ACL help on PIX 506E

ed-rucker
Level 1

Hello All,

I have a PIX 506e v6.3. I need to provide outside access to port 80 and port 3389 on one inside client and access to port 1433 on another client. I've come up with access lists something like this: (12.12.12.12 is the outside interface on the pix and 24.24.24.24 is a remote location I want to have access)

access-list 110 permit tcp host 192.168.99.95 host 12.12.12.12 eq www

access-list 110 permit tcp host 192.168.99.94 host 12.12.12.12 eq 1433

access-list 110 permit tcp host 192.168.99.95 host 24.24.24.24 eq 3389

access-group 110 in interface outside

static (inside,outside) 12.12.12.12 192.168.99.95 netmask 255.255.255.255

static (inside,outside) 12.12.12.12 192.168.99.94 netmask 255.255.255.255

Thanks

1 Accepted Solution


Hi Ed

Here is what you need

static (inside,outside) tcp interface www 192.168.99.95 www netmask 255.255.255.255

static (inside,outside) tcp interface 3389 192.168.99.95 3389 netmask 255.255.255.255

static (inside,outside) tcp interface 1433 192.168.99.94 1433 netmask 255.255.255.255

access-list outside_access_in permit tcp any interface outside eq www

access-list outside_access_in permit tcp any interface outside eq 1433

access-list outside_access_in permit tcp host 24.24.24.24 interface outside eq 3389

access-group outside_access_in in interface outside

Regards
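As an added check that is not part of the thread, the following Python script models how the PIX evaluates the accepted answer's inbound ACL (top-down, first match wins, implicit deny at the end), so you can confirm that only the intended ports and sources are reachable on the outside interface. It assumes 12.12.12.12 for the "interface" keyword, as the original poster stated, and the test addresses are constructed.

```python
# Added example (not from the thread): a tiny evaluator for the PIX 6.3
# inbound ACL in the accepted answer. Entries are checked top-down, first
# match wins, and an unmatched flow hits the implicit deny at the end.

# "interface outside" resolves to the outside interface's own address,
# which the original poster gave as 12.12.12.12 (assumption taken from the post).
OUTSIDE_IF_IP = "12.12.12.12"
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22}  # subset of PIX names

# The accepted answer's access-list lines, quoted from the thread.
ACL_TEXT = """
access-list outside_access_in permit tcp any interface outside eq www
access-list outside_access_in permit tcp any interface outside eq 1433
access-list outside_access_in permit tcp host 24.24.24.24 interface outside eq 3389
"""

def _port(tok):
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]

def _addr(tok, i):
    """Parse the address spec at tok[i]; return (match function, next index)."""
    if tok[i] == "any":
        return (lambda ip: True), i + 1
    if tok[i] == "host":
        target = tok[i + 1]
        return (lambda ip: ip == target), i + 2
    if tok[i] == "interface":
        return (lambda ip: ip == OUTSIDE_IF_IP), i + 2
    raise ValueError("unsupported address spec: " + tok[i])

def parse_acl(text):
    """Return (action, proto, src_match, dst_match, dst_port) per entry."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        # access-list <name> <permit|deny> <proto> <src> <dst> [eq <port>]
        action, proto = tok[2], tok[3]
        src, i = _addr(tok, 4)
        dst, i = _addr(tok, i)
        dport = _port(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
        entries.append((action, proto, src, dst, dport))
    return entries

ACL = parse_acl(ACL_TEXT)

def evaluate(src_ip, dst_ip, dport, proto="tcp", acl=ACL):
    """Return 'permit' or 'deny' for an inbound flow on the outside interface."""
    for action, p, src, dst, port in acl:
        if p == proto and src(src_ip) and dst(dst_ip) and port in (None, dport):
            return action
    return "deny"  # implicit deny at the end of every ACL
```

Running `evaluate("203.0.113.5", "12.12.12.12", 3389)` returns "deny" while the same flow from 24.24.24.24 returns "permit", which is exactly the exposure the thread asked for.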

7 Replies

husycisco
Level 7

Do you want a remote location (24.24.24.24) to access your inside client (12.12.12.12)?

If you want to access the remote location (24.24.24.24) from the inside client (12.12.12.12), you don't need ACLs if your default config is not filtered with inside_access_in.

12.12.12.12 is the outside interface on the pix.

Would you please rephrase your situation by using "from" and "to"

btw, you can't one-to-one map 1 IP to two hosts:

static (inside,outside) 12.12.12.12 192.168.99.95 netmask 255.255.255.255

static (inside,outside) 12.12.12.12 192.168.99.94 netmask 255.255.255.255

And you can't map the interface IP like that. I will start posting as soon as I correctly understand the issue.

Regards

ok

I need to go from outside any to inside 192.168.99.95 eq www

I need to go from outside any to inside 192.168.99.94 eq 1433

and last from outside 24.24.24.24 to inside 192.168.99.95 eq 3389

thanks

Thank You, Thank You, Thank You, You are most Excelante'! - Ed

You are welcome
