Most organizations need to allow untrusted hosts access to some resources in their trusted network. A common example is an internal web server. By default, the PIX denies connections initiated from a lower-security (outside) interface to hosts on a higher-security (inside) interface. To allow such a connection when NAT control is enabled, use the static command together with the access-list and access-group commands. When NAT control is disabled and no translation is performed, only the access-list and access-group commands are required.
Apply ACLs to interfaces with the access-group command. This command binds the ACL to an interface and a direction, so that only traffic flowing through that interface in that direction is examined against it.
In contrast to the nat and global commands, which only allow inside hosts out, the static command creates a two-way translation that allows inside hosts out and, once the proper ACL is applied with access-group, outside hosts in.
In the PAT configuration examples shown in this document, the global address is shared by potentially thousands of inside hosts, so a connection from an outside host to that global address cannot be directed to one particular inside host. The static command, by contrast, creates a one-to-one mapping. The access-list command defines what type of connection is allowed to an inside host and is always required when a lower-security host connects to a higher-security host. It matches on both protocol and port and can be as permissive or as restrictive as the system administrator needs.
The network diagram in this document illustrates the use of these commands in order to configure the PIX to allow any untrusted hosts to connect to the inside web server, and allow untrusted host 192.168.1.1 access to an FTP service on the same machine.
Use ACLs on PIX Versions 7.0 and Later
Complete these steps for PIX software versions 7.0 and later with the use of ACLs.
If NAT control is enabled, define a static address translation for the inside web server to an outside/global address.
static (inside, outside) 172.16.1.16 10.16.1.16
Define which hosts can connect on which ports to your web/FTP server.
access-list 101 permit tcp any host 172.16.1.16 eq www
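The complete configuration for the scenario described above, as an added example rather than the page's own listing. It assumes the addresses named in the text (inside web/FTP server 10.16.1.16, its global address 172.16.1.16, untrusted FTP client 192.168.1.1), interface names inside and outside, NAT control enabled, and PIX 7.x syntax in which the ACL references the translated (global) address:

```cisco
! Added example; addresses are taken from the text, NAT control is assumed enabled.
! One-to-one translation: global 172.16.1.16 on outside <-> real 10.16.1.16 on inside.
static (inside,outside) 172.16.1.16 10.16.1.16 netmask 255.255.255.255
! Any outside host may reach the web server on TCP/80 (www).
access-list 101 permit tcp any host 172.16.1.16 eq www
! Only the untrusted host 192.168.1.1 may reach the FTP control port on the same server.
access-list 101 permit tcp host 192.168.1.1 host 172.16.1.16 eq ftp
! Bind the ACL inbound on the outside interface; everything not permitted above is dropped
! by the implicit deny at the end of the list.
access-group 101 in interface outside
```

If NAT control is disabled and no translation is performed, omit the static command and write the two access-list lines against the server's real address 10.16.1.16 instead; the access-group command is unchanged. After applying the configuration, generate a test connection from an outside host and check that the hit counts on show access-list 101 increment for the intended line only; a permit line that never increments usually means the ACL references the wrong address (real instead of global, or vice versa) or is bound to the wrong interface or direction.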