03-23-2007 08:54 AM - edited 03-11-2019 02:51 AM
Basic config question:
If I add an initial access-list rule (no others are defined yet):
access-list outbound permit icmp any any
access-group outbound in interface inside
AND then I want to add another access-list rule:
access-list outbound permit tcp 192.168.0.0 255.255.255.0 any eq www
Do I need to specify the access-group command with each subsequent access-list rule I add to the same ID?
03-23-2007 09:00 AM
No. You do not need to add the access-g command for each access-list statement with the same id.
access-g applies the access-list on an interface.
Create n number of access-lists with the name of outbound.
Create one access-g command with the same id and apply that on any of the interfaces.
Remember, you can apply an access-list, let's say "outbound", on only one interface.
hth
sushil
cisco tac
03-23-2007 10:47 AM
One last question. This is running on a PIX 506 with software version 5.1(2). I am stuck with this version as I do not have the appropriate clearances to download the most recent software as this was purchased pre-owned from a company...
Question:
When I add static commands (to allow access from the outside into a server on my network) do I need to use the correct network netmask or a generic 255.255.255.255 netmask?
Example:
Is this correct:
static (inside,outside) 192.168.254.50 192.168.0.10 netmask 255.255.255.0
OR IS THIS CORRECT:
static (inside,outside) 192.168.254.50 192.168.0.10 netmask 255.255.255.255
03-23-2007 10:56 AM
the second one is correct.
03-23-2007 12:46 PM
Maybe just one more config question:
Server A (IP 192.168.0.50): Front-end MS Exchange Server.
I can add a static command (and appropriate ACLs) as follows to allow access on port 25:
static (inside,outside) 192.168.254.25 192.168.0.50 netmask 255.255.255.255
Then when I go to add another static command to allow POP3 access on the same server as follows:
static (inside,outside) 192.168.254.110 192.168.0.50 netmask 255.255.255.255
I receive the following message:
192.168.0.50: That address already statically translated!
(This server will actually need to be accessible for 3 protocols: SMTP, POP3 and HTTPS-for OWA)
Apparently I am missing something and have searched all my manuals and Google to no avail... Do I combine all 3 protocols into one static command? If so, how do I format the 'eq' portion?
03-23-2007 12:51 PM
Hi,
Let's say the public ip address of this mail server is 1.1.1.1.
Then you need to map 1.1.1.1 to the internal private ip address of the mail server, 192.168.0.50.
static (inside,outside) 1.1.1.1 192.168.0.50 netmask 255.255.255.255
As far as ports are concerned, here's the config:
access-list out_in permit tcp any host 1.1.1.1 eq 110
access-list out_in permit tcp any host 1.1.1.1 eq 25
access-list out_in permit tcp any host 1.1.1.1 eq 443
access-g out_in in interface outside
So, we created a static mapping from the public ip of the mail server to its private ip.
We created access-lists on the outside interface to permit the ports we need to open.
hth
sushil
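The three rules the answers above rely on (one static per inside host, ports opened in the ACL rather than in extra statics, one access-group binding per ACL id, and a host static with a 255.255.255.255 netmask) can be checked before pasting a config into the box. The following script is an added example, not code from the thread or from Cisco; the sample config is constructed and deliberately repeats the mistakes discussed in this thread, and the checks assume the PIX 5.x syntax shown above.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the PIX syntax used in the thread; it repeats three mistakes discussed above.
SAMPLE = """\
static (inside,outside) 192.168.254.50 192.168.0.10 netmask 255.255.255.0
static (inside,outside) 1.1.1.1 192.168.0.50 netmask 255.255.255.255
static (inside,outside) 1.1.1.2 192.168.0.50 netmask 255.255.255.255
access-list out_in permit tcp any host 1.1.1.1 eq 25
access-list out_in permit tcp any host 1.1.1.1 eq 110
access-list out_in permit tcp any host 1.1.1.1 eq 443
access-group out_in in interface outside
access-group out_in in interface dmz
access-group nosuch in interface inside
"""

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)$")
ACL_RE = re.compile(r"^access-list (\S+) (permit|deny) ")
GROUP_RE = re.compile(r"^access-group (\S+) (in|out) interface (\S+)$")

def aligned(ip, mask):
    """True if ip is a single host (/32) or the network address of ip/mask."""
    net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    return net.prefixlen == 32 or ipaddress.ip_address(ip) == net.network_address

def check_config(text):
    """Return a list of findings for a PIX-style config; an empty list means clean."""
    findings, statics, acls, groups = [], [], set(), []
    for line in (l.strip() for l in text.splitlines()):
        if m := STATIC_RE.match(line):
            glob, local, mask = m.group(3), m.group(4), m.group(5)
            statics.append((glob, local))
            if not (aligned(glob, mask) and aligned(local, mask)):
                findings.append(f"static {glob} -> {local}: netmask {mask} is not a host mask; use 255.255.255.255")
        elif m := ACL_RE.match(line):
            acls.add(m.group(1))
        elif m := GROUP_RE.match(line):
            groups.append((m.group(1), m.group(3)))
    # One static per inside host: a second one gives "already statically translated".
    for local, n in Counter(l for _, l in statics).items():
        if n > 1:
            findings.append(f"{local} has {n} static entries; keep one and open ports in the ACL")
    # An access-list id is bound to a single interface by a single access-group line.
    for acl_id, n in Counter(a for a, _ in groups).items():
        if n > 1:
            findings.append(f"ACL {acl_id} is applied to {n} interfaces; it may be bound to only one")
    for acl_id, iface in groups:
        if acl_id not in acls:
            findings.append(f"access-group binds {acl_id} to {iface} but no such access-list exists")
    return findings
```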
03-23-2007 12:52 PM
DOH! I was thinking in the wrong direction!
My deepest gratitude for helping me learn!