access-group every access-list?

Mar 23rd, 2007

Basic config question:


If I add an initial access-list rule (no others are defined yet):

access-list outbound permit icmp any any

access-group outbound in interface inside


AND then I want to add another access-list rule:

access-list outbound permit tcp 192.168.0.0 255.255.255.0 any eq www


Do I need to specify the access-group command with each subsequent access-list rule I add to the same ID?

Correct Answer by suschoud, Fri, 03/23/2007 - 09:00

No. You do not need to add the access-g command for each access-list statement with the same id.


access-g applies the access-list on an interface.


Create n number of access-lists with the name of outbound.


Create one access-g command with the same id and apply that on any of the interfaces.


Remember, you can apply an access-list, let's say "outbound", on only one interface.


hth

sushil

cisco tac

srberg5219 Fri, 03/23/2007 - 10:47

One last question. This is running on a PIX 506 with software version 5.1(2). I am stuck with this version as I do not have the appropriate clearances to download the most recent software as this was purchased pre-owned from a company...


Question:

When I add static commands (to allow access from the outside into a server on my network) do I need to use the correct network netmask or a generic 255.255.255.255 netmask?


Example:

Is this correct:

static (inside,outside) 192.168.254.50 192.168.0.10 netmask 255.255.255.0


OR IS THIS CORRECT:


static (inside,outside) 192.168.254.50 192.168.0.10 netmask 255.255.255.255




suschoud Fri, 03/23/2007 - 10:56

The second one is correct.



srberg5219 Fri, 03/23/2007 - 12:46

Maybe just one more config question:


Server A (IP 192.168.0.50): Front-end MS Exchange Server.


I can add a static command (and appropriate ACLs) as follows to allow access on port 25:

static (inside,outside) 192.168.254.25 192.168.0.50 netmask 255.255.255.255


Then when I go to add another static command to allow POP3 access on the same server as follows:

static (inside,outside) 192.168.254.110 192.168.0.50 netmask 255.255.255.255


I receive the following message:

192.168.0.50: That address already statically translated!


(This server will actually need to be accessible for 3 protocols: SMTP, POP3 and HTTPS for OWA.)


Apparently I am missing something and have searched all my manuals and Google to no avail... Do I combine all 3 protocols into one static command? If so, how do I format the 'eq' portion?

suschoud Fri, 03/23/2007 - 12:51

hi,


Let's say the public IP address of this mail server is 1.1.1.1.


Then you need to map 1.1.1.1 to the internal private IP address of the mail server, 192.168.0.50.


static (inside,outside) 1.1.1.1 192.168.0.50 netmask 255.255.255.255


As far as ports are concerned, here's the config:


access-list out_in permit tcp any host 1.1.1.1 eq 110


access-list out_in permit tcp any host 1.1.1.1 eq 25


access-list out_in permit tcp any host 1.1.1.1 eq 443



access-g out_in in interface outside



So, we created a static mapping of the public IP of the mail server to its private IP.


We created access-lists on the outside interface to permit the ports we need to open.


hth


sushil
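The two answers in this thread describe how the PIX treats these commands: every access-list line with the same id is appended to one list, a single access-group binds that list to one interface, and a static is a one-to-one mapping that can exist only once per inside host, with the ports opened by access-list entries rather than by the static. The Python model below is added here as an illustration; it is not Cisco code and not something from this thread. It replays the exact lines quoted above through a small parser and a first-match evaluator. The Pix class and its methods, the rejected second static and second access-group lines, and the sample addresses 192.168.0.7 and 203.0.113.9 are all constructed for the example.

```python
"""Toy model of the PIX commands quoted in this thread (a constructed illustration,
not Cisco code): 'access-list <id>' lines append to one list, one 'access-group'
binds that list to one interface, a 'static' is a one-to-one NAT allowed once per
inside host, and lookups are first-match with an implicit deny at the end."""
import ipaddress
from collections import namedtuple
from dataclasses import dataclass, field

PORT_NAMES = {"www": 80, "smtp": 25, "pop3": 110, "https": 443}
# One ACL entry: action (permit/deny), proto, src net, dst net, dport (None = any)
Ace = namedtuple("Ace", "action proto src dst dport")


def _take_addr(tokens):
    """Consume one PIX address spec: 'any', 'host A', or 'A MASK'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


@dataclass
class Pix:
    acls: dict = field(default_factory=dict)      # id -> [Ace, ...]
    bindings: dict = field(default_factory=dict)  # id -> interface
    statics: dict = field(default_factory=dict)   # inside ip -> public ip

    def configure(self, line: str) -> None:
        words = line.split()
        if words[0] == "access-list":
            _, acl_id, action, proto, *rest = words
            src, rest = _take_addr(rest)
            dst, rest = _take_addr(rest)
            dport = (PORT_NAMES.get(rest[1]) or int(rest[1])) if rest and rest[0] == "eq" else None
            # Same id: appended to the same list, no new access-group needed.
            self.acls.setdefault(acl_id, []).append(Ace(action, proto, src, dst, dport))
        elif words[0] in ("access-group", "access-g"):  # the thread uses both spellings
            _, acl_id, _direction, _kw, iface = words
            bound = self.bindings.get(acl_id)
            if bound is not None and bound != iface:
                raise ValueError(f"access-list {acl_id} is already applied to {bound}")
            self.bindings[acl_id] = iface
        elif words[0] == "static":
            _, _ifaces, public_ip, inside_ip, _kw, _mask = words
            if inside_ip in self.statics:  # message text as quoted by the poster
                raise ValueError(f"{inside_ip}: That address already statically translated!")
            self.statics[inside_ip] = public_ip
        else:
            raise ValueError(f"unsupported command: {line}")

    def permits(self, acl_id, proto, src, dst, dport=None) -> bool:
        """First matching entry decides; no match means the implicit deny."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for ace in self.acls.get(acl_id, []):
            if ace.proto not in ("ip", proto) or s not in ace.src or d not in ace.dst:
                continue
            if ace.dport is not None and ace.dport != dport:
                continue
            return ace.action == "permit"
        return False

    def inside_host_for(self, public_ip):
        """Reverse the static: which inside host does this public IP reach?"""
        return next((i for i, p in self.statics.items() if p == public_ip), None)


def thread_example() -> dict:
    """Replay the thread's own lines, then two constructed lines the box rejects."""
    pix = Pix()
    for line in [
        "access-list outbound permit icmp any any",
        "access-group outbound in interface inside",
        "access-list outbound permit tcp 192.168.0.0 255.255.255.0 any eq www",
        "static (inside,outside) 1.1.1.1 192.168.0.50 netmask 255.255.255.255",
        "access-list out_in permit tcp any host 1.1.1.1 eq 110",
        "access-list out_in permit tcp any host 1.1.1.1 eq 25",
        "access-list out_in permit tcp any host 1.1.1.1 eq 443",
        "access-g out_in in interface outside",
    ]:
        pix.configure(line)
    rejected = {}
    for key, bad in [("second_static", "static (inside,outside) 1.1.1.2 192.168.0.50 netmask 255.255.255.255"),
                     ("second_bind", "access-group outbound in interface dmz")]:
        try:
            pix.configure(bad)
            rejected[key] = "accepted"
        except ValueError as err:
            rejected[key] = str(err)
    lan, net = "192.168.0.7", "203.0.113.9"  # constructed sample hosts
    return {
        "outbound_entries": len(pix.acls["outbound"]),
        "lan_www_out": pix.permits("outbound", "tcp", lan, net, 80),
        "lan_ssh_out": pix.permits("outbound", "tcp", lan, net, 22),
        "mail_pop3_in": pix.permits("out_in", "tcp", net, "1.1.1.1", 110),
        "mail_rdp_in": pix.permits("out_in", "tcp", net, "1.1.1.1", 3389),
        "public_to_inside": pix.inside_host_for("1.1.1.1"),
        **rejected,
    }
```

Calling thread_example() shows the second access-list line landing in the same two-entry "outbound" list without a second access-group, the "out_in" list admitting only the three listed ports to 1.1.1.1 while anything else hits the implicit deny, and the second static for 192.168.0.50 failing with the same message the poster saw, because the single static already maps that host and the per-port control belongs in the access-list.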




srberg5219 Fri, 03/23/2007 - 12:52

DOH! I was thinking in the wrong direction!


My deepest gratitude for helping me learn!
