
permitting traffic through pix 501

jcajuste
Level 1

I have a class C network: 192.168.1.0/24.

I have several web, FTP and mail servers, 192.168.1.100 - 180.

I also have two DNS servers, 192.168.1.35 and 192.168.1.45.

The problem is that I need to allow traffic from the outside to these web servers; each host is a different server. How do I do this without having to enter the different static and access-list commands?

For example:

static (inside,outside) 10.0.0.100 192.168.1.100 netmask 255.255.255.255

access-list in permit tcp any host 10.0.0.100 eq www

access-list in permit tcp any host 10.0.0.100 eq smtp

access-list in permit tcp any host 10.0.0.100 eq ftp

I do not want to do this for 255 addresses; that would be crazy.

Please help.

4 Replies

gfullage
Cisco Employee

You pretty much do have to do it for all addresses, but it's easier if you can group them together. If you need to do it for all 255 addresses then it's easy; just do:

static (inside,outside) 10.0.0.0 192.168.1.0 netmask 255.255.255.0

access-list in permit tcp any 10.0.0.0 255.255.255.0 eq www

access-list in permit tcp any 10.0.0.0 255.255.255.0 eq smtp

access-list in permit tcp any 10.0.0.0 255.255.255.0 eq ftp

If you only need to do it for 100-180 then it gets a little more difficult, as you have to group these together but with subnet masking it gets difficult.

Also I would recommend using an object group for the protocols in the access-list as follows:

object-group service allowed_prots tcp

port-object eq ftp

port-object eq www

port-object eq smtp

access-list in permit tcp any host x.x.x.x object-group allowed_prots

This'll save two access-list lines per host. See http://www.cisco.com/warp/public/707/pix_obj_grp.html for details.

Thanks for the object group, but I still have to do it for each address.

Use netblocks:

192.168.10.100 255.255.255.252 (covers 192.168.10.100 through 103)

192.168.10.104 255.255.255.248 (covers 192.168.10.104 through 111)

192.168.10.112 255.255.255.240 (covers 192.168.10.112 through 127)

192.168.10.128 255.255.255.224 (covers 192.168.10.128 through 159)

192.168.10.160 255.255.255.240 (covers 192.168.10.160 through 175)

192.168.10.176 255.255.255.252 (covers 192.168.10.176 through 179)

192.168.10.180 255.255.255.255

Those statements will cover all of your IP address space for your servers.
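As an added example (not part of this thread), the script below generalizes the netblock idea from the reply above: it splits any host range into the fewest CIDR-aligned blocks and emits the matching PIX static and access-list lines, so only the server range is exposed instead of the whole /24. The 10.0.0.0/24 outside network, the object-group name and the port list are assumed from the earlier posts; the host range 100-180 is the one in the question.

```python
import ipaddress
from typing import List

# Constructed example: turn a contiguous range of inside server addresses
# into aligned netblocks and the PIX 6.x static/access-list lines for them.


def range_to_blocks(first: str, last: str) -> List[ipaddress.IPv4Network]:
    """Fewest aligned netblocks that exactly cover the inclusive range first..last."""
    return list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))


def pix_config(inside_net: str, outside_net: str, first_host: int, last_host: int,
               ports=("ftp", "www", "smtp"), acl="in", group="allowed_prots") -> List[str]:
    """Emit object-group, static and access-list lines covering hosts first..last."""
    inside = ipaddress.IPv4Network(inside_net)
    outside = ipaddress.IPv4Network(outside_net)
    # Same prefix length on both sides keeps every inside block aligned on the
    # outside as well, which the static command requires.
    if inside.prefixlen != outside.prefixlen:
        raise ValueError("inside and outside networks must have the same prefix length")
    if not 0 <= first_host <= last_host < inside.num_addresses:
        raise ValueError("host range must lie inside the inside network")

    first = inside.network_address + first_host
    last = inside.network_address + last_host
    lines = [f"object-group service {group} tcp"]
    lines += [f" port-object eq {p}" for p in ports]

    for block in ipaddress.summarize_address_range(first, last):
        # Preserve the host offset so 192.168.1.100 maps to 10.0.0.100, etc.
        offset = int(block.network_address) - int(inside.network_address)
        out_addr = outside.network_address + offset
        mask = block.netmask
        lines.append(f"static (inside,outside) {out_addr} {block.network_address} "
                     f"netmask {mask}")
        # The access-list is written against the translated (outside) address.
        if block.prefixlen == 32:
            lines.append(f"access-list {acl} permit tcp any host {out_addr} "
                         f"object-group {group}")
        else:
            lines.append(f"access-list {acl} permit tcp any {out_addr} {mask} "
                         f"object-group {group}")
    return lines


if __name__ == "__main__":
    print("\n".join(pix_config("192.168.1.0/24", "10.0.0.0/24", 100, 180)))
```

For 100-180 this yields the same seven blocks as the reply above (/30, /29, /28, /27, /28, /30, /32), so 14 static and access-list lines replace 81 statics and 243 access-list entries.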

Thank you, but forgive me for not being so bright.

Will the PIX know to translate 10.0.0.100 to 192.168.10.100?
