Pix - Allowing ranges from 3 ips

Unanswered Question
Aug 24th, 2007

We have a pix firewall (external_ip) that is working perfectly. The problem is that we need to allow certain ports to a workstation (work_ip) from only 3 ips from a different company (outside_ip1,2,3).

The ports that need to be allowed to this workstation are 28000-28500 and 990. I have listed the commands I think should do it, any feedback or suggestions would be great.

access-list outside-inbound permit tcp host outside_ip1 host external_ip eq 990
access-list outside-inbound permit tcp host outside_ip2 host external_ip eq 990
access-list outside-inbound permit tcp host outside_ip3 host external_ip eq 990
access-list outside-inbound permit tcp host outside_ip1 host external_ip range 28000-28500
access-list outside-inbound permit tcp host outside_ip2 host external_ip range 28000-28500
access-list outside-inbound permit tcp host outside_ip3 host external_ip range 28000-28500
static (inside,outside) tcp external_ip 990 work_ip 990 netmask 255.255.255.255 0 0
static (inside,outside) tcp external_ip 28000-28500 work_ip 28000-28500 netmask 255.255.255.255 0 0

metalcoat Fri, 08/24/2007 - 07:13

Apparently I won't be able to use the static command for port ranges. I am very new to this.

acomiskey Fri, 08/24/2007 - 07:19

Since you're forwarding all the ports to the same server you can do this...

access-list outside-inbound permit tcp host outside_ip1 host external_ip eq 990
access-list outside-inbound permit tcp host outside_ip2 host external_ip eq 990
access-list outside-inbound permit tcp host outside_ip3 host external_ip eq 990
access-list outside-inbound permit tcp host outside_ip1 host external_ip range 28000-28500
access-list outside-inbound permit tcp host outside_ip2 host external_ip range 28000-28500
access-list outside-inbound permit tcp host outside_ip3 host external_ip range 28000-28500
static (inside,outside) interface work_ip netmask 255.255.255.255

Please rate helpful posts.
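The six access-list entries are identical in the question and in acomiskey's reply, so one added example covers both. It is not code from the thread: it parses those entries and evaluates candidate connections the way a PIX does, top down, first match wins, and an implicit deny for anything left over, which is what confines the two port ranges to exactly three source hosts. The addresses are constructed RFC 5737 stand-ins for the placeholders outside_ip1..3 and external_ip.

```python
"""Evaluate the thread's PIX access-list the way the firewall does: entries are
checked top-down, the first match decides, and anything unmatched hits the
implicit deny at the end. Added example, not from the thread. The addresses
are constructed RFC 5737 stand-ins for the placeholders outside_ip1..3 and
external_ip."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed stand-ins for the thread's placeholder names.
OUTSIDE_IP1, OUTSIDE_IP2, OUTSIDE_IP3 = "198.51.100.11", "198.51.100.12", "198.51.100.13"
EXTERNAL_IP = "203.0.113.10"

# The six entries posted in the thread, placeholders substituted.
ACL_TEXT = f"""
access-list outside-inbound permit tcp host {OUTSIDE_IP1} host {EXTERNAL_IP} eq 990
access-list outside-inbound permit tcp host {OUTSIDE_IP2} host {EXTERNAL_IP} eq 990
access-list outside-inbound permit tcp host {OUTSIDE_IP3} host {EXTERNAL_IP} eq 990
access-list outside-inbound permit tcp host {OUTSIDE_IP1} host {EXTERNAL_IP} range 28000-28500
access-list outside-inbound permit tcp host {OUTSIDE_IP2} host {EXTERNAL_IP} range 28000-28500
access-list outside-inbound permit tcp host {OUTSIDE_IP3} host {EXTERNAL_IP} range 28000-28500
"""


@dataclass
class Ace:
    """One access-control entry of the list."""
    name: str
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    ports: Tuple[int, int]  # inclusive destination port range; (1, 65535) when unspecified
    text: str               # the original line, reported back on a match


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume 'host A', 'any' or 'NET MASK' (PIX uses a subnet mask, not a wildcard)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1]), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def _parse_ports(tokens: List[str], i: int) -> Tuple[int, int]:
    """Consume an optional 'eq N' / 'range LO HI' operator; no operator means any port.
    The thread writes 'range 28000-28500'; the PIX CLI itself takes 'range 28000 28500'.
    Both spellings are accepted here."""
    if i >= len(tokens):
        return (1, 65535)
    if tokens[i] == "eq":
        port = int(tokens[i + 1])
        return (port, port)
    if tokens[i] == "range":
        if "-" in tokens[i + 1]:
            lo, hi = (int(p) for p in tokens[i + 1].split("-"))
        else:
            lo, hi = int(tokens[i + 1]), int(tokens[i + 2])
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"bad port range {lo}-{hi}")
        return (lo, hi)
    raise ValueError(f"unsupported port operator {tokens[i]!r}")


def parse_acl(text: str) -> List[Ace]:
    """Parse 'access-list NAME permit|deny PROTO SRC DST [ports]' lines, keeping their order."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens[:1] != ["access-list"]:
            raise ValueError(f"not an access-list line: {line!r}")
        name, action, proto = tokens[1], tokens[2], tokens[3]
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action {action!r} in {line!r}")
        src, i = _parse_addr(tokens, 4)
        dst, i = _parse_addr(tokens, i)
        aces.append(Ace(name, action, proto, src, dst, _parse_ports(tokens, i), line))
    return aces


def evaluate(aces: List[Ace], src_ip: str, dst_ip: str, dst_port: int,
             proto: str = "tcp") -> Tuple[str, Optional[str]]:
    """First-match evaluation. Returns (action, matching line), or ('deny', None)
    when nothing matched, i.e. the implicit deny that ends every PIX access-list."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in aces:
        if ace.proto not in (proto, "ip"):
            continue
        if s in ace.src and d in ace.dst and ace.ports[0] <= dst_port <= ace.ports[1]:
            return ace.action, ace.text
    return "deny", None


ACL = parse_acl(ACL_TEXT)

if __name__ == "__main__":
    # Constructed probes: the three partner hosts on allowed and disallowed ports,
    # a fourth host from nowhere in the list, and UDP to an allowed port.
    for src, port, proto in [(OUTSIDE_IP1, 990, "tcp"), (OUTSIDE_IP2, 28250, "tcp"),
                             (OUTSIDE_IP3, 28501, "tcp"), ("192.0.2.7", 990, "tcp"),
                             (OUTSIDE_IP1, 990, "udp")]:
        action, line = evaluate(ACL, src, EXTERNAL_IP, port, proto)
        print(f"{proto} {src} -> {EXTERNAL_IP}:{port}: {action} ({line or 'implicit deny'})")
```

Two checks worth running against your own list with this: that a port one past the range (28501) and a fourth partner address both fall through to the implicit deny, and that the list is actually bound to the outside interface, since an access-list on a PIX has no effect until an access-group statement (for example `access-group outside-inbound in interface outside`) applies it, and neither post shows that line.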

metalcoat Mon, 08/27/2007 - 10:54

After trying that last command, it blocks all access to the internet from the rest of the workstations. Maybe a less wide static statement?

acomiskey Mon, 08/27/2007 - 11:08

I'm sorry but are you saying that after you enter the static command that inside workstations cannot access the internet?

metalcoat Mon, 08/27/2007 - 11:38

Correct, it's one workstation that I am routing all the information from those ports to. When the last command (static) is entered it seems that all information from all ports is forwarded there. At least that's what I think is happening. I plan on testing the equipment anyway today, I will post back on my findings, thank you for the quick replies.

acomiskey Mon, 08/27/2007 - 12:07

If you get a chance, post a sanitized config for us to look at. Thanks.
