09-16-2008 07:44 AM - edited 03-11-2019 06:44 AM
I need to open ports on the firewall for the following:
Port 80 from IP 172.16.1.20 (in DMZ) to 195.118.216.163 (internal network)
Port 1433 from IP 172.16.1.20 (in DMZ) to 195.118.216.163 (internal network)
Also need to label the ports, i.e. 1433 SQL and HTTP 80, and specify a name for the rule, i.e. "Gateway to Swordfish Claims communication", if possible so we can keep track of the rules.
How do I configure this on a PIX firewall?
09-16-2008 08:13 AM
access-list dmz2internal extended permit tcp host 172.16.1.20 host 195.1189.216.163 eq 80
access-list dmz2internal extended permit tcp host 172.16.1.20 host 195.1189.216.163 eq 1433
Port 80 will be renamed (in the config) to HTTP and 1422 to SQLNET. I don't think there is a way to change them. For marking what an ACL does, you can add a remark.
access-list dmz2internal extended remark Gateway to Swordfish Claims communication
Hope that helps.
09-16-2008 08:13 AM
You configure this in the FW.
You can try something like this.
Create a no-NAT static entry:
static (inside,DMZ) 195.118.216.163 195.118.216.163 netmask 255.255.255.255 0 0
Create an object group for TCP with a description:
object-group service TCP_GW_SWORFISH tcp
description Gateway to Sorfish
port-object eq 1433
port-object eq 80
Then the ACL:
access-list DMZ_access_in remark gateway_to_sorfish
access-list DMZ_access_in permit tcp host 172.16.1.20 host 195.118.216.163 object-group TCP_GW_SWORFISH
access-group DMZ_access_in in interface DMZ
09-16-2008 08:17 AM
Do I need to create an object group for this on the PIX?
09-16-2008 08:19 AM
Either way will work.
09-16-2008 08:27 AM
When I try to enter this ACL it is giving me the error "invalid hostname".
access-list dmz2internal extended remark Gateway to Swordfish Claims communication
access-list dmz2internal extended permit tcp host 172.16.1.20 host 195.1189.216.163 eq 80
access-list dmz2internal extended permit tcp host 172.16.1.20 host 195.1189.216.163 eq 1433
09-16-2008 08:29 AM
The second octet in the second IP, 1189, won't work.
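To catch a slip like the one pointed out above before it reaches the firewall, here is an added example (not from this thread and not a Cisco tool) in Python: a small pre-flight linter for the PIX access-list lines posted earlier. It recognises only the command forms used in this thread, and both sample configs are constructed from the posted lines.

```python
import ipaddress
import re

# Only the command forms used in the thread are recognised; any other line
# starting with "access-list" is reported as unknown syntax.
ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?:extended\s+)?(?:permit|deny)\s+(?:tcp|udp)\s+"
    r"host\s+(?P<src>\S+)\s+host\s+(?P<dst>\S+)\s+(?:eq\s+\S+|object-group\s+\S+)$"
)
REMARK_RE = re.compile(r"^access-list\s+(?P<name>\S+)\s+(?:extended\s+)?remark\s+.+$")
BIND_RE = re.compile(r"^access-group\s+(?P<name>\S+)\s+in\s+interface\s+\S+$")

def check_pix_acl(config_text):
    """Lint PIX-style access-list lines; returns a list of findings (empty means clean)."""
    findings, acl_names, bound = [], set(), set()
    for n, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if m := BIND_RE.match(line):
            bound.add(m["name"])
        elif m := REMARK_RE.match(line):
            acl_names.add(m["name"])
        elif m := ACL_RE.match(line):
            acl_names.add(m["name"])
            for role in ("src", "dst"):
                try:
                    ipaddress.IPv4Address(m[role])  # rejects an octet above 255, e.g. 1189
                except ValueError:
                    findings.append(f"line {n}: invalid {role} host {m[role]!r} (PIX reports 'invalid hostname')")
        elif line.startswith("access-list"):
            findings.append(f"line {n}: unrecognised access-list syntax")
    for name in sorted(acl_names - bound):
        findings.append(f"ACL {name} is never applied with access-group, so it has no effect")
    return findings

# Constructed sample: the ACL as posted in the first answer, bad octet included
POSTED_ACL = """
access-list dmz2internal extended remark Gateway to Swordfish Claims communication
access-list dmz2internal extended permit tcp host 172.16.1.20 host 195.1189.216.163 eq 80
access-list dmz2internal extended permit tcp host 172.16.1.20 host 195.1189.216.163 eq 1433
"""

# Constructed sample: corrected address, plus the access-group binding from the second answer
FIXED_ACL = """
access-list dmz2internal extended remark Gateway to Swordfish Claims communication
access-list dmz2internal extended permit tcp host 172.16.1.20 host 195.118.216.163 eq 80
access-list dmz2internal extended permit tcp host 172.16.1.20 host 195.118.216.163 eq 1433
access-group dmz2internal in interface DMZ
"""
```

Running `check_pix_acl(POSTED_ACL)` reports both permit lines for the bad destination host and notes that the ACL is never bound to an interface; `check_pix_acl(FIXED_ACL)` returns no findings.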
09-17-2008 12:14 AM
It worked, thanks.
09-16-2008 08:21 AM
You do not have to create an object group, it is a matter of preference. I like to have object groups segregated, so I group them as such so that I know who I use the group for; furthermore, creating groups is easy, as you can add more TCP services to them in support of individual ACLs per TCP/UDP port. And I do agree with Collin as well.