10-31-2009 09:32 AM - edited 03-11-2019 09:35 AM
I am trying to create an access rule in the DMZ on a PIX 515E to one server in the DMZ (192.168.30.10) from two different IPs:
74.125.45.83
74.125.45.17
From these two IPs I want to permit https & ping traffic only. This is where I'm running into a problem.
[code]
access-list tsb-dmz extended permit icmp host 192.168.30.10 any
access-list tsb-dmz extended permit tcp host 192.168.30.10 any eq www
access-list tsb-dmz extended permit tcp host 192.168.30.10 any object-group DM_INLINE_TCP_1
access-list tsb-dmz extended permit tcp host 192.168.30.10 host 192.168.2.19 object-group SQL1433
access-list tsb-dmz extended permit tcp object-group DM_INLINE_NETWORK_2 host 64.4.33.7 eq https
access-list tsb-dmz extended permit ip any any inactive
access-list tsb-dmz extended permit object-group DM_INLINE_SERVICE_1 host 192.168.30.10 host 192.168.2.19
access-list tsb-dmz extended permit icmp any host 64.4.33.7
[/code]
The traffic is not coming through. What do I need to do?
10-31-2009 10:43 AM
What are the global ip addresses for the server?
Are the users going to be coming from the outside?
Then you need to manipulate the outside ACL and maybe change the translation if the server is not translated.
You will need something like
[code]
access-l outside-acl permit tcp h 74.125.45.83 h
access-l outside-acl permit tcp h 74.125.45.17 h
access-l outside-acl permit icmp h 74.125.45.83 h
access-l outside-acl permit icmp h 74.125.45.17 h
static (dmz,outside)
[/code]
I hope it helps.
PK
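Worked example of the fix PK is pointing at, added here as an illustration and not taken from either post. The tsb-dmz list the original poster quoted has 192.168.30.10 as the source of every line, so (going by its name and contents) it is bound on the dmz interface and only governs traffic the server itself originates. Connections arriving from the two Internet hosts are evaluated on the outside interface instead, and on PIX 7.x an inbound ACL on outside matches the translated (public) address, so the server also needs a static translation. The public address 203.0.113.10, the interface name "outside", and the object-group and ACL names used below are assumptions; substitute the real values.

```cisco
! Added example, not configuration from the original thread.
! ASSUMED: the server's public (global) address is 203.0.113.10 and the
! Internet-facing interface is named "outside".

! 1. Publish the DMZ server on a public address. Without this translation
!    the outside ACL has nothing to match on a pre-8.3 PIX/ASA, because the
!    inbound ACL is evaluated against the mapped (public) address.
static (dmz,outside) 203.0.113.10 192.168.30.10 netmask 255.255.255.255

! 2. Group the two permitted source hosts so the ACL stays short and the
!    allowed list can be extended in one place.
object-group network tsb-allowed-sources
 network-object host 74.125.45.83
 network-object host 74.125.45.17

! 3. Inbound ACL on the outside interface: HTTPS and ICMP echo only.
!    Restricting ICMP to "echo" rather than all of icmp gives exactly
!    "ping" and nothing more (no redirects, no timestamp requests, etc.).
access-list outside-acl extended permit tcp object-group tsb-allowed-sources host 203.0.113.10 eq https
access-list outside-acl extended permit icmp object-group tsb-allowed-sources host 203.0.113.10 echo
! An implicit deny already follows; an explicit logged deny records what is dropped.
access-list outside-acl extended deny ip any any log

! 4. Bind the list inbound on outside. This replaces whatever ACL is already
!    applied there, so merge with existing rules rather than overwriting them.
access-group outside-acl in interface outside

! 5. Optional hardening: make ICMP stateful, so only the echo-reply that
!    matches a permitted echo is allowed back out, instead of relying on the
!    broad "permit icmp host 192.168.30.10 any" in the DMZ list.
policy-map global_policy
 class inspection_default
  inspect icmp
```

After applying it, check that the translation exists with `show xlate` and that the ACL lines accumulate hits while a test connection runs with `show access-list outside-acl`; a permit line whose hit count stays at zero usually means the traffic is matching a different address (no translation, or the wrong public IP) rather than being filtered.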
10-31-2009 01:07 PM
I'll try this
Thanks