03-15-2005 05:41 AM - edited 02-21-2020 12:00 AM
I'm an amateur at this so please be patient with me.
One of my users is getting an application that needs to communicate with the vendor's host. The vendor tells me that my user's workstation needs a public IP to make this work, but they have made it work with a NAT'ed IP. That would be my preferred method of connection, as giving that user a public IP would be a difficult task.
The question is, how do I go about configuring this user's IP address for port 80 and a few other ports (I haven't been given the other ports yet)?
Relevant config info:
>access-list outbound permit ip any any
>ip address outside 170.x.x.242 255.255.255.248
>ip address inside 10.x.x.1 255.255.254.0
>route outside 0.0.0.0 0.0.0.0 170.x.x.241 1
Based on other access rules we have set up for other needs, this is what I'm thinking of adding:
>access-list inbound permit ip any host 170.x.x.246
>static (inside,outside) 170.x.x.246 10.x.x.38 netmask 255.255.255.255 0 0
Would that be correct and if not, what am I missing? If any other information is needed, let me know.
Thanks in advance,
Ben
03-15-2005 06:02 AM
This would work but would open a backdoor to your network.
Better restrict the access-list to something like this below and also restrict the protocol to http !!
>access-list inbound permit tcp host PartnerPublicIP host 170.x.x.246 eq www
>static (inside,outside) 170.x.x.246 10.x.x.38 netmask 255.255.255.255 0 0
sincerely
Patrick
03-15-2005 06:30 AM
Thanks Patrick.
Questions:
Can I assume that the PartnerPublicIP is the IP address of the application host? Also, should "host" be included before and after PartnerPublicIP?
And, does eq www take into account the other ports that will need to be opened?
Finally, I'm dealing with an IT person on the other end with limited experience like myself. How would their configuration be set up to correspond with mine?
Thanks again,
Ben
03-15-2005 10:26 AM
Hi Ben,
1.) The host statement is before the Public IP.
2.) For each port that your client has to connect to on your internal server you have to add an access-list line, or you can work with object groups.
example:
PIX(config)# access-list acl-outside permit tcp host PartnerPubIP host MyPublicIP eq 25
PIX(config)# access-list acl-outside permit tcp host PartnerPubIP host MyPublicIP eq 443
PIX(config)# access-list acl-outside permit tcp host PartnerPubIP host MyPublicIP eq 80
PIX(config)# access-list acl-outside permit tcp host PartnerPubIP host MyPublicIP eq 21
PIX(config)# access-group acl-outside in interface outside
static (inside,outside) MyPublicIP 10.0.0.1 netmask 255.255.255.255
Don't forget to do a "clear xlate" after changing / adding the static line.
See examples on cisco:
Using and Configuring PIX Object Groups:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800d641d.shtml
Other examples:
http://www.cisco.com/pcgi-bin/Support/browse/psp_view.pl?p=Hardware:PIX&s=Software_Configuration
sincerely
Patrick
03-31-2005 09:03 AM
Patrick,
Just a follow-up to this thread from 2 weeks ago . . .
Once I got all the information I needed from my vendor, these were the commands I added:
>access-list inbound permit esp host 170.x.x.130 host 170.x.x.246
>static (inside,outside) 170.x.x.246 10.x.x.38 netmask 255.255.255.255 0 0
I had a little help from another client who had recently gotten the software and he helped me with the "permit esp" command. I don't quite understand why we used this instead of "permit tcp", though. I was wondering if you might provide a brief explanation.
Thanks again, Ben
03-31-2005 01:43 PM
As soon as you have more details on who will connect and with what port, TCP etc., let me know and I will give you some guidance on how to set up your configuration.
The example that you gave (access-list inbound permit esp host 170.x.x.130 host 170.x.x.246) alone will not work; this looks like an incomplete IPsec example.
Usually UDP 500 is also required for that.
example:
access-list inbound permit udp host 170.x.x.130 host 170.x.x.246 eq 500
access-list inbound permit esp host 170.x.x.130 host 170.x.x.246
But is it really the case that your partner wants to establish a VPN into the inside of your network, or do you establish the connectivity?
sincerely
Patrick
04-06-2005 09:32 AM
Curious.
You say the permit esp command alone will not work but it did, even without the udp 500 command added.
The connection is a VPN to the inside of their network and all tests thus far have been successful. Could that be the reason UDP was not necessary?
Thanks, Ben
04-06-2005 10:05 AM
Do you have the line:
sysopt connection permit-ipsec
in the configuration ?
If yes, that's why; you could even remove the command line that permits ESP, as the sysopt opens IPsec globally and does not check the access-list on the interfaces.
sincerely
Patrick
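As an added example that is not part of this thread, here is a small Python audit that reads a PIX-style configuration and flags the two points raised above: the "permit ip any host" line Patrick called a backdoor, and ESP/UDP 500 lines that sysopt connection permit-ipsec makes redundant (because IPsec traffic bypasses the interface access-list). The SAMPLE_CONFIG and the finding names are constructed; only "any" and "host X" source/destination forms are parsed.

```python
import re

# Constructed sample PIX 6.x config fragment modelled on the thread; the
# 170.x.x.x / 10.x.x.x addresses are the thread's own masked placeholders.
SAMPLE_CONFIG = """
access-list inbound permit ip any host 170.x.x.246
access-list inbound permit tcp host 170.x.x.130 host 170.x.x.246 eq www
access-list inbound permit esp host 170.x.x.130 host 170.x.x.246
access-list inbound permit udp host 170.x.x.130 host 170.x.x.246 eq 500
access-group inbound in interface outside
static (inside,outside) 170.x.x.246 10.x.x.38 netmask 255.255.255.255 0 0
sysopt connection permit-ipsec
"""

# Matches a permit ACE whose source and destination are "any" or "host X".
ACE_RE = re.compile(
    r"^access-list\s+(?P<acl>\S+)\s+permit\s+(?P<proto>\S+)\s+"
    r"(?P<src>any|host\s+\S+)\s+(?P<dst>any|host\s+\S+)(?:\s+eq\s+(?P<port>\S+))?$"
)

def parse_ace(line):
    """Return the ACE fields as a dict, or None for non-ACE lines."""
    m = ACE_RE.match(line.strip())
    return m.groupdict() if m else None

def audit(config):
    """Flag ACEs that widen exposure or are made moot by sysopt permit-ipsec."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    sysopt = "sysopt connection permit-ipsec" in lines
    findings = []
    for line in lines:
        ace = parse_ace(line)
        if not ace:
            continue
        proto, src, port = ace["proto"], ace["src"], ace["port"]
        if src == "any" and proto == "ip":
            # Every protocol from every source: the backdoor Patrick warned about.
            findings.append(("ANY_SOURCE_ANY_PROTO", line))
        elif src == "any":
            findings.append(("ANY_SOURCE", line))
        ike_or_esp = proto == "esp" or (proto == "udp" and port in ("500", "isakmp"))
        if ike_or_esp and sysopt:
            # With sysopt connection permit-ipsec the tunnel is admitted regardless
            # of this ACE, so the line is not what controls IPsec exposure.
            findings.append(("REDUNDANT_UNDER_SYSOPT", line))
    return findings

if __name__ == "__main__":
    for kind, line in audit(SAMPLE_CONFIG):
        print(f"{kind}: {line}")
```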
04-06-2005 11:04 AM
Yes, I have that line in my configuration.
You've been a big help, Patrick.
Thanks for everything.
Ben
04-06-2005 11:12 AM
The pleasure is mine.
sincerely
Patrick