Pix - Allowing ranges from 3 IPs

metalcoat
Level 1

We have a pix firewall (external_ip) that is working perfectly. The problem is that we need to allow certain ports to a workstation (work_ip) from only 3 ips from a different company (outside_ip1,2,3).

The ports that need to be allowed to this workstation are 28000-28500 and 990. I have listed the commands I think should do it, any feedback or suggestions would be great.

access-list outside-inbound permit tcp host outside_ip1 host external_ip eq 990
access-list outside-inbound permit tcp host outside_ip2 host external_ip eq 990
access-list outside-inbound permit tcp host outside_ip3 host external_ip eq 990
access-list outside-inbound permit tcp host outside_ip1 host external_ip range 28000 28500
access-list outside-inbound permit tcp host outside_ip2 host external_ip range 28000 28500
access-list outside-inbound permit tcp host outside_ip3 host external_ip range 28000 28500
static (inside,outside) tcp external_ip 990 work_ip 990 netmask 255.255.255.255 0 0
static (inside,outside) tcp external_ip 28000-28500 work_ip 28000-28500 netmask 255.255.255.255 0 0

6 Replies

metalcoat
Level 1

Apparently I won't be able to use the static command for port ranges. I am very new to this.

acomiskey
Level 10

Since you're forwarding all the ports to the same server you can do this...

access-list outside-inbound permit tcp host outside_ip1 host external_ip eq 990
access-list outside-inbound permit tcp host outside_ip2 host external_ip eq 990
access-list outside-inbound permit tcp host outside_ip3 host external_ip eq 990
access-list outside-inbound permit tcp host outside_ip1 host external_ip range 28000 28500
access-list outside-inbound permit tcp host outside_ip2 host external_ip range 28000 28500
access-list outside-inbound permit tcp host outside_ip3 host external_ip range 28000 28500
static (inside,outside) interface work_ip netmask 255.255.255.255

Please rate helpful posts.

After trying that last command, it blocks all access to the internet from the rest of the workstations. Maybe a less wide static statement?

I'm sorry but are you saying that after you enter the static command that inside workstations cannot access the internet?

Correct, it's one workstation that I am routing all the information from those ports to. When the last command (static) is entered it seems that all information from all ports is forwarded there. At least that's what I think is happening. I plan on testing the equipment anyway today; I will post back on my findings. Thank you for the quick replies.

If you get a chance, post a sanitized config for us to look at. Thanks.
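As an added example (not the posters' configuration and not Cisco's own tooling), a script that emits the policy the thread is converging on: the three-host ACL with PIX's two-operand range syntax, one port-level static per forwarded port instead of the interface-wide static, and the access-group binding neither post shows. It assumes PIX 6.x syntax and that the outside address also serves as the outbound PAT address; the host names are the thread's own placeholders.

```python
"""PIX 6.x inbound policy for the scenario in this thread (added example)."""
from typing import Iterable, List

# Constructed placeholders standing in for the thread's sanitized names.
TRUSTED_SOURCES = ["outside_ip1", "outside_ip2", "outside_ip3"]
EXTERNAL_IP = "external_ip"  # PIX outside address
WORK_IP = "work_ip"          # inside workstation receiving the traffic
SINGLE_PORTS = [990]
PORT_RANGE = (28000, 28500)


def acl_lines(acl: str, sources: Iterable[str], ext_ip: str) -> List[str]:
    """Permit only the three trusted sources, only to the published ports."""
    lines = []
    lo, hi = PORT_RANGE
    for src in sources:
        for port in SINGLE_PORTS:
            lines.append(f"access-list {acl} permit tcp host {src} host {ext_ip} eq {port}")
        # PIX ACL range syntax is two ports separated by a space, not a hyphen.
        lines.append(f"access-list {acl} permit tcp host {src} host {ext_ip} range {lo} {hi}")
    return lines


def static_lines(ext_ip: str, inside_ip: str) -> List[str]:
    """One port-level static per forwarded port.

    'static' cannot take a port range, and a bare 'static (inside,outside)
    interface work_ip' maps the whole outside address to the workstation,
    colliding with outbound PAT on that address (the symptom in the thread).
    """
    ports = SINGLE_PORTS + list(range(PORT_RANGE[0], PORT_RANGE[1] + 1))
    return [
        f"static (inside,outside) tcp {ext_ip} {p} {inside_ip} {p} "
        f"netmask 255.255.255.255 0 0"
        for p in ports
    ]


def build_config(acl: str = "outside-inbound") -> List[str]:
    """Full fragment: ACL entries, per-port statics, and the interface binding."""
    cfg = acl_lines(acl, TRUSTED_SOURCES, EXTERNAL_IP)
    cfg += static_lines(EXTERNAL_IP, WORK_IP)
    # An access-list does nothing until it is bound to the outside interface.
    cfg.append(f"access-group {acl} in interface outside")
    return cfg


if __name__ == "__main__":
    print("\n".join(build_config()))
```

The output is long (502 static lines) because PIX 6.x has no range form of static; that is the price of keeping the outside address free for PAT.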
