09-16-2003 06:32 PM - edited 02-20-2020 10:59 PM
I have a class C network, 192.168.1.0/24.
I have several web, FTP and mail servers at 192.168.1.100 - 180.
I also have two DNS servers, 192.168.1.35 and 192.168.1.45.
The problem is that I need to allow traffic from the outside to these web servers; each host is a different server. How do I do this without having to enter the different static and access-list commands for each one?
For example:
static (inside,outside) 10.0.0.100 192.168.1.100 netmask 255.255.255.255
access-list in permit tcp any host 10.0.0.100 eq www
access-list in permit tcp any host 10.0.0.100 eq smtp
access-list in permit tcp any host 10.0.0.100 eq ftp
I do not want to do this for 255 addresses; that would be crazy.
Please help.
09-16-2003 09:18 PM
You pretty much do have to do it for all addresses, but it's easier if you can group them together. If you need to do it for all 255 addresses then it's easy, just do:
static (inside,outside) 10.0.0.0 192.168.1.0 netmask 255.255.255.0
access-list in permit tcp any 10.0.0.0 255.255.255.0 eq www
access-list in permit tcp any 10.0.0.0 255.255.255.0 eq smtp
access-list in permit tcp any 10.0.0.0 255.255.255.0 eq ftp
If you only need to do it for 100-180 then it gets a little more difficult, as you have to group these together, and with subnet masking that gets awkward.
Also I would recommend using an object group for the protocols in the access-list as follows:
object-group service allowed_prots tcp
port-object eq ftp
port-object eq www
port-object eq smtp
access-list in permit tcp any host x.x.x.x object-group allowed_prots
This'll save two access-list lines per host. See http://www.cisco.com/warp/public/707/pix_obj_grp.html for details.
09-17-2003 03:29 AM
Thanks for the object group, but I still have to do it for each address.
09-17-2003 04:43 AM
Use netblocks:
192.168.10.100 255.255.255.252 (covers 192.168.10.100 through 103)
192.168.10.104 255.255.255.248 (covers 192.168.10.104 through 111)
192.168.10.112 255.255.255.240 (covers 192.168.10.112 through 127)
192.168.10.128 255.255.255.224 (covers 192.168.10.128 through 159)
192.168.10.160 255.255.255.240 (covers 192.168.10.160 through 175)
192.168.10.176 255.255.255.252 (covers 192.168.10.176 through 179)
192.168.10.180 255.255.255.255
Those statements will cover all of the IP address space for your servers.
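The netblock split above, combined with the object-group ACL from the earlier reply, as an added worked example (this is not code from the thread or from Cisco). It assumes the original poster's numbers: inside network 192.168.1.0/24 mapped one-to-one onto the 10.0.0.0/24 outside block implied by the first static line, servers .100 through .180, and TCP ftp/www/smtp. The greedy split reproduces the seven hand-computed blocks for that range (and is checked against the standard library), a net static keeps the host bits so 192.168.1.100 comes out as 10.0.0.100, and the generator emits one static plus one access-list entry per block instead of one per host. The closing access-group line, which applies the ACL to the outside interface, is not shown in the thread but is needed for the ACL to take effect.

```python
import ipaddress

# Constructed inputs taken from the thread: the inside server range and the
# inside/outside networks the statics map between (10.0.0.0/24 is assumed
# from the poster's first static line).
INSIDE_NET = ipaddress.IPv4Network("192.168.1.0/24")
OUTSIDE_NET = ipaddress.IPv4Network("10.0.0.0/24")
INSIDE_FIRST = ipaddress.IPv4Address("192.168.1.100")
INSIDE_LAST = ipaddress.IPv4Address("192.168.1.180")
PORTS = ("ftp", "www", "smtp")


def summarize_range(first, last):
    """Split the inclusive range [first, last] into the fewest aligned CIDR
    blocks, the way the netblock reply does by hand: at each step take the
    largest power-of-two block that starts exactly at the current address
    (the address must be a multiple of the block size) and still fits."""
    blocks = []
    cur, end = int(first), int(last)
    while cur <= end:
        size = 1
        while cur % (size * 2) == 0 and cur + size * 2 - 1 <= end:
            size *= 2
        prefix = 33 - size.bit_length()      # size=4 -> /30, size=1 -> /32
        blocks.append(ipaddress.IPv4Network((cur, prefix)))
        cur += size
    return blocks


def matches_stdlib(first, last):
    """Cross-check the hand-rolled split against the standard library."""
    return summarize_range(first, last) == list(
        ipaddress.summarize_address_range(first, last))


def outside_for_inside(inside_ip):
    """A net static (netmask shorter than /32) translates one-to-one and
    keeps the host bits, so 192.168.1.100 becomes 10.0.0.100."""
    if inside_ip not in INSIDE_NET:
        raise ValueError(f"{inside_ip} is not in {INSIDE_NET}")
    host_bits = int(inside_ip) - int(INSIDE_NET.network_address)
    return ipaddress.IPv4Address(int(OUTSIDE_NET.network_address) + host_bits)


def pix_config(first=INSIDE_FIRST, last=INSIDE_LAST, ports=PORTS):
    """Emit the PIX lines: one service object-group, then one static and
    one access-list entry per netblock, then the access-group that applies
    the ACL to the outside interface (not shown in the thread)."""
    lines = ["object-group service allowed_prots tcp"]
    lines += [f"  port-object eq {p}" for p in ports]
    for blk in summarize_range(first, last):
        glob = outside_for_inside(blk.network_address)
        lines.append(f"static (inside,outside) {glob} {blk.network_address} "
                     f"netmask {blk.netmask}")
        # 'host x' is only valid for a single address; larger blocks need
        # an explicit mask in the ACL
        dst = f"host {glob}" if blk.prefixlen == 32 else f"{glob} {blk.netmask}"
        lines.append(f"access-list in permit tcp any {dst} object-group allowed_prots")
    lines.append("access-group in in interface outside")
    return lines


if __name__ == "__main__":
    print("\n".join(pix_config()))
```

Running it prints 19 lines: the object-group, seven statics and seven ACL entries covering .100 through .180, and the access-group. Feed it a full .0 to .255 range and it collapses to the single /24 static from the first reply.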
09-17-2003 07:31 AM
Thank you, but forgive me for not being so bright.
Will the PIX know to translate 10.0.0.100 to 192.168.10.100?