Solved: Help with PIX configuration

patel.nishit · ‎09-16-2008

I need to open ports on the firewall for the following:

Port 80 From IP - 172.16.1.20 (in DMZ) to 195.118.216.163 (internal

network)

Port 1433 From IP 172.16.1.20 (in DMZ) to 195.118.216.163 (Internal

Network)

Also need to label the ports ie: 1433 SQL and HTTP 80 and specify a name for the rule ie: "Gateway to Swordfish Claims communication" if possible so we can keep track of the rules

Do do I configure this on a PIX firewall

Collin Clark · ‎09-16-2008

access-list dmz2internal extended permit tcp host 172.16.1.20 host 195.1189.216.163 eq 80

access-list dmz2internal extended permit tcp host 172.16.1.20 host 195.1189.216.163 eq 1433

Port 80 will be renamed (in the config) to HTTP and 1422 to SQLNET. I don't think there is a way to change them. For marking what an ACL does, you can add a remark.

access-list dmz2internal extended remark Gateway to Swordfish Claims communication

Hope that helps.

View solution in original post

JORGE RODRIGUEZ · ‎09-16-2008

You configure this in fw.

You can try something like this.

create no nat static entry

static (inside,DMZ) 195.118.216.163 195.118.216.163 netmask 255.255.255.255 0 0

create object group for tcp with description

object-group service TCP_GW_SWORFISH tcp

description Gateway to Sorfish

port-object eq 1433

port-object eq 80

then acl

access-list DMZ_access_in remark gateway_to_sorfish

access-list DMZ_access_in permit tcp host 172.16.1.20 host 195.118.216.163 object-group TCP_GW_SWORFISH

access-group DMZ_access_in in interface DMZ

Jorge Rodriguez

View solution in original post

Collin Clark · ‎09-16-2008

Either way will work.

View solution in original post

Collin Clark · ‎09-16-2008

Second octet in the second IP, 1189 won't work.

View solution in original post

Collin Clark · ‎09-16-2008

access-list dmz2internal extended permit tcp host 172.16.1.20 host 195.1189.216.163 eq 80

access-list dmz2internal extended permit tcp host 172.16.1.20 host 195.1189.216.163 eq 1433

Port 80 will be renamed (in the config) to HTTP and 1422 to SQLNET. I don't think there is a way to change them. For marking what an ACL does, you can add a remark.

access-list dmz2internal extended remark Gateway to Swordfish Claims communication

Hope that helps.

JORGE RODRIGUEZ · ‎09-16-2008

You configure this in fw.

You can try something like this.

create no nat static entry

static (inside,DMZ) 195.118.216.163 195.118.216.163 netmask 255.255.255.255 0 0

create object group for tcp with description

object-group service TCP_GW_SWORFISH tcp

description Gateway to Sorfish

port-object eq 1433

port-object eq 80

then acl

access-list DMZ_access_in remark gateway_to_sorfish

access-list DMZ_access_in permit tcp host 172.16.1.20 host 195.118.216.163 object-group TCP_GW_SWORFISH

access-group DMZ_access_in in interface DMZ

Jorge Rodriguez

patel.nishit · ‎09-16-2008

Do I need to create an object group for this on pix.

Collin Clark · ‎09-16-2008

Either way will work.

patel.nishit · ‎09-16-2008

When I try to enter this acl it is giving me error invalid hostname.

access-list dmz2internal extended remark Gateway to Swordfish Claims communication

access-list dmz2internal extended permit tcp host 172.16.1.20 host 195.1189.216.163 eq 80

access-list dmz2internal extended permit tcp host 172.16.1.20 host 195.1189.216.163 eq 1433

Collin Clark · ‎09-16-2008

Second octet in the second IP, 1189 won't work.

patel.nishit · ‎09-17-2008

it worked thanks

JORGE RODRIGUEZ · ‎09-16-2008

you do not have to create object group, it is a matter of preference, I like to have object groups segregated so I group them as such so that I know who I use the group for, fruthermore creating groups is easy as you can add more tcp services to them as support to individual acls per tcp udp ports.. and I do agree with Collin as well..

Jorge Rodriguez