PIX Firewall Configuration

Jan 18th, 2007

Gurus,

I have a question here. Let's say there is one router (18.10.3.2) connected to the 18.10.3.1 PIX FW interface, and the 172.1.1.0/24 network needs to come in to 18.10.3.10/24 (SAP Server) from the router (routing: 0.0.0.0 0.0.0.0 18.10.3.1).

How do I apply a permit list on the PIX inside interface?

Am I supposed to apply it on the 18.10.3.1 (inside) interface?

Thanks!


vijayasankar Fri, 01/19/2007 - 00:27

Hi Cindy,


Where is the network 172.1.1.0/24? Is it outside your PIX?

If so, you need to apply the ACL on the outside interface of the PIX, in the incoming direction:

access-group outside_acl in interface outside

In your ACL outside_acl, you need to allow the segment 172.1.1.0/24 to access 18.10.3.10:

access-list outside_acl permit ip 172.1.1.0 255.255.255.0 host 18.10.3.10

This ACL will allow IP-level access to the SAP server from the segment 172.1.1.0/24.

Ideally you should be allowing only the relevant TCP port from 172.1.1.0/24 to your SAP server.


Revert back to us if you need further clarification.

Hope this helps. Kindly rate the post if it was helpful.


-VJ


cindylee27 Fri, 01/19/2007 - 00:34

Thanks Vijay,

The network (172.1.1.0/24) comes to the PIX inside interface (18.10.3.1), but is destined to 18.10.3.10 (SAP Server), which resides on the inside interface VLAN.

So, I am not too sure if the traffic will flow in to the firewall, as the route is to go to the firewall first, before going to the 18.10.3.10 SAP Server.


Thanks,


vijayasankar Fri, 01/19/2007 - 00:50

Hi Cindy,


Kindly clarify your setup.

Where is the segment 172.1.1.0/24 located physically?

Is it residing behind the inside interface of your firewall, and you want to protect access to the SAP server from this segment?

This is not a good design.

As the source and destination segments are both in your inside network, you cannot make this traffic pass through the firewall (unless you are using VLAN segmentation of zones in your firewall, which I suppose is not the case in your setup).

What do you want to achieve?

If you want firewall protection for the SAP server from the 172.1.1.0/24 segment, then you need to redesign the way in which your firewall is deployed.

If you don't want firewall protection for the SAP server from the 172.1.1.0/24 segment, then you need to check the way routing is configured from the 172.1.1.0/24 segment to the SAP server and make the necessary changes, so that traffic from the 172.1.1.0/24 segment reaches the SAP server without passing through the firewall.

Kindly revert back to us with more details on your setup/requirement, if the above explanation doesn't apply to your network/needs.

Hope this helps.


-VJ
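As an added illustration of the two points VJ makes above (the inbound access-list/access-group pairing in the first reply, and the observation in the last reply that traffic between two segments behind the same interface never passes through the PIX), here is a small Python model. It is constructed for this thread and is not Cisco code or a Cisco tool. The ACL names outside_ip and outside_acl, TCP port 3200 standing in for "the relevant TCP port", and the two route tables are assumptions: 172.1.1.0/24 is placed either beyond the default route (outside) or behind the 18.10.3.2 router on the inside VLAN, as the poster describes.

```python
"""Toy model of PIX inbound ACL matching and of the question 'does this flow
cross the firewall at all?'. Constructed example for this thread; not a Cisco tool."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Ace:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None      # set only when the line ends in 'eq PORT'


def _parse_addr(t, i):
    """Parse 'any' | 'host A' | 'A MASK' at t[i]; return (network, next index).
    PIX access-list lines take a real subnet mask, not an IOS wildcard mask."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2


def parse_config(lines):
    """Return (acls, groups): acls maps ACL name -> [Ace]; groups maps interface ->
    ACL name, taken from 'access-group NAME in interface IF' lines."""
    acls, groups = {}, {}
    for line in lines:
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list":
            name, action, proto = t[1], t[2], t[3]
            src, i = _parse_addr(t, 4)
            dst, i = _parse_addr(t, i)
            dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
            acls.setdefault(name, []).append(Ace(action, proto, src, dst, dport))
        elif t[0] == "access-group" and t[2] == "in":
            groups[t[4]] = t[1]
    return acls, groups


def evaluate(aces, proto, src, dst, dport=None):
    """First matching entry wins; an ACL with no match ends in the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in aces:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"


def interface_facing(routes, ip):
    """Longest-prefix lookup in {network: interface}; routes must contain a default."""
    a = ipaddress.ip_address(ip)
    best = max((n for n in routes if a in n), key=lambda n: n.prefixlen)
    return routes[best]


def flow_decision(routes, acls, groups, proto, src, dst, dport=None):
    """'not-via-firewall' when source and destination are behind the same PIX
    interface (no access-group is ever consulted); otherwise the ingress ACL verdict."""
    ingress = interface_facing(routes, src)
    if ingress == interface_facing(routes, dst):
        return "not-via-firewall"
    return evaluate(acls.get(groups.get(ingress), []), proto, src, dst, dport)


def make_routes(table):
    return {ipaddress.ip_network(k): v for k, v in table.items()}


# Constructed config: the thread's IP-level line and a port-restricted variant.
# TCP/3200 stands in for the 'relevant TCP port' (assumed, not from the thread).
CONFIG = [
    "access-list outside_ip permit ip 172.1.1.0 255.255.255.0 host 18.10.3.10",
    "access-list outside_acl permit tcp 172.1.1.0 255.255.255.0 host 18.10.3.10 eq 3200",
    "access-group outside_acl in interface outside",
]
# Scenario A (first reply): 172.1.1.0/24 is reached via the default route, i.e. outside.
ROUTES_OUTSIDE = make_routes({"18.10.3.0/24": "inside", "0.0.0.0/0": "outside"})
# Scenario B (poster's setup): 172.1.1.0/24 sits behind router 18.10.3.2 on the inside VLAN.
ROUTES_INSIDE = make_routes({"18.10.3.0/24": "inside", "172.1.1.0/24": "inside",
                             "0.0.0.0/0": "outside"})

if __name__ == "__main__":
    acls, groups = parse_config(CONFIG)
    print(evaluate(acls["outside_ip"], "tcp", "172.1.1.5", "18.10.3.10", 22))    # permit
    print(evaluate(acls["outside_acl"], "tcp", "172.1.1.5", "18.10.3.10", 22))   # deny
    print(flow_decision(ROUTES_OUTSIDE, acls, groups, "tcp", "172.1.1.5", "18.10.3.10", 3200))
    print(flow_decision(ROUTES_INSIDE, acls, groups, "tcp", "172.1.1.5", "18.10.3.10", 3200))
```

The port-restricted outside_acl denies anything other than the one TCP port, which is the tightening VJ recommends over the IP-level line; and with the inside route table, flow_decision never reaches the ACL at all, because the PIX only applies an access-group to packets that enter one interface and leave by another.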