12-11-2007 01:50 AM - edited 03-11-2019 04:41 AM
Hello All,
I have a PIX 506e v6.3. I need to provide outside access to port 80 and port 3389 on one inside client and access to port 1433 on another client. I've come up with access lists something like this: (12.12.12.12 is the outside interface on the pix and 24.24.24.24 is a remote location I want to have access)
access-list 110 permit tcp host 192.168.99.95 host 12.12.12.12 eq www
access-list 110 permit tcp host 192.168.99.94 host 12.12.12.12 eq 1433
access-list 110 permit tcp host 192.168.99.95 host 24.24.24.24 eq 3389
access-group 110 in interface outside
static (inside,outside) 12.12.12.12 192.168.99.95 netmask 255.255.255.255
static (inside,outside) 12.12.12.12 192.168.99.94 netmask 255.255.255.255
Thanks
12-11-2007 01:58 AM
Do you want a remote location (24.24.24.24) to access your inside client (12.12.12.12)?
If you want to access remote location (24.24.24.24) from inside client (12.12.12.12), you don't need ACLs, if your default config is not filtered with inside_access_in.
12-11-2007 02:31 AM
12.12.12.12 is the outside interface on the pix.
12-11-2007 03:05 AM
Would you please rephrase your situation by using "from" and "to"?
btw you can't one-to-one map 1 IP to two hosts
static (inside,outside) 12.12.12.12 192.168.99.95 netmask 255.255.255.255
static (inside,outside) 12.12.12.12 192.168.99.94 netmask 255.255.255.255
And you can't map interface IP like that. I will start posting as I correctly understand the issue.
Regards
12-11-2007 03:14 AM
ok
I need to go from outside any to inside 192.168.99.95 eq www
I need to go from outside any to inside 192.168.99.94 eq 1433
and last from outside 24.24.24.24 to inside 192.168.99.95 eq 3389
thanks
12-11-2007 04:35 AM
Hi Ed
Here is what you need
static (inside,outside) tcp interface www 192.168.99.95 www netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.99.95 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 1433 192.168.99.94 1433 netmask 255.255.255.255
access-list outside_access_in permit tcp any interface outside eq www
access-list outside_access_in permit tcp any interface outside eq 1433
access-list outside_access_in permit tcp host 24.24.24.24 interface outside eq 3389
access-group outside_access_in in interface outside
Regards
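An added example, not part of the original thread: a small Python check run over the two configurations quoted above. The helper name `audit` and its two rules are assumptions of this example; it flags a global IP mapped one-to-one to more than one inside host and ACL entries whose source is an inside address, then lists which outside source each port redirect exposes to which inside host.

```python
import re

# Constructed from the configs quoted in this thread (question, then accepted answer).
QUESTION = """\
access-list 110 permit tcp host 192.168.99.95 host 12.12.12.12 eq www
access-list 110 permit tcp host 192.168.99.94 host 12.12.12.12 eq 1433
access-list 110 permit tcp host 192.168.99.95 host 24.24.24.24 eq 3389
static (inside,outside) 12.12.12.12 192.168.99.95 netmask 255.255.255.255
static (inside,outside) 12.12.12.12 192.168.99.94 netmask 255.255.255.255
"""
ANSWER = """\
static (inside,outside) tcp interface www 192.168.99.95 www netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.99.95 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 1433 192.168.99.94 1433 netmask 255.255.255.255
access-list outside_access_in permit tcp any interface outside eq www
access-list outside_access_in permit tcp any interface outside eq 1433
access-list outside_access_in permit tcp host 24.24.24.24 interface outside eq 3389
"""

STATIC = re.compile(r"static \(inside,outside\) (?:(?:tcp|udp) (\S+) (\S+) (\S+) \S+|(\S+) (\S+)) netmask")
ACL = re.compile(r"access-list \S+ permit (?:tcp|udp) (any|host \S+) (any|host \S+|interface \S+) eq (\S+)")

def audit(cfg):
    """Hypothetical helper: returns (findings, exposure) for a PIX 6.3-style fragment."""
    one_to_one, redirects, acls, findings, exposure = {}, {}, [], [], []
    for line in cfg.splitlines():
        if m := STATIC.match(line):
            gaddr, gport, local, g1, l1 = m.groups()
            if gaddr:                      # port redirect: global addr/port -> inside host
                redirects[(gaddr, gport)] = local
            else:                          # one-to-one: whole global IP -> one inside host
                one_to_one.setdefault(g1, set()).add(l1)
        elif m := ACL.match(line):
            acls.append(m.groups())
    for g, hosts in sorted(one_to_one.items()):
        if len(hosts) > 1:
            findings.append(f"{g} is one-to-one mapped to {len(hosts)} inside hosts")
    inside = set(redirects.values()).union(*one_to_one.values())
    for src, dst, port in acls:
        if src.split()[-1] in inside:      # inbound ACL on outside must name the outside peer
            findings.append(f"ACL source {src} is an inside address")
        gaddr = "interface" if dst.startswith("interface") else dst.split()[-1]
        if (gaddr, port) in redirects:     # permit that lines up with a port redirect
            exposure.append((src, port, redirects[(gaddr, port)]))
    return findings, exposure
```

On the answer's configuration the exposure list shows port 1433 on 192.168.99.94 and www on 192.168.99.95 reachable from `any`, while 3389 is limited to 24.24.24.24, matching what was asked for in the thread.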
12-11-2007 06:03 AM
Thank You, Thank You, Thank You, You are most Excelante'! - Ed
12-11-2007 06:06 AM
You are welcome