Access List help

Mar 14th, 2007

Hello,


I have a question about configuring an access list. Can you use computer names instead of IP addresses? We have a PIX in front of our SQL servers, and the workstation PCs that need to access the SQL servers are assigned DHCP addresses.

suschoud Wed, 03/14/2007 - 07:54

Hi,

If you want to use a computer name, you need to configure that name in the PIX.


example:


name 207.17.34.0 RediPlus2

name 216.35.59.0 RediPlus1

name 192.168.1.12 Themis02

name 1.1.1.1 abc

name 10.12.252.11 TACACS-2.6



Use these names in the access-list.


Hope this helps.


Regards,

Sushil

allcastr Wed, 03/14/2007 - 07:54

Hello.


Yes, you can, but you need to give the IP address a name first. Here's an example:


pixfirewall(config)# int e1

pixfirewall(config-if)# ip address 192.168.1.1

pixfirewall(config-if)# no shut

pixfirewall(config-if)# duplex full

pixfirewall(config-if)# nameif inside

INFO: Security level for "inside" set to 100 by default.

ICMP: icmp_open Entry for context 0

pixfirewall(config-if)# exit

pixfirewall(config)#

pixfirewall(config)# name 192.168.1.100 SQL-SERVER

pixfirewall(config)# access-list inside-access permit ip host SQL-SERVER any

pixfirewall(config)# access-group inside-access in interface inside

pixfirewall(config)#


I hope this helps.

brianwagerer Wed, 03/14/2007 - 12:20

That helps a little bit, but I have to give DHCP clients access to a SQL server behind the PIX.

What if the IP on the client changes? Then I have to log in and change it on the PIX too.

suschoud Wed, 03/14/2007 - 12:25

OK, please clarify:

On which interface of the PIX do we have the SQL server?

On which interface of the PIX do we have the workstations?


Which code are you running on this PIX?


Also, please post the output of the following:


sh nat (if code is 6.x)

sh run nat (if code is 7.x)

sh glo (if code is 6.x)

sh run glo (if code is 7.x)

sh static (if code is 6.x)

sh run static (if code is 7.x)

acomiskey Wed, 03/14/2007 - 12:25

If all the clients in the dhcp pool have access, then just allow the whole network.

acomiskey Wed, 03/14/2007 - 12:30

Even if you could use computer name, how secure would that be if I knew what computer names were allowed access?

robfos123 Thu, 03/15/2007 - 16:09

What kind of DHCP server is in play? I've found the best way is to create a separate scope on the DHCP server and make a rule for that address range, or make an authentication rule for traffic destined for the SQL ports and then supply a username and password to the DB developers.
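The two approaches suggested in the thread (allow the whole DHCP range, or add an authentication rule for the SQL port) put together as an added worked example. This is not configuration from any poster; it is written in PIX 7.x syntax and assumes a hypothetical layout: workstations on the inside interface, the SQL server on a dmz interface at 10.10.10.20, a dedicated DHCP scope 192.168.1.64/26 (192.168.1.64 to 192.168.1.127) reserved for SQL-authorized workstations, SQL Server listening on TCP/1433, and 192.168.1.250 as an unused address for virtual telnet. All names, addresses and the username are illustrative.

```cisco
! Added example, not from the original thread. Addresses and names are assumptions.
! "names" must be enabled before name-to-address mappings are honored in ACLs.
names
name 10.10.10.20 SQL-SERVER
name 192.168.1.64 SQL-CLIENTS
!
! Group the SQL port so the ACL stays readable if more ports (e.g. SQL Browser) are added later.
object-group service SQL-PORTS tcp
  port-object eq 1433
!
! Approach 1: permit only the dedicated DHCP scope (a /26) to reach the SQL server on the SQL ports,
! deny everything else to the SQL server, then fall through to the existing "permit any" policy.
! Order matters: the deny line must precede the final permit.
access-list inside-access extended permit tcp SQL-CLIENTS 255.255.255.192 host SQL-SERVER object-group SQL-PORTS
access-list inside-access extended deny ip any host SQL-SERVER
access-list inside-access extended permit ip any any
access-group inside-access in interface inside
!
! Approach 2: require per-user authentication (cut-through proxy) for SQL traffic.
! The PIX can only prompt for credentials on telnet/ftp/http/https, so for TCP/1433 the user must
! first authenticate against a virtual telnet address; that address is included in the match ACL.
username dbdev password EXAMPLE-ONLY privilege 1
virtual telnet 192.168.1.250
access-list SQL-AUTH extended permit tcp any host 192.168.1.250 eq telnet
access-list SQL-AUTH extended permit tcp any host SQL-SERVER object-group SQL-PORTS
aaa authentication match SQL-AUTH inside LOCAL
```

Two caveats a practitioner would check before relying on either approach: the address range in approach 1 is only as trustworthy as the DHCP server (a host can statically configure an address in that scope, which is acomiskey's point about identity above), and approach 2 grants access for the authenticated host's IP for the uauth timeout, so shorten `timeout uauth` if the workstations are shared. Replace the placeholder password and verify with `show access-list inside-access` that hit counts land on the intended lines.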
