Access Rule (PIX 515E)

epohxavrio
Level 1

I am trying to create an access rule in the DMZ on a PIX 515E to one server in the DMZ (192.168.30.10) from two different IPs:

74.125.45.83

74.125.45.17

From these two IPs I want to permit https & ping traffic only. This is where I'm running into a problem.

[code]
access-list tsb-dmz extended permit icmp host 192.168.30.10 any
access-list tsb-dmz extended permit tcp host 192.168.30.10 any eq www
access-list tsb-dmz extended permit tcp host 192.168.30.10 any object-group DM_INLINE_TCP_1
access-list tsb-dmz extended permit tcp host 192.168.30.10 host 192.168.2.19 object-group SQL1433
access-list tsb-dmz extended permit tcp object-group DM_INLINE_NETWORK_2 host 64.4.33.7 eq https
access-list tsb-dmz extended permit ip any any inactive
access-list tsb-dmz extended permit object-group DM_INLINE_SERVICE_1 host 192.168.30.10 host 192.168.2.19
access-list tsb-dmz extended permit icmp any host 64.4.33.7
[/code]

The traffic is not coming through. What do I need to do?

2 Replies

Panos Kampanakis
Cisco Employee

What are the global ip addresses for the server?

Are the users going to be coming from the outside?

Then you need to manipulate the outside ACL and maybe change the translation if the server is not translated.

You will need something like

[code]
access-l outside-acl permit tcp h 74.125.45.83 h eq 443
access-l outside-acl permit tcp h 74.125.45.17 h eq 443
access-l outside-acl permit icmp h 74.125.45.83 h
access-l outside-acl permit icmp h 74.125.45.17 h
static (dmz,outside) 192.168.30.10
[/code]

I hope it helps.

PK
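As an added illustration (not code from the poster or the reply), here is a small Python model of PIX first-match ACL evaluation. It shows why the poster's tsb-dmz entries, which name the server as the source, never match the clients' inbound packets, while an outside ACL keyed on the server's global address does. 203.0.113.10 (the server's global address) and 198.51.100.9 (an unrelated client) are constructed placeholders, and object-group entries are not modelled.

```python
import ipaddress

def _addr(tokens):
    """Consume 'any' or 'host A.B.C.D'; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]  # 'host X'

def parse_acl(text):
    """Parse 'access-list NAME extended permit|deny PROTO SRC DST [eq PORT]' lines;
    object-group and inactive entries are beyond this toy parser and are skipped."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if "object-group" in t or "inactive" in t:
            continue
        src, rest = _addr(t[5:])
        dst, rest = _addr(rest)
        port = ({"www": 80, "https": 443}.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else None
        aces.append((t[3], t[4], src, dst, port))  # (action, protocol, src, dst, dport)
    return aces

def permits(aces, proto, src, dst, dport=None):
    """First matching entry decides; falling off the end is the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, a_src, a_dst, port in aces:
        if p in (proto, "ip") and s in a_src and d in a_dst and port in (None, dport):
            return action == "permit"
    return False

# Constructed excerpt of the poster's DMZ ACL: the server is the *source*, so it only describes outbound flows
DMZ_ACL = """
access-list tsb-dmz extended permit icmp host 192.168.30.10 any
access-list tsb-dmz extended permit tcp host 192.168.30.10 any eq www
"""
# Constructed outside ACL in the shape the reply suggests; 203.0.113.10 is a placeholder global (NAT) address
OUTSIDE_ACL = """
access-list outside-acl extended permit tcp host 74.125.45.83 host 203.0.113.10 eq 443
access-list outside-acl extended permit tcp host 74.125.45.17 host 203.0.113.10 eq 443
access-list outside-acl extended permit icmp host 74.125.45.17 host 203.0.113.10
"""

def check_inbound():
    dmz, out = parse_acl(DMZ_ACL), parse_acl(OUTSIDE_ACL)
    return {
        "dmz_acl_https": permits(dmz, "tcp", "74.125.45.83", "192.168.30.10", 443),   # False
        "outside_acl_https": permits(out, "tcp", "74.125.45.83", "203.0.113.10", 443),  # True
        "outside_acl_ping": permits(out, "icmp", "74.125.45.17", "203.0.113.10"),       # True
        "outside_acl_stranger": permits(out, "tcp", "198.51.100.9", "203.0.113.10", 443),  # False
    }
```

The outside ACL still has to be bound with `access-group outside-acl in interface outside` and paired with the `static` translation for the server before the PIX will consult it.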

I'll try this

Thanks
