06-13-2008 11:10 AM - edited 03-11-2019 05:59 AM
Hopefully someone can help me. I am very new to PIX and am having a hard time understanding it. What I need to do is simply punch a hole in our firewall for a computer. I have very limited instructions that tell me I have to do a conf t to configure the terminal and I have to remove all entries then re-enter everything with the new information. How do I do this? And, is it just a certain block (such as the access-list) which I remove and re-enter? I need to add the lines:
access-list 200 permit tcp any host xx.xxx.xxx.228 eq 3389
access-list 200 permit tcp any host xx.xxx.xxx.228 eq www
then I know I need to add something like:
static (inside,outside) xx.xxx.xxx.228 xxx.xx.xx.23 dns netmask 255.255.255.255 0 0
Any help would be greatly appreciated. TIA!!
06-13-2008 12:49 PM
Hi
Simply select the line you want to remove, copy it, write "no", then paste the line. A "no" statement at the beginning will remove 95% of issued commands.
Also do not forget to assign the ACL to the interface:
access-group 200 in interface outside
Regards
06-16-2008 04:00 AM
Thank you for your reply. I was told at one point in time you have to remove everything, then add it all back in again anytime you need to change something. Is that the case? And, if so, does everything mean EVERYTHING you see when you do a show config, or is it just the block such as the lines beginning with access-list (as an example)? Also, I'm not sure what you mean by assign the ACL to the interface. See, I really am a newbie. Thanks again. Every little bit of information helps!
06-17-2008 06:31 AM
You need to remove the ACLs and paste them again. No need to remove all ACLs; it all depends on where you want to insert the ACL.
If you remove all ACLs for a particular interface, then you need to apply the ACL again to the interface.
06-19-2008 04:09 AM
Again, thank you for your response. Sorry to be so thick but I don't want to crash our pix when I do this. Below is a copy of our configuration. In order for me to add the lines:
access-list 200 permit tcp any host xx.xxx.xxx.228 eq 3389
access-list 200 permit tcp any host xx.xxx.xxx.228 eq www
Do I need to remove all entries that begin with 'access-list' or only the ones that begin with 'access-list 200'? Then, of course, reapply them with the new entries added. Then when I add:
static (inside,outside) xx.xxx.xxx.228 xxx.xx.xx.23 dns netmask 255.255.255.255 0 0
do I remove all 'static (inside,outside)' entries and reapply them (with the new entry added)?
Configuration:
names
access-list 101 permit ip xxx.xx.xx.0 255.255.255.0 xxx.xx.xx.0 255.255.255.0
access-list 101 permit ip xxx.xx.xx.0 255.255.255.0 xxx.xx.xx.0 255.255.255.0
access-list NONAT permit ip xxx.xx.xx.0 255.255.255.0 xxx.xx.xx.0 255.255.255.0
access-list NONAT permit ip xxx.xx.xx.0 255.255.255.0 xxx.xx.xx.0 255.255.255.0
access-list NONAT permit ip xxx.xx.xx.0 255.255.255.0 xxx.xx.xx.0 255.255.255.0
access-list NONAT permit ip xxx.xx.xx.0 255.255.255.0 xxx.xx.xx.0 255.255.255.0
access-list NONAT permit ip xxx.xx.xx.0 255.255.255.0 xxx.xx.xx.0 255.255.255.0
access-list NONAT permit ip xxx.xx.xx.0 255.255.255.0 xxx.xx.xx.0 255.255.255.0
access-list 102 permit ip xxx.xx.xx.0 255.255.255.0 xxx.xx.xx.0 255.255.255.0
access-list 102 permit ip xxx.xx.xx.0 255.255.255.0 xxx.xx.xx.0 255.255.255.0
access-list 200 permit ip xxx.xx.xx.0 255.255.255.0 any
access-list 200 permit tcp xxx.xxx.x.0 255.255.255.0 host xx.xxx.xxx.xxx
access-list 200 permit tcp xxx.xxx.x.0 255.255.255.0 host xx.xxx.xxx.234
access-list 200 permit tcp xx.xx.xxx.0 255.255.240.0 any eq ssh
access-list 200 permit tcp xxx.xxx.xxx.0 255.255.255.128 any eq ssh
access-list 200 permit tcp host xx.xx.xx.66 host xx.xxx.xxx.234
access-list 200 permit tcp any host xx.xxx.xxx.234 eq www
access-list 200 permit tcp any host xx.xxx.xxx.236 eq www
access-list 200 permit icmp any any
access-list 200 permit tcp xxx.xxx.x.0 255.255.255.0 host xx.xxx.xxx.235
access-list 200 permit tcp xx.xx.xx.0 255.255.240.0 any eq ssh
access-list 200 permit tcp host xx.xx.xx.66 host xx.xxx.xxx.235 eq 5900
access-list 200 permit tcp xxx.xxx.xxx.0 255.255.255.128 host xx.xxx.xxx.235
access-list 200 permit tcp xxx.xxx.xxx.0 255.255.255.128 host xx.xxx.xxx.234
access-list 200 permit tcp host xx.xx.xx.84 host xx.xxx.xxx.235
access-list 200 permit tcp any host xx.xxx.xxx.228 eq 3389
access-list 200 permit tcp any host xx.xxx.xxx.228 eq www
pager lines 20
static (inside,outside) xx.xxx.xxx.234 xxx.xx.xx.22 dns netmask 255.255.255.255 0 0
static (inside,outside) xx.xxx.xxx.236 xxx.xx.xx.31 dns netmask 255.255.255.255 0 0
static (inside,outside) xx.xxx.xxx.233 xxx.xx.xx.21 dns netmask 255.255.255.255 0 0
static (inside,outside) xx.xxx.xxx.235 xxx.xx.xx.20 dns netmask 255.255.255.255 0 0
static (inside,outside) xx.xxx.xxx.228 xxx.xx.xx.23 dns netmask 255.255.255.255 0 0
06-19-2008 09:45 AM
<< Do I need to remove all entries that begin with 'access-list' or only the ones that begin with 'access-list 200'? >>
No, you don't need to remove anything. PIX ACLs can be edited on the fly. The new ACL lines will appear at the end of the ACL. Like an extended IOS ACL, there is a way to optionally insert your two lines somewhere above within ACL 200 (not at the bottom). Let us know if you're interested in how to do this.
Good luck!
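As an added illustration of the ordering point made in this reply (not code from the thread or from Cisco): a small Python first-match evaluator for PIX-style access-list lines, run over a constructed ACL whose addresses are RFC 5737 documentation ranges. It shows why a permit appended at the bottom of ACL 200 is never reached if an earlier entry already denies that traffic, which is exactly the case where the optional line-insert matters.

```python
import ipaddress

# Constructed sample ACL in PIX syntax (RFC 5737 addresses, not the thread's real
# config). The deny entry exists only to show that position matters under first match.
ACL_200 = """
access-list 200 permit tcp 192.0.2.0 255.255.255.0 host 203.0.113.234
access-list 200 permit tcp any host 203.0.113.234 eq www
access-list 200 deny tcp any host 203.0.113.228 eq 3389
access-list 200 permit icmp any any
access-list 200 permit tcp any host 203.0.113.228 eq 3389
access-list 200 permit tcp any host 203.0.113.228 eq www
""".strip().splitlines()

PORT_NAMES = {"www": 80, "ssh": 22}  # PIX port keywords used in the thread's ACL

def _addr(tokens, i):
    """Parse a PIX address spec (any | host A | A SUBNET-MASK) starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # PIX masks are subnet masks (255.255.255.0), not IOS wildcard masks
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2

def parse_ace(line):
    """Return a dict for one access-list entry, or None for any other config line."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list":
        return None
    src, i = _addr(t, 4)
    dst, i = _addr(t, i)
    port = None
    if i + 1 < len(t) and t[i] == "eq":
        port = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return {"acl": t[1], "action": t[2], "proto": t[3], "src": src, "dst": dst, "dport": port}

def evaluate(acl_lines, acl_id, proto, src_ip, dst_ip, dport=None):
    """First-match evaluation as the PIX does it; (action, line) or the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for line in acl_lines:
        ace = parse_ace(line)
        if (ace and ace["acl"] == acl_id and ace["proto"] in ("ip", proto)
                and s in ace["src"] and d in ace["dst"]
                and ace["dport"] in (None, dport)):
            return ace["action"], line
    return "deny", None  # every PIX ACL ends with an implicit deny

if __name__ == "__main__":
    # The appended RDP permit is shadowed: the deny above it matches first
    print(evaluate(ACL_200, "200", "tcp", "198.51.100.7", "203.0.113.228", 3389))
    print(evaluate(ACL_200, "200", "tcp", "198.51.100.7", "203.0.113.228", 80))
```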
06-23-2008 03:59 AM
Thanks to all of you for your response. Really, it was such an easy task but considering I've never touched our pix before I wanted to make sure I knew exactly what to do. Thanks again!