Access List Question on PIX 515

bchyka
Level 1

I need a little help with a PIX ACL. I know how to open ports for specific IP addresses, but I need a little help opening ports on a server on my inside network with a public address, but to have the ports be opened for only a specific network. For example, I want ports 135, 137, 139, and 443 opened for my public address of 38.xx.xx.xx only for a source network of 144.38.xx.x. Is this possible, or do they have to be open for the "entire world"? Any help is greatly appreciated. Also, could I use my private address of the server instead of NATing a public address?

thanks!

Bob C.

2 Replies

a.alekseev
Level 7

access-list OUTSIDE-IN permit tcp host from_host host to_host eq XXX

access-group OUTSIDE-IN in int outside

in your case it looks like

access-list OUTSIDE-IN permit tcp 144.38.xx.x 255.255.XXX.XXX host 38.xx.xx.xx eq 443

a.kiprawih
Level 7

Hi Bob,

You can use the object-group feature to do it (via CLI or PIX Device Manager (PDM)).

PDM helps you to simplify the tasks. You can download it from Cisco (requires a login ID).

If you use PDM, go to :

1. "Tools - Service Groups" to create object-group for TCP/UDP services

2. "Configuration - Hosts/Network" to create object-group for network

3. "Configuration - Translation Rules" to create static NAT between your server and Public IP

4. "Configuration - Access Rules" to define ACL permitting access from Internet/Outside to your Server90.

Please modify the following sample configuration accordingly.

*************************************************************

note:-

- Public Server internal IP: 192.168.10.90

- Public Server external IP: 38.10.10.90

*************************************************************

name 192.168.10.90 Server90 --> map name-to-IP of your public server (optional)

object-group service TCP_Ports tcp
  port-object eq netbios-ssn
  port-object eq 137
  port-object eq 135
  port-object eq https

object-group service UDP_Ports udp
  port-object eq 139
  port-object eq netbios-ns
  port-object eq 135

object-group network Network_144_38
  description Allowed External Network to access Server90
  network-object 144.38.38.0 255.255.255.0

access-list outside_access_in permit tcp object-group Network_144_38 host Server90 object-group TCP_Ports

access-list outside_access_in permit udp object-group Network_144_38 host Server90 object-group UDP_Ports

ip address outside 38.10.10.2 255.255.255.0

ip address inside 192.168.10.1 255.255.255.0

static (inside,outside) 38.10.10.90 Server90 netmask 255.255.255.255

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 38.10.10.1 --> your next-hop router

*****************************************************

To verify the ACL, issue the "sh access-list" command, as follows:

PIXFW(config)# sh access-list

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)

alert-interval 300

access-list outside_access_in; 8 elements

access-list outside_access_in line 1 permit tcp object-group Network_144_38 host Server90 object-group TCP_Ports

access-list outside_access_in line 1 permit tcp 144.38.38.0 255.255.255.0 host Server90 eq netbios-ssn (hitcnt=0)

access-list outside_access_in line 1 permit tcp 144.38.38.0 255.255.255.0 host Server90 eq 137 (hitcnt=0)

access-list outside_access_in line 1 permit tcp 144.38.38.0 255.255.255.0 host Server90 eq 135 (hitcnt=0)

access-list outside_access_in line 1 permit tcp 144.38.38.0 255.255.255.0 host Server90 eq https (hitcnt=0)

access-list outside_access_in line 2 permit udp object-group Network_144_38 host Server90 object-group UDP_Ports

access-list outside_access_in line 2 permit udp 144.38.38.0 255.255.255.0 host Server90 eq 139 (hitcnt=0)

access-list outside_access_in line 2 permit udp 144.38.38.0 255.255.255.0 host Server90 eq netbios-ns (hitcnt=0)

access-list outside_access_in line 2 permit udp 144.38.38.0 255.255.255.0 host Server90 eq 135 (hitcnt=0)

access-list outside_access_in line 2 permit udp 144.38.38.0 255.255.255.0 host Server90 eq 443 (hitcnt=0)

PIXFW(config)#

To allow outsiders to access your server, you have to translate the server's private IP to the public IP.

Rgds,

AK
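Added example, not from either reply: a small Python model of the object-group ACL above that expands the groups into per-port entries the way "sh access-list" does, then answers whether a given outside flow would be permitted. It assumes the outside ACL is evaluated against the server's mapped address from the static (38.10.10.90), and it follows the UDP_Ports group exactly as posted (three ports), so the expansion has 7 entries.

```python
import ipaddress
from typing import NamedTuple

# Constructed model of the reply's config (names, groups, static) as posted.
NAMES = {"Server90": "192.168.10.90"}
STATICS = {"192.168.10.90": "38.10.10.90"}  # static (inside,outside): real -> mapped
PORT_NAMES = {"netbios-ssn": 139, "netbios-ns": 137, "https": 443}
SERVICE_GROUPS = {
    "TCP_Ports": ("tcp", ["netbios-ssn", "137", "135", "https"]),
    "UDP_Ports": ("udp", ["139", "netbios-ns", "135"]),
}
NETWORK_GROUPS = {"Network_144_38": [("144.38.38.0", "255.255.255.0")]}
# access-list outside_access_in lines: (proto, source group, dest name, service group)
ACL = [
    ("tcp", "Network_144_38", "Server90", "TCP_Ports"),
    ("udp", "Network_144_38", "Server90", "UDP_Ports"),
]


class Entry(NamedTuple):
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Address
    port: int


def port_number(p: str) -> int:
    return PORT_NAMES[p] if p in PORT_NAMES else int(p)


def expand_acl(acl=ACL):
    """Expand object-groups into one entry per (network, port), like 'sh access-list'."""
    entries = []
    for proto, src_grp, dst_name, svc_grp in acl:
        grp_proto, ports = SERVICE_GROUPS[svc_grp]
        if grp_proto != proto:
            raise ValueError(f"{svc_grp} is a {grp_proto} group, used in a {proto} line")
        real = NAMES[dst_name]
        dst = ipaddress.IPv4Address(STATICS.get(real, real))  # match on mapped address
        for net, mask in NETWORK_GROUPS[src_grp]:
            src = ipaddress.IPv4Network(f"{net}/{mask}")
            entries.extend(Entry(proto, src, dst, port_number(p)) for p in ports)
    return entries


def permitted(proto: str, src_ip: str, dst_ip: str, dport: int, entries=None) -> bool:
    """A PIX ACL ends in an implicit deny: permit only if some entry matches."""
    entries = expand_acl() if entries is None else entries
    src, dst = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    return any(e.proto == proto and src in e.src and dst == e.dst and e.port == dport
               for e in entries)
```

Running the checks below confirms the point of the thread: the four ports are reachable only from the 144.38.38.0/24 source network, and everything else falls to the implicit deny.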
