07-15-2004 07:30 AM - edited 02-20-2020 09:25 PM
Good Morning all.
I have noticed that I am unable to deny access to an IP that is statically mapped from the inside to the web interface of my 535 firewall running 6.3.3. I entered the following.
static (inside,web) 10.1.1.1 10.1.1.1 netmask 255.255.255.255
access-list web permit ip host 10.1.1.1 host 10.5.0.76
access-group web in interface web
The network number of the web interface is 10.51.0.0 255.255.0.0.
For some reason I can ping 10.1.1.1 from every host on the web interface. I want to restrict it. I am allowing icmp on the incoming access-list which is bound to the inside interface. Let me know what you guys think.
Thanks
Tripp
07-15-2004 07:31 AM
static (inside,web) 10.1.1.1 10.1.1.1 netmask 255.255.255.255
access-list web permit ip host 10.1.1.1 host 10.51.0.76
access-group web in interface web
07-15-2004 09:20 AM
Tripp,
I am confused by what you are trying to accomplish. The 10.1.1.1 host is on your inside interface yet you created an access-list applied *inbound* on your web interface that permits packets sourced from 10.1.1.1 and destined for 10.51.0.76 (I saw the corrected output). The web interface should never see packets inbound that match this ACL. And based on your description, it would seem you are trying to deny the packets from the hosts on the web interface to the 10.1.1.1 host on the inside. Is that correct? If so, you want to swap your source and destination addresses in your ACL entry and make it a deny rather than a permit.
If I have misunderstood anything here, let me know.
Scott
07-15-2004 10:37 AM
Scott,
Thanks for the reply. I am trying to set up a domain trust with the inside server and a server on the web interface. The only way to do that is to make the static mapping the same IP on both interfaces, which you see with the 10.1.1.1 mapping; however, I do not want any other hosts to be able to communicate with 10.1.1.1 other than 10.51.0.76 and 77. Does that help any?
Tripp
07-15-2004 11:54 AM
Ahh, OK, somewhat more clear. You need to swap your source and destination addresses in your access-list statement then. Remember, ACLs on a PIX are only applied inbound (for now), so you need to view the permissions based on what the web interface is going to see coming into it (that being a packet sourced from 10.51.X.X destined for 10.1.1.1). Let me know if this helps.
Scott
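As an added illustration of Scott's point (not part of the original thread), the following Python models how the PIX evaluates an inbound ACL on the web interface: first match wins, with the implicit deny at the end. The ACL lines are a constructed corrected version of Tripp's configuration, with the web-side hosts as the source and the translated 10.1.1.1 as the destination; the access-list names, the 10.51.0.77 entry and the trailing permit-any are assumptions, not text from the thread.

```python
import ipaddress

# Constructed corrected ACL: applied *inbound* on the web interface, so the source
# is the web-side host and the destination is the static-mapped 10.1.1.1.
# Bound with: access-group web in interface web
WEB_ACL = [
    "access-list web permit ip host 10.51.0.76 host 10.1.1.1",
    "access-list web permit ip host 10.51.0.77 host 10.1.1.1",
    "access-list web deny ip any host 10.1.1.1",
    "access-list web permit ip any any",  # assumed: other web traffic still allowed
]

def _parse_addr(tokens, i):
    """Parse one PIX address spec at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # PIX style: address followed by a dotted subnet mask, e.g. 10.51.0.0 255.255.0.0
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2

def parse_acl(lines):
    """Turn 'access-list NAME ACTION PROTO SRC DST' lines into (action, proto, src, dst)."""
    entries = []
    for line in lines:
        t = line.split("#")[0].split()
        if t[:1] != ["access-list"] or len(t) < 5:
            raise ValueError(f"not an access-list entry: {line}")
        action, proto = t[2], t[3]
        src, i = _parse_addr(t, 4)
        dst, _ = _parse_addr(t, i)
        entries.append((action, proto, src, dst))
    return entries

def evaluate(entries, src_ip, dst_ip, proto="ip"):
    """Return 'permit' or 'deny' for a packet as the web interface would see it inbound."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, aproto, src, dst in entries:
        # an 'ip' entry matches every protocol; otherwise the protocol must match exactly
        if aproto in ("ip", proto) and s in src and d in dst:
            return action
    return "deny"  # implicit deny at the end of every PIX ACL

if __name__ == "__main__":
    acl = parse_acl(WEB_ACL)
    for src in ("10.51.0.76", "10.51.0.5"):
        print(src, "-> 10.1.1.1 (icmp):", evaluate(acl, src, "10.1.1.1", "icmp"))
```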