07-07-2008 12:52 PM - edited 03-11-2019 06:10 AM
Hi,
I'm not much up on PIX firewalls, so I am hoping someone here can answer this question: how would I modify the config below to allow ONLY the following IPs to access 10.2.2.8?
192.168.102.85
192.168.111.60
192.168.111.62
192.168.111.50
Running Config: (all I have to go on right now, attached)
07-07-2008 03:30 PM
Hi James
access-list outside_access_in permit ip host 192.168.111.60 host s-gc-docimg
access-list outside_access_in permit ip host 192.168.102.85 host s-gc-docimg
access-list outside_access_in permit ip host 192.168.111.62 host s-gc-docimg
access-list outside_access_in permit ip host 192.168.111.50 host s-gc-docimg
access-group outside_access_in in interface outside
Regards
07-07-2008 03:34 PM
Btw, the following command makes all other nat statements useless
access-list 100 permit ip any any
nat (inside) 0 access-list 100
07-07-2008 03:41 PM
Thanks for your response. So if I understand you correctly, remove the nat statements you mentioned, create and apply the access-list statements you mentioned and it should work, am I correct?
07-08-2008 01:28 PM
Removing the nat statement would affect some traffic if this firewall is used like a router that doesn't have nat enabled by default. That statement might have been issued on purpose so as not to spend time on detailed traffic definitions with statics.
If you decide to remove that NAT statement, make sure you enter the following
static (inside,outside) s-gc-docimg s-gc-docimg netmask 255.255.255.255
Regards
07-08-2008 06:28 PM
Thanks for the reply:
Question: I did as you suggested and also added the nat statement you recommended after removing the others, and no connection by those IP addresses was able to be made. I also tried it without your recommended nat statement and putting the existing ones back in, with no luck. Since there is a site-to-site VPN involved, wouldn't similar changes need to be made on the other side? (They do not have access to the other side device.)
07-09-2008 04:30 AM
"Since there is a site-to-site VPN involved"
Ah... Now it all makes sense.
First of all, your interesting traffic ACL 120 should not contain an "any any" statement unless you want all your connections (including your internet traffic) to go over the tunnel.
Assuming that remote site's local network is 192.168.111.0/24, here is the necessary config.
access-list inside_nat0_outbound permit ip 10.4.28.0 255.255.255.0 192.168.111.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
access-list 120 permit ip 10.4.28.0 255.255.255.0 192.168.111.0 255.255.255.0
no access-list 120 permit ip any any
no static (inside,outside) s-gc-docimg s-gc-docimg netmask 255.255.255.255
no access-list 100 permit ip any any
no access-list AgendaManager permit ip any any
no access-list AgendaManager permit icmp any any
no access-list AgendaManager permit tcp any any
no access-list outside_access_in permit ip host 192.168.111.60 host s-gc-docimg
no access-list outside_access_in permit ip host 192.168.102.85 host s-gc-docimg
no access-list outside_access_in permit ip host 192.168.111.62 host s-gc-docimg
no access-list outside_access_in permit ip host 192.168.111.50 host s-gc-docimg
no access-group outside_access_in in interface outside
fixup protocol icmp
clear xlate
Please post the latest config after above modifications.
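As an added illustration that is not part of this thread, here is a small Python model of PIX first-match ACL evaluation with the implicit deny at the end. It runs the outside_access_in entries from the earlier reply and both versions of the ACL 120 interesting-traffic list, and assumes that s-gc-docimg is the PIX name for 10.2.2.8 and that the remote LAN is 192.168.111.0/24 as stated above.

```python
import ipaddress

# Assumption for this example: the PIX "name" s-gc-docimg resolves to the
# host the original question asks about.
NAMES = {"s-gc-docimg": "10.2.2.8"}

def _operand(tokens):
    """Consume one address operand: 'any', 'host X', or 'NET MASK'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        addr = tokens.pop(0)
        return ipaddress.ip_network(NAMES.get(addr, addr) + "/32")
    mask = tokens.pop(0)  # dotted netmask, as PIX writes it
    return ipaddress.ip_network(f"{tok}/{mask}", strict=False)

def parse_acl(lines, name):
    """Return (action, src_net, dst_net) entries of one named ACL, in order.
    Only 'ip' entries are modelled; every relevant line in the thread is 'ip'."""
    entries = []
    for line in lines:
        tokens = line.split()
        if tokens[:2] != ["access-list", name] or tokens[3] != "ip":
            continue
        rest = tokens[4:]
        entries.append((tokens[2], _operand(rest), _operand(rest)))
    return entries

def evaluate(entries, src_ip, dst_ip):
    """First matching entry wins; PIX denies anything no entry matches."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, s, d in entries:
        if src in s and dst in d:
            return action
    return "deny"

# The ACL proposed earlier in the thread (constructed list of those lines).
OUTSIDE_ACCESS_IN = [
    "access-list outside_access_in permit ip host 192.168.111.60 host s-gc-docimg",
    "access-list outside_access_in permit ip host 192.168.102.85 host s-gc-docimg",
    "access-list outside_access_in permit ip host 192.168.111.62 host s-gc-docimg",
    "access-list outside_access_in permit ip host 192.168.111.50 host s-gc-docimg",
]
ACL_120_BROAD = ["access-list 120 permit ip any any"]
ACL_120_SPECIFIC = ["access-list 120 permit ip 10.4.28.0 255.255.255.0 192.168.111.0 255.255.255.0"]

def allowed_inbound(src_ip, dst_ip="10.2.2.8"):
    return evaluate(parse_acl(OUTSIDE_ACCESS_IN, "outside_access_in"), src_ip, dst_ip) == "permit"

def tunnelled(acl_lines, src_ip, dst_ip):
    """True if ACL 120 classifies the flow as interesting (sent over the VPN)."""
    return evaluate(parse_acl(acl_lines, "120"), src_ip, dst_ip) == "permit"
```

The broad ACL 120 classifies even a flow to a public address as VPN traffic, which is the side effect the reply above warns about.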