09-16-2008 07:44 AM - edited 03-11-2019 06:44 AM
I need to open ports on the firewall for the following:
Port 80 from IP 172.16.1.20 (in DMZ) to 195.118.216.163 (internal network)
Port 1433 from IP 172.16.1.20 (in DMZ) to 195.118.216.163 (internal network)
I also need to label the ports, i.e. 1433 SQL and 80 HTTP, and specify a name for the rule, i.e. "Gateway to Swordfish Claims communication", if possible, so we can keep track of the rules.
How do I configure this on a PIX firewall?
09-16-2008 08:13 AM
access-list dmz2internal extended permit tcp host 172.16.1.20 host 195.1189.216.163 eq 80
access-list dmz2internal extended permit tcp host 172.16.1.20 host 195.1189.216.163 eq 1433
Port 80 will be renamed (in the config) to HTTP and 1422 to SQLNET. I don't think there is a way to change them. For marking what an ACL does, you can add a remark.
access-list dmz2internal extended remark Gateway to Swordfish Claims communication
Hope that helps.
09-16-2008 08:13 AM
You configure this in the firewall.
You can try something like this.
Create a no-NAT static entry:
static (inside,DMZ) 195.118.216.163 195.118.216.163 netmask 255.255.255.255 0 0
Create an object group for TCP with a description:
object-group service TCP_GW_SWORFISH tcp
description Gateway to Sorfish
port-object eq 1433
port-object eq 80
Then the ACL:
access-list DMZ_access_in remark gateway_to_sorfish
access-list DMZ_access_in permit tcp host 172.16.1.20 host 195.118.216.163 object-group TCP_GW_SWORFISH
access-group DMZ_access_in in interface DMZ
09-16-2008 08:17 AM
Do I need to create an object group for this on the PIX?
09-16-2008 08:19 AM
Either way will work.
09-16-2008 08:27 AM
When I try to enter this ACL it gives me the error "invalid hostname".
access-list dmz2internal extended remark Gateway to Swordfish Claims communication
access-list dmz2internal extended permit tcp host 172.16.1.20 host 195.1189.216.163 eq 80
access-list dmz2internal extended permit tcp host 172.16.1.20 host 195.1189.216.163 eq 1433
09-16-2008 08:29 AM
Second octet in the second IP, 1189 won't work.
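The object-group approach from the second answer and the "invalid hostname" failure above, as an added example that is not part of this thread: a small Python generator that builds the PIX lines for one DMZ-to-internal rule and validates every host address first, so a malformed octet like 195.1189.216.163 is rejected before anything is pasted into the firewall. The group name TCP_GW_SWORDFISH and the rule values are taken from the thread; the helper names are my own.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List

@dataclass
class Rule:
    """One allow rule from a DMZ host to an internal host over a set of TCP ports."""
    name: str                     # free-text remark / object-group description
    group: str                    # object-group name, e.g. TCP_GW_SWORDFISH
    src_host: str                 # DMZ host
    dst_host: str                 # internal host
    tcp_ports: List[int] = field(default_factory=list)

def is_valid_host(addr: str) -> bool:
    """True only for a well-formed IPv4 host; '195.1189.216.163' fails this check."""
    try:
        ipaddress.IPv4Address(addr)
    except ValueError:
        return False
    return True

def render_pix(rule: Rule, acl: str = "DMZ_access_in", ifc: str = "DMZ") -> List[str]:
    """Return the PIX config lines: identity static, service object-group, ACL, access-group."""
    for addr in (rule.src_host, rule.dst_host):
        if not is_valid_host(addr):
            raise ValueError(f"bad host address {addr!r} (PIX would report: invalid hostname)")
    for port in rule.tcp_ports:
        if not 0 < port < 65536:
            raise ValueError(f"bad TCP port {port}")
    lines = [
        # identity static: the internal host keeps its own address toward the DMZ
        f"static (inside,{ifc}) {rule.dst_host} {rule.dst_host} netmask 255.255.255.255 0 0",
        f"object-group service {rule.group} tcp",
        f" description {rule.name}",
    ]
    lines += [f" port-object eq {port}" for port in rule.tcp_ports]
    lines += [
        f"access-list {acl} remark {rule.name}",
        f"access-list {acl} permit tcp host {rule.src_host} host {rule.dst_host} object-group {rule.group}",
        f"access-group {acl} in interface {ifc}",
    ]
    return lines

def example_rule() -> Rule:
    """The rule requested in this thread (values copied from the question)."""
    return Rule("Gateway to Swordfish Claims communication", "TCP_GW_SWORDFISH",
                "172.16.1.20", "195.118.216.163", [80, 1433])

if __name__ == "__main__":
    print("\n".join(render_pix(example_rule())))
```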
09-17-2008 12:14 AM
It worked, thanks.
09-16-2008 08:21 AM
You do not have to create an object group; it is a matter of preference. I like to have object groups segregated, so I group them as such so that I know what I use the group for. Furthermore, creating groups is easy, as you can add more TCP services to them, as opposed to individual ACLs per TCP/UDP port. And I do agree with Collin as well.