Pix - Allowing ranges from 3 ips

Unanswered Question
Aug 24th, 2007

We have a PIX firewall (external_ip) that is working perfectly. The problem is that we need to allow certain ports to a workstation (work_ip) from only 3 IPs from a different company (outside_ip1,2,3).

The ports that need to be allowed to this workstation are 28000-28500 and 990. I have listed the commands I think should do it; any feedback or suggestions would be great.


access-list outside-inbound permit tcp host outside_ip1 host external_ip eq 990
access-list outside-inbound permit tcp host outside_ip2 host external_ip eq 990
access-list outside-inbound permit tcp host outside_ip3 host external_ip eq 990

access-list outside-inbound permit tcp host outside_ip1 host external_ip range 28000 28500
access-list outside-inbound permit tcp host outside_ip2 host external_ip range 28000 28500
access-list outside-inbound permit tcp host outside_ip3 host external_ip range 28000 28500

static (inside,outside) tcp external_ip 990 work_ip 990 netmask 255.255.255.255 0 0
static (inside,outside) tcp external_ip 28000-28500 work_ip 28000-28500 netmask 255.255.255.255 0 0


metalcoat Fri, 08/24/2007 - 07:13

Apparently I won't be able to use the static command for port ranges. I am very new to this.

acomiskey Fri, 08/24/2007 - 07:19

Since you're forwarding all the ports to the same server, you can do this...


access-list outside-inbound permit tcp host outside_ip1 host external_ip eq 990
access-list outside-inbound permit tcp host outside_ip2 host external_ip eq 990
access-list outside-inbound permit tcp host outside_ip3 host external_ip eq 990

access-list outside-inbound permit tcp host outside_ip1 host external_ip range 28000 28500
access-list outside-inbound permit tcp host outside_ip2 host external_ip range 28000 28500
access-list outside-inbound permit tcp host outside_ip3 host external_ip range 28000 28500

static (inside,outside) interface work_ip netmask 255.255.255.255


Please rate helpful posts.

metalcoat Mon, 08/27/2007 - 10:54

After trying that last command, it blocks all access to the internet from the rest of the workstations. Maybe a less wide static statement?

acomiskey Mon, 08/27/2007 - 11:08

I'm sorry but are you saying that after you enter the static command that inside workstations cannot access the internet?



metalcoat Mon, 08/27/2007 - 11:38

Correct, it's one workstation that I am routing all the information from those ports to. When the last command (static) is entered, it seems that all information from all ports is forwarded there. At least that's what I think is happening. I plan on testing the equipment anyway today; I will post back on my findings. Thank you for the quick replies.

acomiskey Mon, 08/27/2007 - 12:07

If you get a chance, post a sanitized config for us to look at. Thanks.
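A complete configuration for the requirement in this thread, added here as an example; it is not one of the posted replies and not the original poster's config. The interface names, the access-group binding, the nat/global lines and the second public address secondary_ip are assumptions. It sidesteps the port-range problem by giving the workstation its own public address with a one-to-one static (a tcp static on the PIX takes a single port, so 28000-28500 would otherwise need one static line per port), keeps the three-source restriction in the ACL, and leaves the outside interface address free for the other workstations' outbound PAT (PIX 6.3 / 7.x syntax, pre-8.3 NAT model, where the ACL references the translated public address):

```cisco
! Assumed: outbound PAT for every inside host through the outside interface address.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! Assumed: secondary_ip is a spare public address in the outside subnet used only
! for the workstation. A one-to-one static carries every port, so no per-port
! or port-range static is required, and it does not touch the interface address.
static (inside,outside) secondary_ip work_ip netmask 255.255.255.255

! Only the three partner hosts, only to port 990 and 28000-28500, only to the
! workstation's public address. range takes two space-separated ports.
! Everything else arriving on outside falls to the implicit deny.
access-list outside-inbound permit tcp host outside_ip1 host secondary_ip eq 990
access-list outside-inbound permit tcp host outside_ip2 host secondary_ip eq 990
access-list outside-inbound permit tcp host outside_ip3 host secondary_ip eq 990
access-list outside-inbound permit tcp host outside_ip1 host secondary_ip range 28000 28500
access-list outside-inbound permit tcp host outside_ip2 host secondary_ip range 28000 28500
access-list outside-inbound permit tcp host outside_ip3 host secondary_ip range 28000 28500

! The ACL has no effect until it is applied to the interface. The original
! post does not show this line.
access-group outside-inbound in interface outside
```

Two checks worth making on the thread's own commands. First, `static (inside,outside) interface work_ip netmask 255.255.255.255` is a non-port static that maps the entire outside interface address to work_ip; static translations take precedence over the nat/global pair, so with `global (outside) 1 interface` in place the other inside hosts lose the address they were being PATed to, which matches the outage reported above. If a second public address is not available, the alternative is a per-port static per forwarded port, `static (inside,outside) tcp interface 990 work_ip 990 netmask 255.255.255.255`, repeated for each port, with the ACL destination set to external_ip. Second, after applying, confirm the exposure is no wider than intended with `show access-list outside-inbound` (hit counts per line) and `show xlate`, and test from a fourth, unlisted source address that ports 990 and 28000-28500 are refused.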
