08-24-2007 04:25 AM - edited 03-11-2019 04:02 AM
We have a pix firewall (external_ip) that is working perfectly. The problem is that we need to allow certain ports to a workstation (work_ip) from only 3 ips from a different company (outside_ip1,2,3).
The ports that need to be allowed to this workstation are 28000-28500 and 990. I have listed the commands I think should do it, any feedback or suggestions would be great.
access-list outside-inbound permit tcp host outside_ip1 host external_ip eq 990
access-list outside-inbound permit tcp host outside_ip2 host external_ip eq 990
access-list outside-inbound permit tcp host outside_ip3 host external_ip eq 990
access-list outside-inbound permit tcp host outside_ip1 host external_ip range 28000 28500
access-list outside-inbound permit tcp host outside_ip2 host external_ip range 28000 28500
access-list outside-inbound permit tcp host outside_ip3 host external_ip range 28000 28500
static (inside,outside) tcp external_ip 990 work_ip 990 netmask 255.255.255.255 0 0
static (inside,outside) tcp external_ip 28000-28500 work_ip 28000-28500 netmask 255.255.255.255 0 0
08-24-2007 07:13 AM
Apparently I won't be able to use the static command for port ranges. I am very new to this.
08-24-2007 07:19 AM
Since you're forwarding all the ports to the same server you can do this...
access-list outside-inbound permit tcp host outside_ip1 host external_ip eq 990
access-list outside-inbound permit tcp host outside_ip2 host external_ip eq 990
access-list outside-inbound permit tcp host outside_ip3 host external_ip eq 990
access-list outside-inbound permit tcp host outside_ip1 host external_ip range 28000 28500
access-list outside-inbound permit tcp host outside_ip2 host external_ip range 28000 28500
access-list outside-inbound permit tcp host outside_ip3 host external_ip range 28000 28500
static (inside,outside) interface work_ip netmask 255.255.255.255
Please rate helpful posts.
08-27-2007 10:54 AM
After trying that last command, it blocks all access to the internet from the rest of the workstations. Maybe a less wide static statement?
08-27-2007 11:08 AM
I'm sorry but are you saying that after you enter the static command that inside workstations cannot access the internet?
08-27-2007 11:38 AM
Correct, it's one workstation that I am routing all the information from those ports to. When the last command (static) is entered it seems that all information from all ports is forwarded there. At least that's what I think is happening. I plan on testing the equipment anyway today, I will post back on my findings, thank you for the quick replies.
08-27-2007 12:07 PM
If you get a chance, post a sanitized config for us to look at. Thanks.
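The thread reports that a full static of the outside interface address to work_ip broke outbound access for every other inside host. The port-level form of static publishes only the listed ports and leaves the interface address for the rest of the PAT traffic, but PIX static takes a single port, so a 501-port range becomes 501 statics. The following is an added example, not from any poster in the thread: a POSIX shell script that emits that config fragment (ACL, access-group binding, per-port statics). The addresses and the access-group line are assumptions, not from the original posts.

```shell
#!/bin/sh
# Added example (not from the thread): emit a PIX 6.x/7.x fragment that
# publishes TCP 990 and 28000-28500 on the outside interface address to one
# inside host, reachable only from three named outside hosts.
# Addresses below are constructed placeholders, not the poster's real ones.

WORK_IP="${WORK_IP:-192.0.2.10}"                 # inside workstation (constructed)
EXTERNAL_IP="${EXTERNAL_IP:-203.0.113.1}"        # outside interface address (constructed)
OUTSIDE_HOSTS="${OUTSIDE_HOSTS:-198.51.100.1 198.51.100.2 198.51.100.3}"
ACL_NAME="outside-inbound"
LO=28000
HI=28500

# ACL: only the three partner hosts may reach the published ports.
# PIX port ranges are two operands ("range low high"), not "low-high".
gen_acl() {
  for src in $OUTSIDE_HOSTS; do
    echo "access-list $ACL_NAME permit tcp host $src host $EXTERNAL_IP eq 990"
    echo "access-list $ACL_NAME permit tcp host $src host $EXTERNAL_IP range $LO $HI"
  done
  # Bind the ACL inbound on the outside interface; without this line the
  # access-list is never consulted. The thread never shows this step (assumed).
  echo "access-group $ACL_NAME in interface outside"
}

# One port-level static per published port. "interface" maps only that TCP
# port of the outside address, so outbound PAT for other hosts keeps working;
# the thread's full static of the interface address took the whole address.
gen_statics() {
  echo "static (inside,outside) tcp interface 990 $WORK_IP 990 netmask 255.255.255.255"
  p=$LO
  while [ "$p" -le "$HI" ]; do
    echo "static (inside,outside) tcp interface $p $WORK_IP $p netmask 255.255.255.255"
    p=$((p + 1))
  done
}

# Full fragment: 7 ACL/access-group lines followed by 502 statics.
gen_config() {
  gen_acl
  gen_statics
}

gen_config
```

Paste the output into configuration mode and save; the 502 static lines are the price of a port range on a platform whose static command has no range operand.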