How do I open a port and limit the address range that uses it on PIX 515?

cookie999 (Level 1)

I have a PIX 515 v6.3, and a new piece of software that I'm getting soon will need to have port 5080 open for inbound and outbound HTTP traffic. The server will be in my DMZ at 10.0.0.1.

I would like to restrict inbound access to this port so that it can only be used from 4 specific foreign IP addresses, xxx.xxx.xxx.24 through xxx.xxx.xxx.27, and also, if possible, restrict the destination of outbound traffic using this port to a single specific foreign IP address, xxx.xxx.xxx.30.

Could you please advise me of the best way to do this?

Many thanks in advance from a relative PIX newbie.

1 Accepted Solution

Accepted Solutions

Patrick Iseli (Level 7)

PIX(config)# access-list acl-outside permit tcp host xxx.xxx.xxx.24 host MyWWWPublicIP eq 5080
PIX(config)# access-list acl-outside permit tcp host xxx.xxx.xxx.25 host MyWWWPublicIP eq 5080
PIX(config)# access-list acl-outside permit tcp host xxx.xxx.xxx.26 host MyWWWPublicIP eq 5080
PIX(config)# access-list acl-outside permit tcp host xxx.xxx.xxx.27 host MyWWWPublicIP eq 5080
PIX(config)# access-group acl-outside in interface outside

PIX(config)# access-list acl-dmz permit tcp host 10.0.0.1 host xxx.xxx.xxx.30 eq 5080
PIX(config)# access-group acl-dmz in interface dmz

PIX(config)# static (inside,outside) MyWWWPublicIP 10.0.0.1 netmask 255.255.255.255 0 0

See also:

PIX 500 Series Firewalls

http://www.cisco.com/pcgi-bin/Support/browse/psp_view.pl?p=Hardware:PIX&s=Software_Configuration

Configuring the PIX Firewall with Mail Server Access on DMZ Network

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008015efa9.shtml

sincerely

Patrick

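The following is an added example, not part of the thread or of Cisco's software: a small offline evaluator for PIX 6.3-style access-lists that lets you check a policy like the one above against concrete 5-tuples before pushing it to the box. The addresses are constructed stand-ins for the thread's placeholders (203.0.113.24-27 for xxx.xxx.xxx.24-27, 203.0.113.30 for xxx.xxx.xxx.30, 198.51.100.10 for MyWWWPublicIP), and the `static` uses the (dmz,outside) form Patrick corrects later in the thread. Two points the policy itself does not make obvious are exercised: every PIX access-list ends in an implicit deny, so once `acl-dmz` is bound to the DMZ interface any other connection the server initiates (DNS, updates, access to inside hosts) is dropped unless you add an ACE for it; and an `access-group` that names a list which was never defined (the `acl-dmx`/`acl-dmz` slip) means the policy you wrote is not the policy bound to the interface, which the `dangling_access_groups` check catches. On PIX 6.3 the outside ACL is matched against the mapped (static) address, which is why the rule names MyWWWPublicIP rather than 10.0.0.1.

```python
"""Offline first-match evaluator for PIX 6.3-style access-lists (added example, not Cisco code)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample config using documentation addresses as stand-ins for the thread's
# placeholders: xxx.xxx.xxx.24-27 -> 203.0.113.24-27, xxx.xxx.xxx.30 -> 203.0.113.30,
# MyWWWPublicIP -> 198.51.100.10 (the mapped address in the static).
CONFIG = """
access-list acl-outside permit tcp host 203.0.113.24 host 198.51.100.10 eq 5080
access-list acl-outside permit tcp host 203.0.113.25 host 198.51.100.10 eq 5080
access-list acl-outside permit tcp host 203.0.113.26 host 198.51.100.10 eq 5080
access-list acl-outside permit tcp host 203.0.113.27 host 198.51.100.10 eq 5080
access-group acl-outside in interface outside
access-list acl-dmz permit tcp host 10.0.0.1 host 203.0.113.30 eq 5080
access-group acl-dmz in interface dmz
static (dmz,outside) 198.51.100.10 10.0.0.1 netmask 255.255.255.255 0 0
""".strip().splitlines()


@dataclass(frozen=True)
class Ace:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip", "tcp", "udp", ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]          # None when the ACE carries no "eq PORT"


def _addr(tokens, i):
    """Parse one address spec at tokens[i] ('any', 'host A.B.C.D' or 'A.B.C.D MASK')."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # PIX access-lists take a normal subnet mask here, not an IOS wildcard mask.
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def parse_config(lines):
    """Return ({acl name: [Ace, ...]}, {interface: bound acl name}) from config lines."""
    acls, groups = {}, {}
    for line in lines:
        t = line.split()
        if t[:1] == ["access-list"]:
            name, action, proto = t[1], t[2], t[3]
            src, i = _addr(t, 4)
            dst, i = _addr(t, i)
            dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
            acls.setdefault(name, []).append(Ace(action, proto, src, dst, dport))
        elif t[:1] == ["access-group"]:
            groups[t[4]] = t[1]          # access-group NAME in interface IFACE
    return acls, groups


def dangling_access_groups(lines):
    """Names bound by access-group that no access-list line defines (catches typos)."""
    acls, groups = parse_config(lines)
    return sorted(n for n in groups.values() if n not in acls)


def permitted(lines, iface, proto, src, dst, dport=None):
    """First-match evaluation of the ACL bound inbound on iface; implicit deny at the end."""
    acls, groups = parse_config(lines)
    if iface not in groups:
        raise ValueError(f"no access-group bound to {iface}; security-level defaults apply")
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acls.get(groups[iface], []):
        if ace.proto not in ("ip", proto):
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action == "permit"
    return False   # nothing matched: PIX's implicit deny


if __name__ == "__main__":
    checks = [
        ("outside", "tcp", "203.0.113.24", "198.51.100.10", 5080),  # an allowed peer
        ("outside", "tcp", "203.0.113.28", "198.51.100.10", 5080),  # outside the .24-.27 set
        ("outside", "tcp", "203.0.113.24", "198.51.100.10", 80),    # right peer, wrong port
        ("dmz", "tcp", "10.0.0.1", "203.0.113.30", 5080),           # the one outbound peer
        ("dmz", "udp", "10.0.0.1", "192.0.2.53", 53),               # e.g. DNS: now denied too
    ]
    for c in checks:
        print(c, "permit" if permitted(CONFIG, *c) else "deny")
    typo = [l.replace("access-list acl-dmz", "access-list acl-dmx") for l in CONFIG]
    print("access-groups bound to undefined lists:", dangling_access_groups(typo))
```

Because .24 through .27 are the aligned block 203.0.113.24/30, the four host lines could also be written as one ACE with `203.0.113.24 255.255.255.252`; the parser accepts that form as well. The evaluator only models new connections hitting the interface ACL; return traffic for an established session is handled by the PIX connection table, not by these lists.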

4 Replies


Thanks Patrick, your help is very much appreciated.

Regards,

Colin

Little mistake!!

static (inside,outside) MyWWWPublicIP 10.0.0.1 netmask 255.255.255.255 0 0

should be:

static (dmz,outside) MyWWWPublicIP 10.0.0.1 netmask 255.255.255.255 0 0

As this server is supposed to be in the DMZ, isn't it?

sincerely

Patrick

Thanks for putting that right.

Regards

Colin
