02-07-2002 10:59 AM - edited 02-20-2020 09:58 PM
I have SAP servers on my network which I need external users to use. What access-list command should I be using for that? SAP uses tcp port 3200.
access-list 111 tcp ???
Also, how can I check if my firewall is stopping all unauthorized access?
02-07-2002 11:15 AM
You have to set up a static translation for each internal SAP server and create an access-list that states who can access what. The following example assumes:
internal server address : 172.16.1.1
external ip address for internal server: 200.1.1.1
external IP address that can access the server: 204.2.2.2 and 204.3.3.3
static (inside,outside) 200.1.1.1 172.16.1.1 netmask 255.255.255.255
access-list inbound permit tcp host 204.2.2.2 host 200.1.1.1 eq 3200
access-list inbound permit tcp host 204.3.3.3 host 200.1.1.1 eq 3200
access-group inbound in interface outside
I hope this helps.
02-07-2002 09:51 PM
Thanks, that would really help, but the locations that are going to access my SAP servers do not have a static IP.
Also, is there any way I can check whether my access-lists are correct and unauthorized access is not allowed?
02-08-2002 09:19 AM
In that case you need to use the 'any' keyword for the source IP addresses.
To verify if your ACL entries are correct, you need to have them checked by an experienced PIX person.
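An added example, not part of any reply in this thread: a small Python check over PIX configuration text that lists permit entries whose source or destination is `any`, whose destination host has no matching `static`, whose access list is not bound with `access-group`, or that name no port. The sample config is constructed from the lines posted above plus two `any` entries; the `audit` function and the finding labels are assumptions of this example, and it only covers the `any`, `host x` and `address mask` forms without port ranges or object groups.

```python
import re

# Constructed sample: the thread's lines plus two entries using 'any'.
SAMPLE_CONFIG = """\
static (inside,outside) 200.1.1.1 172.16.1.1 netmask 255.255.255.255
access-list inbound permit tcp host 204.2.2.2 host 200.1.1.1 eq 3200
access-list inbound permit tcp any host 200.1.1.1 eq 3200
access-list inbound permit tcp any any eq 3200
access-group inbound in interface outside
"""

# An address is 'any', 'host a.b.c.d', or 'a.b.c.d mask'.
ADDR = r"(any|host\s+\S+|\d+\.\d+\.\d+\.\d+\s+\d+\.\d+\.\d+\.\d+)"
ACL_RE = re.compile(
    rf"^access-list\s+(\S+)\s+(permit|deny)\s+(\S+)\s+{ADDR}\s+{ADDR}"
    r"(?:\s+eq\s+(\S+))?\s*$")
# static (inside,outside) <global_ip> <local_ip> ...
STATIC_RE = re.compile(r"^static\s+\(\S+,\S+\)\s+(\S+)\s+(\S+)")
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)")


def audit(config: str) -> list[str]:
    """Return one finding per over-broad or ineffective permit entry."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    statics = {m.group(1) for l in lines if (m := STATIC_RE.match(l))}
    applied = {m.group(1) for l in lines if (m := GROUP_RE.match(l))}
    findings = []
    for line in lines:
        m = ACL_RE.match(line)
        if not m or m.group(2) != "permit":
            continue
        name, _action, _proto, src, dst, port = m.groups()
        if name not in applied:
            findings.append(f"UNAPPLIED: {line}")   # no access-group binds it
        if src == "any":
            findings.append(f"ANY-SOURCE: {line}")  # open to every address
        if dst == "any":
            findings.append(f"ANY-DEST: {line}")    # reaches every static
        elif dst.startswith("host") and dst.split()[1] not in statics:
            findings.append(f"NO-STATIC: {line}")   # no translation exists
        if port is None:
            findings.append(f"ALL-PORTS: {line}")   # no 'eq <port>' limit
    return findings


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)) or "no findings")
```
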
02-11-2002 09:51 PM
Thanks buddy, that did work superbly.
Thanks again.