip2 host external_ip range 28000-28500

access-list outside-inbound permit tcp host outside_ip3 host external_ip range 28000-28500

static (inside,outside) tcp external_ip 990 work_ip 990 netmask 255.255.255.255 0 0

static (inside,outside) tcp external_ip 28000-28500 work_ip 28000-28500 netmask 255.255.255.255 0 0

Re: Pix - Allowing ranges from 3 ips

metalcoat — Fri, 24 Aug 2007 14:13:49 GMT

Apparently I won't be able to use the static command for port ranges. I am very new to this.

Re: Pix - Allowing ranges from 3 ips

acomiskey — Fri, 24 Aug 2007 14:19:18 GMT

Since you're forwarding all the ports to the same server you can do this...

access-list outside-inbound permit tcp host outside_ip1 host external_ip eq 990

access-list outside-inbound permit tcp host outside_ip2 host external_ip eq 990

access-list outside-inbound permit tcp host outside_ip3 host external_ip eq 990

access-list outside-inbound permit tcp host outside_ip1 host external_ip range 28000-28500

access-list outside-inbound permit tcp host outside_ip2 host external_ip range 28000-28500

access-list outside-inbound permit tcp host outside_ip3 host external_ip range 28000-28500

static (inside,outside) interface work_ip netmask 255.255.255.255

Please rate helpful posts.

Re: Pix - Allowing ranges from 3 ips

metalcoat — Mon, 27 Aug 2007 17:54:08 GMT

After trying that last command, It blocks all access to the internet from the rest of the workstations. Maybe a less wide static statement?

Re: Pix - Allowing ranges from 3 ips

acomiskey — Mon, 27 Aug 2007 18:08:52 GMT

I'm sorry but are you saying that after you enter the static command that inside workstations cannot access the internet?

Re: Pix - Allowing ranges from 3 ips

metalcoat — Mon, 27 Aug 2007 18:38:22 GMT

Correct, its one workstation that I am routing all the information from those ports to. When the last command (static) is entered it seems that all information from all ports is forwarded there. At least thats what I think is happening. I plan on testing the equipment anyway today, I will post back on my findings, thank you for the quick replies.

Re: Pix - Allowing ranges from 3 ips

acomiskey — Mon, 27 Aug 2007 19:07:34 GMT

If you get a chance post a sanitized config for us to look at. thanks.