
FWSM: How To allow access to both NAT and local IPs

bkhickman
Level 1

Trying to configure a FWSM for the first time. I would like to have my DMZ accessible by both a static NAT and its local IP. Can't seem to figure it out.

I know I will need to disable icmp before I go into production, but here is my context configuration so far. I want to be able to get to the device by using both the 172.30.15.12 and 172.30.15.18 IPs:

FWSM/comptroller# sh run
: Saved
:
FWSM Version 2.2(1) <context>
nameif vlan119 outside security0
nameif vlan120 inside security100
enable password xxx
passwd xxxx
hostname comptroller
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 H225 1720
fixup protocol h323 ras 1718-1719
fixup protocol icmp
fixup protocol icmp error
fixup protocol rsh 514
fixup protocol sip 5060
no fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list deny-flow-max 4096
access-list alert-interval 300
access-list INSIDE extended permit icmp any any
access-list INSIDE extended permit tcp any any eq www
access-list INSIDE extended permit tcp any any eq ftp
access-list INSIDE extended permit tcp any any eq telnet
access-list OUTSIDE extended permit icmp any any
access-list OUTSIDE extended permit tcp any any eq ftp
access-list OUTSIDE extended permit tcp any any eq www
access-list OUTSIDE extended permit tcp host 172.30.4.234 host 172.30.15.12 eq telnet
pager lines 24
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 172.30.15.3 255.255.255.240
ip address inside 172.30.15.17 255.255.255.240
no pdm history enable
arp timeout 14400
static (inside,outside) 172.30.15.12 172.30.15.18 netmask 255.255.255.255
access-group OUTSIDE in interface outside
access-group INSIDE in interface inside
!
interface outside
!
!
interface inside
!
!
route outside 0.0.0.0 0.0.0.0 172.30.15.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 rpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp
floodguard enable
fragment size 200 outside
fragment chain 24 outside
fragment size 200 inside
fragment chain 24 inside
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:xxx
: end

Thanks,

Brian

1 Reply

jechen
Level 1

I think the command:

access-list OUTSIDE extended permit tcp host 172.30.4.234 host 172.30.15.12 eq telnet

will work, but I have never tried the former two commands before this.

Try changing the any to 172.30.15.12; the commands should look like below:

access-list OUTSIDE extended permit tcp any host 172.30.15.12 eq ftp
access-list OUTSIDE extended permit tcp any host 172.30.15.12 eq www

Also, make sure the two VLANs were added to this firewall context and that routing is not a problem.
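The question and the reply both turn on the same two checks an FWSM context applies to a new connection arriving on the outside interface: the interface ACL has to permit it, and the global destination has to belong to a translation entry. The script below is an added example (not code from the thread or from Cisco) that models those two checks over the posted access-list and static lines, and then shows what changes when a hypothetical identity static for the local address 172.30.15.18 is added. It assumes the FWSM 2.x default of requiring a translation for traffic crossing interfaces and that the inbound ACL is matched against the untranslated (global) destination; the functions `parse_acl`, `parse_static` and `check_inbound`, the constants `THREAD_CONFIG` and `IDENTITY_STATIC`, and the client address 172.30.4.234 used as a sample source are all constructed for this example.

```python
"""Added example (not from the thread): a small model of how an FWSM 2.x
context decides whether a new connection arriving on the outside interface
is forwarded.  Assumes the FWSM default of requiring a translation (static)
for traffic crossing interfaces, and that the inbound ACL is matched against
the untranslated (global) destination address."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Service names used by the thread's ACL entries (well-known TCP ports).
SERVICE_PORTS = {"www": 80, "ftp": 21, "telnet": 23}

ACL_RE = re.compile(r"access-list (\S+) extended (permit|deny) (\w+) (.*)")
STATIC_RE = re.compile(r"static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)")


@dataclass(frozen=True)
class AclEntry:
    name: str
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int]  # None means "any port"


@dataclass(frozen=True)
class Static:
    real: str    # local (inside) address
    mapped: str  # global (outside) address


def _address(tokens) -> ipaddress.IPv4Network:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D M.M.M.M' from the token stream."""
    tok = next(tokens)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(next(tokens) + "/32")
    return ipaddress.ip_network(f"{tok}/{next(tokens)}", strict=False)


def parse_acl(line: str) -> Optional[AclEntry]:
    """Parse one 'access-list NAME extended permit|deny PROTO SRC DST [eq PORT]' line."""
    m = ACL_RE.match(line)
    if not m:
        return None
    name, action, proto, rest = m.groups()
    tokens = iter(rest.split())
    src, dst = _address(tokens), _address(tokens)
    tail = list(tokens)
    port = None
    if len(tail) == 2 and tail[0] == "eq":
        port = SERVICE_PORTS.get(tail[1]) or int(tail[1])
    return AclEntry(name, action, proto, src, dst, port)


def parse_static(line: str) -> Optional[Static]:
    """Parse 'static (real_if,mapped_if) mapped_ip real_ip netmask mask'."""
    m = STATIC_RE.match(line)
    if not m:
        return None
    _real_if, _mapped_if, mapped, real, _mask = m.groups()
    return Static(real=real, mapped=mapped)


def check_inbound(config: List[str], src: str, dst: str, proto: str, port: int,
                  acl_name: str = "OUTSIDE") -> Tuple[str, str]:
    """Return ("forwarded", real_destination) or ("dropped", reason)."""
    acls = [e for e in map(parse_acl, map(str.strip, config)) if e]
    statics = [s for s in map(parse_static, map(str.strip, config)) if s]
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # 1. First matching entry in the interface ACL wins; implicit deny at the end.
    for e in acls:
        if e.name != acl_name or e.proto not in (proto, "ip"):
            continue
        if s not in e.src or d not in e.dst:
            continue
        if e.port is not None and e.port != port:
            continue
        if e.action == "deny":
            return ("dropped", f"denied by ACL {acl_name}")
        break
    else:
        return ("dropped", f"no match in ACL {acl_name} (implicit deny)")
    # 2. The global destination must belong to a static translation.
    for st in statics:
        if st.mapped == dst:
            return ("forwarded", st.real)
    return ("dropped", "no translation for destination")


# Constructed excerpt of the context configuration posted in the thread.
THREAD_CONFIG = [
    "access-list OUTSIDE extended permit icmp any any",
    "access-list OUTSIDE extended permit tcp any any eq ftp",
    "access-list OUTSIDE extended permit tcp any any eq www",
    "access-list OUTSIDE extended permit tcp host 172.30.4.234 host 172.30.15.12 eq telnet",
    "static (inside,outside) 172.30.15.12 172.30.15.18 netmask 255.255.255.255",
]

# Hypothetical identity static (candidate fix, not from the thread): maps the
# local address to itself so it also has a translation entry.
IDENTITY_STATIC = "static (inside,outside) 172.30.15.18 172.30.15.18 netmask 255.255.255.255"

if __name__ == "__main__":
    client = "172.30.4.234"  # constructed sample source, taken from the telnet ACL entry
    for label, cfg in (("as posted", THREAD_CONFIG),
                       ("with identity static", THREAD_CONFIG + [IDENTITY_STATIC])):
        for target in ("172.30.15.12", "172.30.15.18"):
            print(f"{label}: {client} -> {target}/tcp/80:",
                  check_inbound(cfg, client, target, "tcp", 80))
```

Run as posted, HTTP to 172.30.15.12 is forwarded to 172.30.15.18, while HTTP to 172.30.15.18 passes the `any any eq www` entry but is dropped for lack of a translation; adding the identity static makes the second path forward as well. Two things the model deliberately leaves out are worth keeping in mind: the upstream router at 172.30.15.1 must also route 172.30.15.16/28 toward the FWSM outside address 172.30.15.3 for the local address to be reachable at all (the reply's routing point), and the `any any` entries are broader than needed, so once the intended hosts are known the entries should name them with `host` rather than `any`.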