Hi Federico

if i enter this commands to the CLI and then check in the  Cisco PDM i see that there are 3 new rules from the internal network to outside.

But i need to open this ports at the outside interface to intern!

Else my standard allow all rule from intern to extern is overwritten.

The access rules after the commands at CLI i attached as picture. As i see there the acces rules are from intern to extern.

Sebastian

Sebastian,

On your post you specify the requirements as outgoing (that's why I thought you need to open those ports in an outbound direction).

If you need to open them inbound... then the ACLs are like this:

access-list inbound permit tcp any any range 1025 65536access-list inbound permit udp any any eq 135

access-list inbound permit tcp any any eq 445

access-group inbound in interface outside

Now.... it is important to replace ''any'' with the network addresses to avoid security problems.

Also, remove the previos ACLs though.

Federico.

Thanks!

So if my backupserver have the IP 192.168.111.100 and the server who should be backuped the 192.168.110.100.

I will configure a Static NAT from 192.168.111.100 to 192.168.110.xxx/24

Then:

access-list inbound extended permit tcp 192.168.110.0 255.255.255.0 host 192.168.110.xxx range 1025 65535

access-list inbound extended permit tcp 192.168.110.0 255.255.255.0 host 192.168.110.xxx range eq 445

access-list inbound extended permit udp 192.168.110.0 255.255.255.0 host 192.168.110.xxx range eq 135

access-group inbound in interface inside

Is that ok? Where xxx is always the same IP at 192.168.110.0/24

So i read it at the "Cisco Security Appliance Command Line Configuration Guide" page 277.

Hope that is correct.

Sebastian

Yes,

If you have any problems please post your current configuration.

Federico.

Thanks again!

I will apply this rules tomorrow at customer site.

Another question... iam pretty new to Cisco and configured most things via ASDM.

If i apply this to my Test-ASA i can only see this rules at ASDM under VPN -> Group Policy -> Client Configuration -> Split Tunneling -> Extendet ACL

Should it not be visible at Security Policy -> Access Rules too ?

Sebastian

Yes, you should see the rules under Firewall - Access rules as well.

Federico.

Hi,

i set the access rules to the pix. But backup is still not possible. I installed the remote agend at the Server in 192.168.110.0 site.

At the backupserver 192.168.111.0 site i see the Server in 192.168.110.0 site.

But the backup agend sends data to backup server and from 192.168.110.0 to 192.168.111.0 all is allowed, so it is logical that backup programm see the remote server. But backup still dont work. Cant access to the server and select what i want to backup.

The static NAT route i set to a non used IP in 192.168.110.0 site. Dont know if that works, but so i understood at the Cisco CLI dokumentation.

The new PIX config i have attached.

Sebastian,

Do you need to access the server 192.168.111.100 from the outside of the PIX?
In that case you need to do the following:

no static (outside,inside) 192.168.110.250 WAWI-SBS netmask 255.255.255.255 0 0
static (inside,outside) 192.168.110.250 WAWI-SBS netmask 255.255.255.255 0 0

Also, you can only access the server with its NATed IP 192.168.110.250.
The inbound ACL is applied to the inside interface (you need to make sure the correct ports are allowed in that list).

Another thing,
In order to allow communication from the outside to the inside you require an ACL that is applied to the outside interface.
i.e.
access-list outside permit ip any host 192.168.110.119
access-group outside in interface outside

Note that you can access this server from the outside but not from the Internet since the NATed IP is a private IP.

Let me know what is failing after these changes.

Federico.

Hi Federico

no the server 192.168.111.100 is the backupserver (WAWI-SBS) and is located at the outside interface of the PIX.

I need to access a server in 192.168.110.0 subnet from the outside of the PIX.

I set the static NAT: static (outside,inside) 192.168.110.250 WAWI-SBS netmask 255.255.255.255 0 0

So i need to apply this commands to the PIX?

access-list outside permit ip any host 192.168.110.119
access-group outside in interface outside

I only need to access this server from outside not from internet.

Cant make changes at the PIX now, tomorrow i can do.

Let's say that you need to access server 192.168.110.10 from outside the PIX.

What you do is the following:

static (inside,outside) 192.168.110.10 192.168.110.10

access-list outside permit ip any host 192.168.110.10

access-group outside in interface outside

The above example is assuming that you don't need to NAT the server.

If you need to NAT 192.168.110.10 to 192.168.111.10 for example, you do this:

static (inside,outside) 192.168.111.10 192.168.110.10

access-list outside permit ip any host 192.168.111.10

access-group outside in interface outside

Federico.

Thanks

i attached a picture of the network. The green arrow shows the access i need with the special ports.

Only the 192.168.111.100 should can access to 192.168.110.0 subnet with the special ports.

Sebastian

static (inside,outside) 192.168.110.0 192.168.110.0 netmask 255.255.255.0
access-list outside permit tcp host 192.168.111.100 192.168.110.0 255.255.255.0 eq 80
access-group outside in interface outside

Sebastian,

The above configuration allows communication from outside host 192.168.111.100 to the internal LAN 192.168.110.0/24 only on the
ports that you specify in the ACL outside.
The above ACL is an example to allow port 80 (HTTP), you should include the ports you need to permit.

Federico.

Federico,

i will try this configuration at the PIX today.

But.... static (inside,outside) 192.168.110.0 192.168.110.0 netmask 255.255.255.0

two times 192.168.110.0? Is that ok so?

Sebastian