access-group every access-list?

Answered Question
Mar 23rd, 2007

Basic config question:

If I add an initial access-list rule (no others are defined yet):

access-list outbound permit icmp any any

access-group outbound in interface inside

AND then I want to add another access-list rule:

access-list outbound permit tcp 192.168.0.0 255.255.255.0 any eq www

Do I need to specify the access-group command with each subsequent access-list rule I add to the same ID?

Correct Answer by suschoud about 9 years 8 months ago

No. You do not need to add the access-g command for each access-list statement with the same id.

access-g applies the access-list to an interface.

Create n number of access-lists with the name outbound.

Create one access-g command with the same id and apply that on any of the interfaces.

Remember, you can apply an access-list, let's say "outbound", on only one interface.

hth

sushil

cisco tac


srberg5219 Fri, 03/23/2007 - 10:47

One last question. This is running on a PIX 506 with software version 5.1(2). I am stuck with this version as I do not have the appropriate clearances to download the most recent software as this was purchased pre-owned from a company...

Question:

When I add static commands (to allow access from the outside into a server on my network) do I need to use the correct network netmask or a generic 255.255.255.255 netmask?

Example:

Is this correct:

static (inside,outside) 192.168.254.50 192.168.0.10 netmask 255.255.255.0

Or is this correct:

static (inside,outside) 192.168.254.50 192.168.0.10 netmask 255.255.255.255

srberg5219 Fri, 03/23/2007 - 12:46

Maybe just one more config question:

Server A (IP 192.168.0.50): Front-end MS Exchange Server.

I can add a static command (and appropriate ACLs) as follows to allow access on port 25:

static (inside,outside) 192.168.254.25 192.168.0.50 netmask 255.255.255.255

Then when I go to add another static command to allow POP3 access on the same server as follows:

static (inside,outside) 192.168.254.110 192.168.0.50 netmask 255.255.255.255

I receive the following message:

192.168.0.50: That address already statically translated!

(This server will actually need to be accessible for 3 protocols: SMTP, POP3 and HTTPS-for OWA)

Apparently I am missing something and have searched all my manuals and Google to no avail... Do I combine all 3 protocols into one static command? If so, how do I format the 'eq' portion?

suschoud Fri, 03/23/2007 - 12:51

Hi,

Let's say the public IP address of this mail server is 1.1.1.1.

Then you need to map 1.1.1.1 to the internal private IP address of the mail server, 192.168.0.50.

static (inside,outside) 1.1.1.1 192.168.0.50 netmask 255.255.255.255

As far as ports are concerned, here's the config:

access-list out_in permit tcp any host 1.1.1.1 eq 110

access-list out_in permit tcp any host 1.1.1.1 eq 25

access-list out_in permit tcp any host 1.1.1.1 eq 443

access-g out_in in interface outside

So, we created a static mapping of the mail server's public IP to its private IP.

We created access-lists on the outside interface to permit the ports we need to open.

hth

sushil
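
The three rules sushil gives in this thread (one access-group per access-list name no matter how many entries it has, an access-list applied on only one interface, and one static translation per inside host) can be checked mechanically before a config is pasted into a PIX. The following Python linter is an added example, not code from the thread or from Cisco; it runs over a constructed config fragment built from the lines posted above, and its host-vs-network netmask check encodes the /32 convention from the second answer rather than anything the PIX documentation states here.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample PIX config fragment assembled from this thread's lines: the /24
# host static and the second static for 192.168.0.50 are the two mistakes discussed.
SAMPLE_CONFIG = """
static (inside,outside) 192.168.254.50 192.168.0.10 netmask 255.255.255.0
static (inside,outside) 1.1.1.1 192.168.0.50 netmask 255.255.255.255
static (inside,outside) 192.168.254.110 192.168.0.50 netmask 255.255.255.255
access-list out_in permit tcp any host 1.1.1.1 eq 25
access-list out_in permit tcp any host 1.1.1.1 eq 110
access-list out_in permit tcp any host 1.1.1.1 eq 443
access-list outbound permit icmp any any
access-list outbound permit tcp 192.168.0.0 255.255.255.0 any eq www
access-group out_in in interface outside
access-group outbound in interface inside
"""

STATIC_RE = re.compile(r"^static \(\S+,\S+\) (\S+) (\S+) netmask (\S+)$")
ACL_RE = re.compile(r"^access-list (\S+) ")
GROUP_RE = re.compile(r"^access-group (\S+) (?:in|out) interface (\S+)$")


def is_network_address(ip, mask):
    # True when ip has no host bits under mask, i.e. a non-/32 static is a net static.
    return str(ipaddress.ip_network(f"{ip}/{mask}", strict=False).network_address) == ip


def lint_pix_config(text):
    findings, statics = [], {}             # statics: local (inside) address -> global
    ace_count, bindings = defaultdict(int), defaultdict(list)   # keyed by ACL name
    for line in (l.strip() for l in text.splitlines()):
        if m := STATIC_RE.match(line):
            global_ip, local_ip, mask = m.groups()
            if local_ip in statics:        # the exact message the PIX prints
                findings.append(f"{local_ip}: That address already statically translated!")
            statics[local_ip] = global_ip
            if mask != "255.255.255.255" and not (is_network_address(global_ip, mask)
                                                   and is_network_address(local_ip, mask)):
                findings.append(f"static {global_ip} -> {local_ip}: host mapping needs netmask 255.255.255.255, not {mask}")
        elif m := ACL_RE.match(line):
            ace_count[m.group(1)] += 1
        elif m := GROUP_RE.match(line):
            bindings[m.group(1)].append(m.group(2))
    for name, n in ace_count.items():      # one access-group per ACL name, one interface
        if not bindings[name]:
            findings.append(f"access-list {name} ({n} entries) is never applied with access-group")
        elif len(bindings[name]) > 1:
            findings.append(f"access-list {name} is applied on more than one interface: {bindings[name]}")
    return findings
```

Running `lint_pix_config(SAMPLE_CONFIG)` reports the /24 host static and the duplicate static for 192.168.0.50, and stays silent for the two access-lists because each is bound exactly once.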

srberg5219 Fri, 03/23/2007 - 12:52

DOH! I was thinking in the wrong direction!

My deepest gratitude for helping me learn!
