PIX configurations

xhackuss1
Level 1

I am configuring a VPN between my network and a customer who has a range of hosts that will be accessing my host. I am saddled with how to configure an access-list on my PIX to accept a range of host IP addresses from my partner, say x.x.x.183 to x.x.x.212.

Somebody please help me with this ACL. I am using an extended ACL.


a.kiprawih
Level 7

*Firewall Forum*

You can use an object-group and one line of ACL, or use multiple ACLs to include all addresses.

Apply/bind the ACL on your outside interface.

And for you to allow your partner to access your internal servers/resources, I assume you have already defined a static map of internal to public IP.

Configuration example:

1. Object-group listing the partner's IPs:

object-group network PARTNER-IP
 network-object host 100.100.100.183
 network-object host 100.100.100.184
 network-object host 100.100.100.212

2. Access-list on the outside interface:

access-list outside permit ip object-group PARTNER-IP host x.x.x.100 --> permit all IP (tcp/udp/etc.) to a single internal host
access-list outside permit tcp object-group PARTNER-IP host x.x.x.101 eq https --> allow only tcp/https
access-list outside permit udp object-group PARTNER-IP host x.x.x.101 eq domain --> allow only udp/domain (DNS)
access-group outside in interface outside

*You can create the ACL without the 'extended' keyword, as it will be added automatically by the PIX.

3. Static NAT/map of the internal servers to public IPs. Assuming the internal IPs are 10.1.1.40 and 10.1.1.41:

static (inside,outside) x.x.x.100 10.1.1.40 netmask 255.255.255.255 --> map internal 10.1.1.40 to public IP x.x.x.100
static (inside,outside) x.x.x.101 10.1.1.41 netmask 255.255.255.255 --> map internal 10.1.1.41 to public IP x.x.x.101

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800d641d.shtml

HTH

AK
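The reply lists the partner hosts one `network-object host` line at a time; for a contiguous range such as .183 to .212 the same object-group can be expressed in a handful of subnet entries. The script below (an added example, not from the thread or from Cisco) computes the minimal exact CIDR cover for a range, emits the PIX object-group lines, and checks that the cover admits nothing outside the partner range, which is the mistake to watch for when a range is hand-summarised into one larger subnet. The 100.100.100.x addresses are constructed sample values.

```python
import ipaddress

# Constructed sample range standing in for the thread's x.x.x.183 - x.x.x.212.
RANGE_START = "100.100.100.183"
RANGE_END = "100.100.100.212"


def range_to_networks(start, end):
    """Minimal list of CIDR blocks that exactly covers start..end (inclusive)."""
    first = ipaddress.IPv4Address(start)
    last = ipaddress.IPv4Address(end)
    return list(ipaddress.summarize_address_range(first, last))


def network_object_lines(start, end):
    """PIX 'network-object' lines: host form for a /32, subnet + mask otherwise."""
    lines = []
    for net in range_to_networks(start, end):
        if net.prefixlen == 32:
            lines.append(f"network-object host {net.network_address}")
        else:
            lines.append(f"network-object {net.network_address} {net.netmask}")
    return lines


def object_group_config(name, start, end):
    """Complete object-group block in the form used in the reply above."""
    body = [f"object-group network {name}"]
    body += [" " + line for line in network_object_lines(start, end)]
    return "\n".join(body)


def covers_exactly(start, end, nets):
    """True only if the blocks admit every address in start..end and none outside it.

    A hand-picked summary such as a single /25 would pass the 'covers everything'
    half but permit partner-adjacent hosts the ACL was never meant to allow.
    """
    lo = int(ipaddress.IPv4Address(start))
    hi = int(ipaddress.IPv4Address(end))
    wanted = set(range(lo, hi + 1))
    covered = set()
    for net in nets:
        net = ipaddress.ip_network(str(net))  # accept strings or network objects
        covered.update(int(addr) for addr in net)
    return covered == wanted


if __name__ == "__main__":
    print(object_group_config("PARTNER-IP", RANGE_START, RANGE_END))
```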
