access-group every access-list?

srberg5219 (Level 1)

Basic config question:

If I have added an initial access-list rule (no others are defined yet):

access-list outbound permit icmp any any

access-group outbound in interface inside

AND then I want to add another access-list rule:

access-list outbound permit tcp 192.168.0.0 255.255.255.0 any eq www

Do I need to specify the access-group command with each subsequent access-list rule I add to the same ID?

Accepted Solution

suschoud (Cisco Employee)

No, you do not need to add the access-group command for each access-list statement with the same ID.

access-group applies the access-list to an interface.

Create any number of access-list entries with the name outbound.

Create one access-group command with the same ID and apply it to one of the interfaces.

Remember, you can apply an access-list (let's say "outbound") on only one interface.

HTH

sushil

Cisco TAC

6 Replies


One last question. This is running on a PIX 506 with software version 5.1(2). I am stuck with this version as I do not have the appropriate clearances to download the most recent software as this was purchased pre-owned from a company...

Question:

When I add static commands (to allow access from the outside into a server on my network) do I need to use the correct network netmask or a generic 255.255.255.255 netmask?

Example:

Is this correct:

static (inside,outside) 192.168.254.50 192.168.0.10 netmask 255.255.255.0

OR IS THIS CORRECT:

static (inside,outside) 192.168.254.50 192.168.0.10 netmask 255.255.255.255

The second one is correct.

Maybe just one more config question:

Server A (IP 192.168.0.50): Front-end MS Exchange Server.

I can add a static command (and appropriate ACLs) as follows to allow access on port 25:

static (inside,outside) 192.168.254.25 192.168.0.50 netmask 255.255.255.255

Then when I go to add another static command to allow POP3 access on the same server as follows:

static (inside,outside) 192.168.254.110 192.168.0.50 netmask 255.255.255.255

I receive the following message:

192.168.0.50: That address already statically translated!

(This server will actually need to be accessible for 3 protocols: SMTP, POP3 and HTTPS-for OWA)

Apparently I am missing something and have searched all my manuals and Google to no avail...Do I combine all 3 protocols into one static command? If so, how do I format the 'eq' portion?

Hi,

Let's say the public IP address of this mail server is 1.1.1.1.

Then you need to map 1.1.1.1 to the internal private IP address of the mail server, 192.168.0.50:

static (inside,outside) 1.1.1.1 192.168.0.50 netmask 255.255.255.255

As far as ports are concerned, here's the config:

access-list out_in permit tcp any host 1.1.1.1 eq 110

access-list out_in permit tcp any host 1.1.1.1 eq 25

access-list out_in permit tcp any host 1.1.1.1 eq 443

access-group out_in in interface outside

So, we created a static mapping the public IP of the mail server to its private IP.

We created access-list entries, applied on the outside interface, to permit the ports we need to open.

HTH

Sushil
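The two answers above rest on a handful of rules: access-list lines sharing an ID form one ordered list, a single access-group binds that list to an interface, an access-list goes on only one interface, a host static uses the 255.255.255.255 netmask, a local address may appear in only one static (otherwise the "already statically translated" error), and the permitted ports live in the ACL on the outside interface, not in the static. The following Python linter is an added example, not code from the thread or from Cisco; it checks those rules over a constructed sample config that reuses the thread's commands plus two deliberate mistakes (a second access-group for "outbound", a second static for 192.168.0.50) and one hypothetical access-group ("dmz_in") with no entries.

```python
"""Lint a PIX-style config for the rules discussed in the thread (added example)."""
import re
from collections import defaultdict

# Constructed sample config: the thread's commands plus deliberate mistakes.
# The second "access-group outbound", the second static for 192.168.0.50 and
# the "dmz_in" group are hypothetical, added here to trigger the checks.
SAMPLE_CONFIG = """\
access-list outbound permit icmp any any
access-list outbound permit tcp 192.168.0.0 255.255.255.0 any eq www
access-group outbound in interface inside
access-group outbound in interface dmz
static (inside,outside) 1.1.1.1 192.168.0.50 netmask 255.255.255.255
static (inside,outside) 1.1.1.2 192.168.0.50 netmask 255.255.255.255
access-list out_in permit tcp any host 1.1.1.1 eq 110
access-list out_in permit tcp any host 1.1.1.1 eq 25
access-list out_in permit tcp any host 1.1.1.1 eq 443
access-group out_in in interface outside
access-group dmz_in in interface dmz
"""

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(permit|deny)\s+(.*)$")
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+(in|out)\s+interface\s+(\S+)$")
STATIC_RE = re.compile(r"^static\s+\((\S+),(\S+)\)\s+(\S+)\s+(\S+)\s+netmask\s+(\S+)$")


def parse_config(text):
    """Group ACL entries by ID (config order kept), collect access-group
    bindings and static translations."""
    acls = defaultdict(list)    # ACL name -> ["permit ...", ...]
    groups = defaultdict(list)  # ACL name -> [(direction, interface), ...]
    statics = []                # (real_if, mapped_if, global_ip, local_ip, mask)
    for raw in text.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            acls[m.group(1)].append(f"{m.group(2)} {m.group(3)}")
        elif m := GROUP_RE.match(line):
            groups[m.group(1)].append((m.group(2), m.group(3)))
        elif m := STATIC_RE.match(line):
            statics.append(m.groups())
    return acls, groups, statics


def lint(text):
    """Return human-readable findings for the rules stated in the replies."""
    acls, groups, statics = parse_config(text)
    findings = []
    for name, bindings in groups.items():
        if name not in acls:  # access-group must reference an existing list
            findings.append(f"access-group {name}: no access-list entries with that ID")
        if len(bindings) > 1:  # one access-list, one interface
            ifaces = ", ".join(iface for _, iface in bindings)
            findings.append(f"access-list {name} applied to several interfaces: {ifaces}")
    for name in acls:
        if name not in groups:  # a list nobody applies filters nothing
            findings.append(f"access-list {name} is never applied with access-group")
    by_local = defaultdict(list)
    for _real_if, _mapped_if, global_ip, local_ip, mask in statics:
        by_local[local_ip].append(global_ip)
        if mask != "255.255.255.255":  # host static needs the all-ones mask
            findings.append(f"static {global_ip} -> {local_ip}: netmask {mask} is not a host mask")
    for local_ip, global_ips in by_local.items():
        if len(global_ips) > 1:  # the error the original poster hit
            findings.append(f"{local_ip}: That address already statically translated! "
                            f"({', '.join(global_ips)})")
    return findings


def exposed_services(text):
    """For each static, list the tcp/udp ports the inbound ACL on the mapped
    interface permits to its global address: the ports live in the ACL, the
    static itself carries none."""
    acls, groups, statics = parse_config(text)
    inbound_acl = {iface: name for name, b in groups.items() for d, iface in b if d == "in"}
    result = {}
    for _real_if, mapped_if, global_ip, local_ip, _mask in statics:
        ports = []
        for rule in acls.get(inbound_acl.get(mapped_if, ""), []):
            m = re.match(rf"permit (tcp|udp) \S+ host {re.escape(global_ip)} eq (\S+)$", rule)
            if m:
                ports.append(f"{m.group(1)}/{m.group(2)}")
        result[(global_ip, local_ip)] = ports
    return result


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print("FINDING:", finding)
    for (global_ip, local_ip), ports in exposed_services(SAMPLE_CONFIG).items():
        print(f"{global_ip} -> {local_ip}: {', '.join(ports) or 'nothing permitted'}")
```

Run it against a saved `show run` instead of SAMPLE_CONFIG to spot a static that exposes a host to which no ACL entry grants anything, or an ACL whose entries exist but were never bound with access-group.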

DOH! I was thinking in the wrong direction!

My deepest gratitude for helping me learn!
