permitting traffic through pix 501

Sep 16th, 2003

I have a class C network, 192.168.1.0/24.

I have several web, FTP and mail servers on 192.168.1.100 - 180.

I also have two DNS servers, 192.168.1.35 and 192.168.1.45.

The problem is that I need to allow traffic from the outside to these web servers; each host is a different server. How do I do this without having to enter the different static and access-list commands?

For example:

static (inside,outside) 10.0.0.100 192.168.1.100 netmask 255.255.255.255
access-list in permit tcp any host 10.0.0.100 eq www
access-list in permit tcp any host 10.0.0.100 eq smtp
access-list in permit tcp any host 10.0.0.100 eq ftp


I do not want to do this for 255 addresses; that would be crazy.

Please help.


gfullage (Cisco Employee) Tue, 09/16/2003 - 21:18

You pretty much do have to do it for all addresses, but it's easier if you can group them together. If you need to do it for all 255 addresses then it's easy, just do:

static (inside,outside) 10.0.0.0 192.168.1.0 netmask 255.255.255.0
access-list in permit tcp any 10.0.0.0 255.255.255.0 eq www
access-list in permit tcp any 10.0.0.0 255.255.255.0 eq smtp
access-list in permit tcp any 10.0.0.0 255.255.255.0 eq ftp


If you only need to do it for 100-180 then it gets a little more difficult, as you have to group these together but with subnet masking it gets difficult.


Also I would recommend using an object group for the protocols in the access-list as follows:

object-group service allowed_prots tcp
  port-object eq ftp
  port-object eq www
  port-object eq smtp

access-list in permit tcp any host x.x.x.x object-group allowed_prots


This'll save two access-list lines per host. See http://www.cisco.com/warp/public/707/pix_obj_grp.html for details.


jcajuste Wed, 09/17/2003 - 03:29

Thanks for the object group, but I still have to do it for each address.

Use netblocks:


192.168.10.100 255.255.255.252 (covers 192.168.10.100 through 103)

192.168.10.104 255.255.255.248 (covers 192.168.10.104 through 111)

192.168.10.112 255.255.255.240 (covers 192.168.10.112 through 127)

192.168.10.128 255.255.255.224 (covers 192.168.10.128 through 159)

192.168.10.160 255.255.255.240 (covers 192.168.10.160 through 175)

192.168.10.176 255.255.255.252 (covers 192.168.10.176 through 179)

192.168.10.180 255.255.255.255

Those statements will cover all of your IP address space for your servers.
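The netblock split above and the object-group approach from the earlier reply can be generated rather than worked out by hand. The following is an added example, not code from the thread or from Cisco: it summarizes an inclusive server range into the fewest aligned blocks and emits the matching PIX `static` and `access-list` lines, refusing any mapping where the outside block would not align the same way as the inside block (the case a net static silently gets wrong). The range, the 10.0.0.x outside addresses and the `allowed_prots` group name are the thread's values; the function names are this example's own.

```python
import ipaddress

# Constructed values taken from the thread: inside servers 192.168.1.100-180
# published as 10.0.0.100-180. Keeping the same host octet on both sides is
# what makes every inside block align with its outside block.
INSIDE_FIRST, INSIDE_LAST = "192.168.1.100", "192.168.1.180"
OUTSIDE_FIRST = "10.0.0.100"
GROUP = "allowed_prots"            # object-group name from the thread
PORTS = ("ftp", "www", "smtp")     # only the services that must be exposed


def summarize(first, last):
    """Split an inclusive IPv4 range into the fewest aligned subnet blocks."""
    return list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))


def pix_config(inside_first, inside_last, outside_first, group, ports):
    """Emit object-group, net static and ACL lines for each summarized block.

    Raises ValueError if an outside block is not aligned on the same
    boundary as its inside block, since a net static cannot express that.
    """
    offset = (int(ipaddress.IPv4Address(outside_first))
              - int(ipaddress.IPv4Address(inside_first)))
    lines = [f"object-group service {group} tcp"]
    lines += [f"  port-object eq {p}" for p in ports]
    for net in summarize(inside_first, inside_last):
        outside_addr = ipaddress.IPv4Address(int(net.network_address) + offset)
        # strict=True rejects an outside address with host bits set for this prefix
        outside_net = ipaddress.IPv4Network(
            f"{outside_addr}/{net.prefixlen}", strict=True)
        mask = net.netmask
        lines.append(f"static (inside,outside) {outside_addr} "
                     f"{net.network_address} netmask {mask}")
        # A /32 uses the 'host' keyword; larger blocks use address + mask.
        dst = (f"host {outside_addr}" if net.prefixlen == 32
               else f"{outside_net.network_address} {mask}")
        lines.append(f"access-list in permit tcp any {dst} object-group {group}")
    return lines


if __name__ == "__main__":
    print("\n".join(pix_config(INSIDE_FIRST, INSIDE_LAST, OUTSIDE_FIRST,
                               GROUP, PORTS)))
```

For the thread's range the generator produces the same seven blocks the reply lists (/30, /29, /28, /27, /28, /30, /32), so 7 statics and 7 ACL lines instead of 81 of each; the DNS servers at .35 and .45 are left out of the range and get no exposure.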


jcajuste Wed, 09/17/2003 - 07:31

Thank you, but forgive me for not being so bright.

Will the PIX know to translate 10.0.0.100 to 192.168.10.100?


