01-18-2007 11:57 PM - edited 03-11-2019 02:21 AM
Gurus,
I have a question here. Let's say there is one router (18.10.3.2) connected to the 18.10.3.1 PIX FW interface, and the 172.1.1.0/24 network needs to come in to 18.10.3.10/24 (SAP Server) from the router (routing: 0.0.0.0 0.0.0.0 18.10.3.1).
How do I apply the permit list on the PIX inside interface?
Am I supposed to apply it on the 18.10.3.1 (inside) interface?
Thanks!
01-19-2007 12:27 AM
Hi Cindy,
Where is the network 172.1.1.0/24? Is it outside your PIX?
If so, you need to apply the ACL on the outside interface of the pix, in the incoming direction.
access-group outside_acl in interface outside
In your ACL outside_acl, you need to allow the segment 172.1.1.0/24 to access 18.10.3.10:
access-list outside_acl permit ip 172.1.1.0 255.255.255.0 host 18.10.3.10
This ACL will allow IP-level access to the SAP server from the segment 172.1.1.0/24.
Ideally you should be allowing only the relevant TCP port from 172.1.1.0/24 to your SAP server.
Revert back to us if you need further clarification.
Hope this helps. Kindly rate the post if it was helpful.
-VJ
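A fuller version of the configuration VJ outlines, added here as an illustration (it is not configuration posted in the thread), for the case where 172.1.1.0/24 really is outside the PIX and the SAP server 18.10.3.10 is inside: the broad IP-level entry beside the port-restricted one, the access-group binding, and the identity static that PIX 6.x needs before outside-to-inside traffic can pass. The TCP port 3200 is an assumption (the SAP dispatcher for instance 00 normally listens there); substitute the port(s) your SAP instance actually uses.

```cisco
! Added example for the scenario described above: 172.1.1.0/24 outside the PIX,
! SAP server 18.10.3.10 inside. Not configuration from the thread; PIX 6.x/7.x-style CLI.
! ASSUMPTION: SAP dispatcher instance 00 on TCP 3200. Use your real SAP port(s).

! --- Broad version, as in the reply above: any protocol/port reaches the SAP server ---
access-list outside_acl permit ip 172.1.1.0 255.255.255.0 host 18.10.3.10

! --- Tightened version: only the SAP application port ---
! Remove the broad entry first so it does not shadow the specific one.
no access-list outside_acl permit ip 172.1.1.0 255.255.255.0 host 18.10.3.10
access-list outside_acl permit tcp 172.1.1.0 255.255.255.0 host 18.10.3.10 eq 3200
! Optional: log other attempts against the server for detection and troubleshooting.
! PIX ACLs end with an implicit deny, so this entry only adds the logging.
access-list outside_acl deny ip any host 18.10.3.10 log

! Bind the ACL inbound on the outside (lower-security) interface.
access-group outside_acl in interface outside

! On PIX 6.x (and 7.x with nat-control enabled) an ACL permit alone is not enough for
! outside-to-inside traffic: the inside host also needs a translation. An identity static
! publishes the server at its own address without translating it.
static (inside,outside) 18.10.3.10 18.10.3.10 netmask 255.255.255.255
```

After applying it, `show access-list outside_acl` shows per-entry hit counts, which is the quickest way to confirm that SAP traffic is matching the port-specific permit rather than the deny entry.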
01-19-2007 12:34 AM
Thanks Vijay,
The network (172.1.1.0/24) comes in to the 18.10.3.1 PIX inside interface, but is destined to 18.10.3.10 (SAP Server), which resides on the inside interface VLAN.
So, I am not too sure if the traffic will flow in to the firewall, as the route is to go to the firewall first before going to the 18.10.3.10 SAP Server.
Thanks,
01-19-2007 12:50 AM
Hi Cindy,
Kindly clarify about your setup.
Where is the segment 172.1.1.0/24 located physically?
Is it residing behind the inside interface of your firewall, and do you want to protect access to the SAP server from this segment?
This is not a good design.
As the source and destination segments are both in your inside network, you cannot make this traffic pass through the firewall (unless you are using VLAN segmentation of zones in your firewall, which I suppose is not the case in your setup).
What do you want to achieve?
If you want firewall protection for the SAP server from 172.1.1.0/24 segment, then you need to redesign the way in which your firewall is deployed.
If you don't want firewall protection for the SAP server from the 172.1.1.0/24 segment, then you need to check the way routing is configured from the segment 172.1.1.0/24 to the SAP server and make the necessary changes, so that traffic from the 172.1.1.0/24 segment reaches the SAP server without passing through the firewall.
Kindly revert back to us with more details on your setup/requirement if the above explanation doesn't apply to your network/needs.
Hope this helps.
-VJ