03-23-2007 08:54 AM - edited 03-11-2019 02:51 AM
Basic config question:
If I add an initial access-list rule (no others are defined yet):
access-list outbound permit icmp any any
access-group outbound in interface inside
AND then I want to add another access-list rule:
access-list outbound permit tcp 192.168.0.0 255.255.255.0 any eq www
Do I need to specify the access-group command with each subsequent access-list rule I add to the same ID?
03-23-2007 09:00 AM
No. You do not need to add an access-g command for each access-list statement with the same ID.
access-g applies the access-list to an interface.
Create n number of access-lists with the name "outbound".
Create one access-g command with the same ID and apply it to any one of the interfaces.
Remember, you can apply an access-list, let's say "outbound", on only one interface.
hth
sushil
cisco tac
03-23-2007 10:47 AM
One last question. This is running on a PIX 506 with software version 5.1(2). I am stuck with this version as I do not have the appropriate clearances to download the most recent software as this was purchased pre-owned from a company...
Question:
When I add static commands (to allow access from the outside into a server on my network) do I need to use the correct network netmask or a generic 255.255.255.255 netmask?
Example:
Is this correct:
static (inside,outside) 192.168.254.50 192.168.0.10 netmask 255.255.255.0
OR IS THIS CORRECT:
static (inside,outside) 192.168.254.50 192.168.0.10 netmask 255.255.255.255
03-23-2007 10:56 AM
The second one is correct.
03-23-2007 12:46 PM
Maybe just one more config question:
Server A (IP 192.168.0.50): Front-end MS Exchange Server.
I can add a static command (and appropriate ACLs) as follows to allow access on port 25:
static (inside,outside) 192.168.254.25 192.168.0.50 netmask 255.255.255.255
Then when I go to add another static command to allow POP3 access on the same server as follows:
static (inside,outside) 192.168.254.110 192.168.0.50 netmask 255.255.255.255
I receive the following message:
192.168.0.50: That address already statically translated!
(This server will actually need to be accessible for 3 protocols: SMTP, POP3 and HTTPS-for OWA)
Apparently I am missing something and have searched all my manuals and Google to no avail... Do I combine all 3 protocols into one static command? If so, how do I format the 'eq' portion?
03-23-2007 12:51 PM
Hi,
Let's say the public IP address of this mail server is 1.1.1.1.
Then you need to map 1.1.1.1 to the internal private IP address of the mail server, 192.168.0.50:
static (inside,outside) 1.1.1.1 192.168.0.50 netmask 255.255.255.255
as far as ports are concerned,
here's the config:
access-list out_in permit tcp any host 1.1.1.1 eq 110
access-list out_in permit tcp any host 1.1.1.1 eq 25
access-list out_in permit tcp any host 1.1.1.1 eq 443
access-g out_in in interface outside
So, we created a static mapping of the mail server's public IP to its private IP.
We created access-list entries on the outside interface to permit the ports we need to open.
hth
sushil
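The two answers above come down to two rules: bind an ACL ID to an interface once with access-group, however many entries it has, and give each inside host one static, opening individual ports in the ACL on the outside interface rather than in extra static lines. The following added example (my own, not from the thread or from Cisco) parses a constructed config fragment in the command syntax used in this thread and flags the mistakes discussed: an ACL ID bound more than once on an interface, an ACL with entries but no access-group, a second static for the same inside address, and a host static whose netmask is not 255.255.255.255. It also reports which inside host ends up reachable on which ports, which is a handy check before exposing a mail server. The regexes, the small port-name table and both sample configs are assumptions for the example, not anything the PIX itself provides.

```python
"""Sanity checks for a PIX-style config fragment (added example, not from the thread)."""
import ipaddress
import re
from collections import defaultdict

# Command shapes as written in the thread (PIX 5.x/6.x syntax). Assumed for the example.
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(permit|deny)\s+(\S+)\s+(.+)$")
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+(in|out)\s+interface\s+(\S+)$")
STATIC_RE = re.compile(r"^static\s+\((\S+),(\S+)\)\s+(\S+)\s+(\S+)\s+netmask\s+(\S+)$")
HOST_PORT_RE = re.compile(r"host\s+(\d+\.\d+\.\d+\.\d+)\s+eq\s+(\w+)")
# Subset of the well-known names the PIX accepts in place of port numbers.
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "smtp": 25, "pop3": 110}

# Constructed sample: the mistakes the thread walks through.
THREAD_MISTAKES = """
access-list outbound permit icmp any any
access-group outbound in interface inside
access-list outbound permit tcp 192.168.0.0 255.255.255.0 any eq www
access-group outbound in interface inside
static (inside,outside) 192.168.254.25 192.168.0.50 netmask 255.255.255.255
static (inside,outside) 192.168.254.110 192.168.0.50 netmask 255.255.255.255
static (inside,outside) 192.168.254.50 192.168.0.10 netmask 255.255.255.0
"""

# Constructed sample: the corrected layout, one static plus a per-port outside ACL.
THREAD_ANSWER = """
static (inside,outside) 1.1.1.1 192.168.0.50 netmask 255.255.255.255
access-list out_in permit tcp any host 1.1.1.1 eq 110
access-list out_in permit tcp any host 1.1.1.1 eq 25
access-list out_in permit tcp any host 1.1.1.1 eq 443
access-group out_in in interface outside
"""


def parse(config_text):
    """Split a fragment into ACL entries, access-group bindings and static translations."""
    acls = defaultdict(list)   # acl_id -> [(action, protocol, rest_of_line)]
    groups = []                # (acl_id, direction, interface)
    statics = []               # (high_if, low_if, global_ip, local_ip, netmask)
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if m := ACL_RE.match(line):
            acls[m.group(1)].append((m.group(2), m.group(3), m.group(4)))
        elif m := GROUP_RE.match(line):
            groups.append(m.groups())
        elif m := STATIC_RE.match(line):
            statics.append(m.groups())
    return acls, groups, statics


def check_config(config_text):
    """Return human-readable findings for the mistakes discussed in the thread."""
    acls, groups, statics = parse(config_text)
    findings = []

    # Rule 1: one access-group per ACL ID and interface; entries share the binding.
    bindings = defaultdict(int)
    for acl_id, direction, iface in groups:
        bindings[(acl_id, direction, iface)] += 1
        if acl_id not in acls:
            findings.append(f"access-group binds undefined ACL '{acl_id}' on {iface}")
    for (acl_id, direction, iface), n in bindings.items():
        if n > 1:
            findings.append(f"ACL '{acl_id}' bound {n} times on {iface}; one access-group per ACL ID is enough")
    bound_ids = {acl_id for acl_id, _, _ in groups}
    for acl_id in acls:
        if acl_id not in bound_ids:
            findings.append(f"ACL '{acl_id}' has entries but no access-group; it filters nothing")

    # Rule 2: one static per inside host; the PIX rejects a second translation of the same address.
    globals_for_local = defaultdict(list)
    for _, _, global_ip, local_ip, mask in statics:
        globals_for_local[local_ip].append(global_ip)
        # A single host translated with a network mask is the /24-vs-/32 confusion from the thread.
        net = ipaddress.ip_network(f"{local_ip}/{mask}", strict=False)
        if net.network_address != ipaddress.ip_address(local_ip) and mask != "255.255.255.255":
            findings.append(f"static {global_ip}->{local_ip} uses netmask {mask}; a one-to-one host static needs 255.255.255.255")
    for local_ip, global_ips in globals_for_local.items():
        if len(global_ips) > 1:
            findings.append(f"{local_ip} has {len(global_ips)} statics ({', '.join(global_ips)}); use one static and open ports in the outside ACL")
    return findings


def inside_exposure(config_text):
    """Map each inside host to the ports reachable via its static and the inbound outside ACL."""
    acls, groups, statics = parse(config_text)
    global_to_local = {g: l for _, _, g, l, _ in statics}
    outside_acls = {acl_id for acl_id, direction, iface in groups if iface == "outside" and direction == "in"}
    exposure = defaultdict(set)
    for acl_id in outside_acls:
        for action, proto, rest in acls.get(acl_id, []):
            if action != "permit" or proto not in ("tcp", "udp"):
                continue
            m = HOST_PORT_RE.search(rest)
            if not m or m.group(1) not in global_to_local:
                continue
            port = int(m.group(2)) if m.group(2).isdigit() else PORT_NAMES.get(m.group(2))
            if port is not None:
                exposure[global_to_local[m.group(1)]].add((proto, port))
    return {host: [f"{p}/{n}" for p, n in sorted(ports)] for host, ports in exposure.items()}


if __name__ == "__main__":
    for name, cfg in (("mistakes", THREAD_MISTAKES), ("answer", THREAD_ANSWER)):
        print(f"== {name} ==")
        for f in check_config(cfg) or ["no findings"]:
            print(" -", f)
        print(" exposure:", inside_exposure(cfg))
```

Run against the two constructed fragments, the first reports the duplicated access-group, the duplicate static for 192.168.0.50 and the /24 host static, while the corrected layout reports nothing and shows 192.168.0.50 reachable on tcp/25, tcp/110 and tcp/443 only. The same checks apply unchanged to a larger `show running-config` dump, which is where a redundant access-group or a forgotten /32 is easy to miss by eye.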
03-23-2007 12:52 PM
DOH! I was thinking in the wrong direction!
My deepest gratitude for helping me learn!