05-18-2005 05:20 PM - edited 02-21-2020 12:09 AM
I need a little help with a PIX ACL. I know how to open ports for specific IP addresses, but I need a little help opening ports on a server on my inside network with a public address, but having the ports opened only for a specific network. For example, I want ports 135, 137, 139, and 443 opened for my public address of 38.xx.xx.xx only for a source network of 144.38.xx.x. Is this possible, or do they have to be open for the "entire world"? Any help is greatly appreciated. Also, could I use the private address of the server instead of NATing a public address?
Thanks!
Bob C.
05-18-2005 08:16 PM
access-list OUTSIDE-IN permit tcp host from_host host to_host eq XXX
access-group OUTSIDE-IN in int outside
In your case it looks like:
access-list OUTSIDE-IN permit tcp 144.38.xx.x 255.255.XXX.XXX host 38.xx.xx.xx eq 443
05-18-2005 08:18 PM
Hi Bob,
You can use the object-group feature to do it (via the CLI or the PIX Device Manager, PDM).
PDM helps you simplify the task. You can download it from Cisco (a Cisco.com login is needed).
If you use PDM, go to:
1. "Tools - Service Groups" to create object-group for TCP/UDP services
2. "Configuration - Hosts/Network" to create object-group for network
3. "Configuration - Translation Rules" to create static NAT between your server and Public IP
4. "Configuration - Access Rules" to define ACL permitting access from Internet/Outside to your Server90.
Please modify the following sample configuration accordingly.
*************************************************************
Note:
- Public Server internal IP: 192.168.10.90
- Public Server external IP: 38.10.10.90
*************************************************************
name 192.168.10.90 Server90 --> maps a name to the inside IP of your public server (optional)
object-group service TCP_Ports tcp
port-object eq netbios-ssn
port-object eq 137
port-object eq 135
port-object eq https
object-group service UDP_Ports udp
port-object eq 139
port-object eq netbios-ns
port-object eq 135
object-group network Network_144_38
description Allowed External Network to access Server90
network-object 144.38.38.0 255.255.255.0
access-list outside_access_in permit tcp object-group Network_144_38 host 38.10.10.90 object-group TCP_Ports
access-list outside_access_in permit udp object-group Network_144_38 host 38.10.10.90 object-group UDP_Ports --> on PIX 6.x/7.x the outside ACL matches the translated (public) address, not the server's inside IP
ip address outside 38.10.10.2 255.255.255.0
ip address inside 192.168.10.1 255.255.255.0
static (inside,outside) 38.10.10.90 Server90 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 38.10.10.1 --> your next-hop router
*****************************************************
To verify the ACL, issue the "sh access-list" command, as follows:
PIXFW(config)# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list outside_access_in; 7 elements
access-list outside_access_in line 1 permit tcp object-group Network_144_38 host 38.10.10.90 object-group TCP_Ports
access-list outside_access_in line 1 permit tcp 144.38.38.0 255.255.255.0 host 38.10.10.90 eq netbios-ssn (hitcnt=0)
access-list outside_access_in line 1 permit tcp 144.38.38.0 255.255.255.0 host 38.10.10.90 eq 137 (hitcnt=0)
access-list outside_access_in line 1 permit tcp 144.38.38.0 255.255.255.0 host 38.10.10.90 eq 135 (hitcnt=0)
access-list outside_access_in line 1 permit tcp 144.38.38.0 255.255.255.0 host 38.10.10.90 eq https (hitcnt=0)
access-list outside_access_in line 2 permit udp object-group Network_144_38 host 38.10.10.90 object-group UDP_Ports
access-list outside_access_in line 2 permit udp 144.38.38.0 255.255.255.0 host 38.10.10.90 eq 139 (hitcnt=0)
access-list outside_access_in line 2 permit udp 144.38.38.0 255.255.255.0 host 38.10.10.90 eq netbios-ns (hitcnt=0)
access-list outside_access_in line 2 permit udp 144.38.38.0 255.255.255.0 host 38.10.10.90 eq 135 (hitcnt=0)
PIXFW(config)#
To allow outsiders to access your server, you have to translate the server's private IP to a public IP.
Rgds,
AK
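The answer above relies on two PIX behaviours that are easy to get wrong: an object-group ACE is expanded into one concrete ACE per (network, port) pair, and the list is evaluated first-match with an implicit deny at the end, so 144.38.38.0/24 gets the listed ports and everyone else gets nothing. The following is an added example, not code from this thread or from Cisco: a small Python model of that expansion and evaluation. The configuration text inside it is constructed to mirror the post's sample, the class and method names (PixAcl, expand, evaluate, inside_address) are this example's own, and the destination in the ACEs is the public address because PIX 6.x/7.x match the outside ACL against the translated address. One caveat a practitioner should keep in mind: restricting 135/137/139 to a source /24 still exposes RPC and NetBIOS to every host on that network and to anyone who can spoof it (trivial for UDP 137), so a VPN is the safer way to reach those services if it is an option.

```python
"""Expand a PIX 6.x-style object-group ACL the way `show access-list` does and
evaluate packets against it (first match wins, implicit deny at the end).
Added example, not code from the thread: the config text is constructed to
mirror the post's sample; names (PixAcl etc.) are this example's, not Cisco's.
"""
import ipaddress
from itertools import product

PIX_CONFIG = """
name 192.168.10.90 Server90
object-group service TCP_Ports tcp
 port-object eq netbios-ssn
 port-object eq 137
 port-object eq 135
 port-object eq https
object-group service UDP_Ports udp
 port-object eq 139
 port-object eq netbios-ns
 port-object eq 135
object-group network Network_144_38
 network-object 144.38.38.0 255.255.255.0
access-list outside_access_in permit tcp object-group Network_144_38 host 38.10.10.90 object-group TCP_Ports
access-list outside_access_in permit udp object-group Network_144_38 host 38.10.10.90 object-group UDP_Ports
static (inside,outside) 38.10.10.90 Server90 netmask 255.255.255.255
"""

# Service names the PIX accepts in place of numbers (only the ones used here).
PORT_NAMES = {"netbios-ns": 137, "netbios-dgm": 138, "netbios-ssn": 139, "https": 443}
ANY = ipaddress.IPv4Network("0.0.0.0/0")


class PixAcl:
    """Each expanded ACE is a tuple (action, proto, src_net, dst_net, dport|None)."""

    def __init__(self, config):
        self.names, self.groups, self.acls, self.statics = {}, {}, {}, {}
        members = None  # member list of the object-group being defined
        for tok in (line.split() for line in config.splitlines() if line.strip()):
            if tok[0] == "name":
                self.names[tok[2]] = tok[1]
            elif tok[0] == "object-group":  # service and network groups alike
                members = self.groups.setdefault(tok[2], [])
            elif tok[0] == "port-object":
                members.append(self._port(tok[2]))
            elif tok[0] == "network-object":
                members.append(self._net(tok[1:]))
            elif tok[0] == "access-list":
                self.acls.setdefault(tok[1], []).extend(self._expand(tok[2:]))
            elif tok[0] == "static":  # static (in,out) <public> <inside> netmask ...
                self.statics[self._addr(tok[2])] = self._addr(tok[3])
            # description, access-group, ip address, route: not needed here

    def _addr(self, token):
        return self.names.get(token, token)  # resolve `name` aliases

    def _port(self, token):
        return int(token) if token.isdigit() else PORT_NAMES[token]

    def _net(self, tok):  # ["host", A] or [A, MASK]
        if tok[0] == "host":
            return ipaddress.IPv4Network(self._addr(tok[1]) + "/32")
        return ipaddress.IPv4Network(f"{self._addr(tok[0])}/{tok[1]}", strict=False)

    def _endpoint(self, tok, i):
        """Parse one src/dst spec starting at tok[i]; return (networks, next i)."""
        if tok[i] == "any":
            return [ANY], i + 1
        if tok[i] == "object-group":
            return self.groups[tok[i + 1]], i + 2
        return [self._net(tok[i:i + 2])], i + 2

    def _expand(self, tok):
        """One configured ACE -> the concrete ACEs the PIX installs for it."""
        srcs, i = self._endpoint(tok, 2)
        dsts, i = self._endpoint(tok, i)
        if i >= len(tok):
            ports = [None]  # no port clause: any port
        elif tok[i] == "eq":
            ports = [self._port(tok[i + 1])]
        else:  # object-group <service group>
            ports = self.groups[tok[i + 1]]
        return [(tok[0], tok[1], s, d, p) for s, d, p in product(srcs, dsts, ports)]

    def expand(self, acl_name):
        """Render the expanded ACEs the way `show access-list` prints them."""
        def net(n):
            if n == ANY:
                return "any"
            return f"host {n.network_address}" if n.prefixlen == 32 else f"{n.network_address} {n.netmask}"
        return [f"{act} {proto} {net(s)} {net(d)}" + ("" if p is None else f" eq {p}")
                for act, proto, s, d, p in self.acls[acl_name]]

    def evaluate(self, acl_name, proto, src, dst, dport):
        """First matching ACE decides; no match is the implicit deny."""
        s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
        for act, aproto, asrc, adst, aport in self.acls[acl_name]:
            if aproto in (proto, "ip") and s in asrc and d in adst and aport in (None, dport):
                return act
        return "deny"

    def inside_address(self, public_ip):
        """Inside host a static NAT maps a public address to (None if no static)."""
        return self.statics.get(public_ip)


if __name__ == "__main__":
    acl = PixAcl(PIX_CONFIG)
    print("\n".join(acl.expand("outside_access_in")))
    # PIX 6.x/7.x match the outside ACL against the translated (public)
    # address, so test with the packet as the outside interface sees it.
    print(acl.evaluate("outside_access_in", "tcp", "144.38.38.10", "38.10.10.90", 443))  # permit
    print(acl.evaluate("outside_access_in", "tcp", "203.0.113.5", "38.10.10.90", 443))   # deny
```

Running it prints the seven expanded ACEs that `sh access-list` would show for this configuration, then a permit for the allowed source network and a deny for any other source. Feeding it a packet addressed to the server's inside IP (192.168.10.90) also returns deny, which is the failure mode you get on these PIX releases when the outside ACL is written against the private address: every ACE stays at hitcnt=0 and the session never opens.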