Pix - Allowing ranges from 3 ips

metalcoat
Level 1

We have a pix firewall (external_ip) that is working perfectly. The problem is that we need to allow certain ports to a workstation (work_ip) from only 3 ips from a different company (outside_ip1,2,3).

The ports that need to be allowed to this workstation are 28000-28500 and 990. I have listed the commands I think should do it, any feedback or suggestions would be great.

access-list outside-inbound permit tcp host outside_ip1 host external_ip eq 990
access-list outside-inbound permit tcp host outside_ip2 host external_ip eq 990
access-list outside-inbound permit tcp host outside_ip3 host external_ip eq 990
access-list outside-inbound permit tcp host outside_ip1 host external_ip range 28000 28500
access-list outside-inbound permit tcp host outside_ip2 host external_ip range 28000 28500
access-list outside-inbound permit tcp host outside_ip3 host external_ip range 28000 28500
static (inside,outside) tcp external_ip 990 work_ip 990 netmask 255.255.255.255 0 0
static (inside,outside) tcp external_ip 28000-28500 work_ip 28000-28500 netmask 255.255.255.255 0 0

6 Replies

metalcoat
Level 1

Apparently I won't be able to use the static command for port ranges. I am very new to this.

acomiskey
Level 10

Since you're forwarding all the ports to the same server you can do this...

access-list outside-inbound permit tcp host outside_ip1 host external_ip eq 990
access-list outside-inbound permit tcp host outside_ip2 host external_ip eq 990
access-list outside-inbound permit tcp host outside_ip3 host external_ip eq 990
access-list outside-inbound permit tcp host outside_ip1 host external_ip range 28000 28500
access-list outside-inbound permit tcp host outside_ip2 host external_ip range 28000 28500
access-list outside-inbound permit tcp host outside_ip3 host external_ip range 28000 28500
static (inside,outside) interface work_ip netmask 255.255.255.255

Please rate helpful posts.

After trying that last command, it blocks all access to the internet from the rest of the workstations. Maybe a less wide static statement?

I'm sorry but are you saying that after you enter the static command that inside workstations cannot access the internet?

Correct, it's one workstation that I am routing all the information from those ports to. When the last command (static) is entered it seems that all information from all ports is forwarded there. At least that's what I think is happening. I plan on testing the equipment anyway today, I will post back on my findings, thank you for the quick replies.

If you get a chance post a sanitized config for us to look at. thanks.
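The two failure modes in this thread (an ACL that permits a port range with no static to translate it, and an interface-wide static that claims every inbound port) can be caught by a quick consistency check on the PIX lines before they are pasted in. This is an added example, not anything posted by the participants; it uses the thread's placeholder host names and assumes the `(inside,outside)` static and `tcp`-only ACL forms shown above.

```python
import re
from typing import List, Set, Tuple

# Constructed sample built from the commands quoted in this thread; host names are
# the thread's placeholders. The last static is the port-range form the poster found
# unsupported and is kept deliberately so the check can flag it.
OP_CONFIG = """
access-list outside-inbound permit tcp host outside_ip1 host external_ip eq 990
access-list outside-inbound permit tcp host outside_ip1 host external_ip range 28000 28500
static (inside,outside) tcp external_ip 990 work_ip 990 netmask 255.255.255.255 0 0
static (inside,outside) tcp external_ip 28000-28500 work_ip 28000-28500 netmask 255.255.255.255 0 0
"""
# The reply's one-line static, which maps the whole outside interface to work_ip.
REPLY_STATIC = "static (inside,outside) interface work_ip netmask 255.255.255.255\n"

ACL_RE = re.compile(r"access-list \S+ permit tcp host \S+ host \S+ (?:eq (\d+)|range (\d+)[ -](\d+))")
PORT_STATIC_RE = re.compile(r"static \(inside,outside\) tcp (\S+) (\d+) (\S+) (\d+) netmask")
FULL_STATIC_RE = re.compile(r"static \(inside,outside\) (\S+) (\S+) netmask")

def acl_ports(config: str) -> Set[int]:
    """Every TCP port the inbound ACL permits toward the external address."""
    ports: Set[int] = set()
    for m in ACL_RE.finditer(config):
        if m.group(1):
            ports.add(int(m.group(1)))
        else:
            ports.update(range(int(m.group(2)), int(m.group(3)) + 1))
    return ports

def static_ports(config: str) -> Set[int]:
    """Outside ports that a per-port static actually translates to an inside host."""
    return {int(m.group(2)) for m in PORT_STATIC_RE.finditer(config)}

def whole_address_statics(config: str) -> List[Tuple[str, str]]:
    """Statics that hand an entire outside address (or 'interface') to one inside host.
    Such a static claims every inbound port, which is the behaviour the thread observed."""
    return [(m.group(1), m.group(2)) for m in FULL_STATIC_RE.finditer(config)]

def unsupported_statics(config: str) -> List[str]:
    """static lines in neither per-port nor whole-address form (e.g. a port range), which PIX rejects."""
    lines = [l.strip() for l in config.splitlines() if l.strip().startswith("static ")]
    return [l for l in lines if not (PORT_STATIC_RE.match(l) or FULL_STATIC_RE.match(l))]

def unreachable_ports(config: str) -> Set[int]:
    """Ports the ACL permits but nothing translates: allowed in, then dropped for lack of a translation."""
    if whole_address_statics(config):
        return set()  # a whole-address static already covers every port (at a cost)
    return acl_ports(config) - static_ports(config)
```

Running it on the original post reports 28000-28500 as permitted but untranslated and the range static as unsupported; adding the reply's interface static clears that gap but shows up under `whole_address_statics`, which is the wide mapping the follow-up noticed.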
