Static mappping and Access-list

dmepix
Level 1

Good Morning all.

I have noticed that I am unable to deny access to an IP that is statically mapped from the inside to the web interface of my 535 firewall running 6.3.3. I entered the following.

static (inside,web) 10.1.1.1 10.1.1.1 netmask 255.255.255.255

access-list web permit ip host 10.1.1.1 host 10.5.0.76

access-group web in interface web

The network of the web interface is 10.51.0.0 255.255.0.0.

For some reason I can ping 10.1.1.1 from every interface on the web. I want to restrict it. I am allowing ICMP on the incoming access-list, which is bound to the inside interface. Let me know what you guys think.

Thanks

Tripp

4 Replies

dmepix
Level 1

static (inside,web) 10.1.1.1 10.1.1.1 netmask 255.255.255.255

access-list web permit ip host 10.1.1.1 host 10.51.0.76

access-group web in interface web

scoclayton
Level 7

Tripp,

I am confused by what you are trying to accomplish. The 10.1.1.1 host is on your inside interface yet you created an access-list applied *inbound* on your web interface that permits packets sourced from 10.1.1.1 and destined for 10.51.0.76 (I saw the corrected output). The web interface should never see packets inbound that match this ACL. And based on your description, it would seem you are trying to deny the packets from the hosts on the web interface to the 10.1.1.1 host on the inside. Is that correct? If so, you want to swap your source and destination addresses in your ACL entry and make it a deny rather than a permit.

If I have misunderstood anything here, let me know.

Scott

Scott,

Thanks for the reply. I am trying to set up a domain trust between the inside server and a server on the web interface. The only way to do that is to make the static mapping the same IP on both interfaces, which you see with the 10.1.1.1 mapping; however, I do not want any other hosts to be able to communicate with 10.1.1.1 other than 10.51.0.76 and 77. Does that help any?

Tripp

Ah, OK, somewhat clearer. You need to swap your source and destination addresses in your access-list statement then. Remember, ACLs on a PIX are only applied inbound (for now), so you need to view the permissions based on what the web interface is going to see coming into it (that being a packet sourced from 10.51.X.X destined for 10.1.1.1). Let me know if this helps.

Scott
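Putting the advice in this thread together as one PIX 6.3 configuration. This is an added example, not configuration posted by anyone in the thread: the interface names inside and web and the addresses come from the posts, while the `remark` lines and the explicit final deny are additions, and 10.51.0.77 is the second host Tripp mentioned.

```text
access-list web remark Added example, not from the original thread
access-list web remark web sees packets from 10.51.0.0/16 to 10.1.1.1 inbound, first match wins
access-list web remark PIX ACLs take subnet masks, not IOS wildcard masks
static (inside,web) 10.1.1.1 10.1.1.1 netmask 255.255.255.255
access-list web permit ip host 10.51.0.76 host 10.1.1.1
access-list web permit ip host 10.51.0.77 host 10.1.1.1
access-list web deny ip any host 10.1.1.1
access-group web in interface web
```

Two checks worth making. First, the command that binds an ACL to an interface is `access-group`, not `access-list`; an ACL that is defined but never bound has no effect on traffic, and an identity static on its own does not restrict who can reach the mapped address. Second, run `clear xlate` after changing the static so existing translations are rebuilt. The trailing `deny ip any host 10.1.1.1` duplicates the implicit deny at the end of every PIX ACL, but it makes blocked attempts visible in the hit counts of `show access-list`. Return traffic for TCP and UDP sessions opened by the two permitted hosts is handled by the connection table, but PIX 6.3 does not track ICMP statefully, so pings sent from 10.1.1.1 toward the web hosts need their echo replies permitted inbound on web as well.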