03-14-2007 07:43 AM - edited 03-11-2019 02:46 AM
Hello,
I have a question about configuring an access list. Can you use computer names instead of IP addresses? We have a PIX in front of our SQL servers, and workstation PCs that need to access the SQL servers are assigned DHCP addresses.
03-14-2007 07:54 AM
Hi,
If you want to use a computer name, you need to configure the same in the PIX.
Example:
name 207.17.34.0 RediPlus2
name 216.35.59.0 RediPlus1
name 192.168.1.12 Themis02
name 1.1.1.1 abc
name 10.12.252.11 TACACS-2.6
Use these names in the access-list.
Hope this helps.
Regards,
Sushil
03-14-2007 07:54 AM
Hello.
Yes, you can, but you need to give the IP address a name first. Here's an example:
pixfirewall(config)# int e1
pixfirewall(config-if)# ip address 192.168.1.1
pixfirewall(config-if)# no shut
pixfirewall(config-if)# duplex full
pixfirewall(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ICMP: icmp_open Entry for context 0
pixfirewall(config-if)# exit
pixfirewall(config)#
pixfirewall(config)# name 192.168.1.100 SQL-SERVER
pixfirewall(config)# access-list inside-access permit ip host SQL-SERVER any
pixfirewall(config)# access-group inside-access in interface inside
pixfirewall(config)#
pixfirewall(config)#
I hope this helps.
03-14-2007 12:20 PM
That helps a little bit, but I have to give DHCP clients access to a SQL server behind the PIX.
What if the IP on the client changes? Then I have to log in and change it on the PIX too.
03-14-2007 12:25 PM
OK, please clarify.
On which interface of the PIX do we have the SQL server?
On which interface of the PIX do we have the workstations?
Which code are you running on this PIX?
Also, please post the following:
sh nat (if code is 6.x)
sh run nat (if code is 7.x)
sh glo (if code is 6.x)
sh run glo (if code is 7.x)
sh static (if code is 6.x)
sh run static (if code is 7.x)
---------
03-14-2007 12:25 PM
If all the clients in the DHCP pool have access, then just allow the whole network.
03-14-2007 12:28 PM
Not all should have access, only about 30 clients.
03-14-2007 12:30 PM
Even if you could use computer name, how secure would that be if I knew what computer names were allowed access?
03-15-2007 04:09 PM
What kind of DHCP server is in play? I've found the best way is to create a separate scope on the DHCP server and make a rule for the address range, or make an authentication rule for traffic destined for SQL ports, then supply a username and password to the DB developers.
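The separate-scope approach from the last reply, sketched as PIX configuration. This is an added example, not part of the original thread. Assumptions: the workstations sit on 192.168.1.0/24 behind the interface named `inside`, the roughly 30 permitted clients get leases from a dedicated scope 192.168.1.64/27, the SQL server address 10.10.10.10 is constructed, the SQL listener is TCP 1433 (the Microsoft SQL Server default), and NAT between the interfaces is already in place.

```cisco
: Constructed addresses throughout; adjust to the real network.
names
name 10.10.10.10 SQL-SERVER
: Too broad for this case: every DHCP client on the subnet reaches the SQL port.
: access-list inside-access permit tcp 192.168.1.0 255.255.255.0 host SQL-SERVER eq 1433
: Tighter: only the dedicated scope 192.168.1.64/27 (hosts .65 to .94, 30 addresses).
access-list inside-access permit tcp 192.168.1.64 255.255.255.224 host SQL-SERVER eq 1433
: All other hosts on the workstation subnet are refused the SQL port explicitly.
access-list inside-access deny tcp 192.168.1.0 255.255.255.0 host SQL-SERVER eq 1433
: Assumption: other traffic from the subnet was unrestricted before and stays that way.
access-list inside-access permit ip 192.168.1.0 255.255.255.0 any
access-group inside-access in interface inside
```

The rule matches on source address only, so it is as strong as the control over which machines receive a lease in that scope. The authentication rule mentioned in the same reply addresses the case where the address alone is not trusted.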