
New Member

Help with PIX configuration

I need to open ports on the firewall for the following:

Port 80 from IP 172.16.1.20 (in DMZ) to 195.118.216.163 (internal network)

Port 1433 from IP 172.16.1.20 (in DMZ) to 195.118.216.163 (internal network)

I also need to label the ports, i.e. 1433 SQL and HTTP 80, and specify a name for the rule, i.e. "Gateway to Swordfish Claims communication", if possible, so we can keep track of the rules.

How do I configure this on a PIX firewall?

8 REPLIES

Re: Help with PIX configuration

access-list dmz2internal extended permit tcp host 172.16.1.20 host 195.1189.216.163 eq 80

access-list dmz2internal extended permit tcp host 172.16.1.20 host 195.1189.216.163 eq 1433

Port 80 will be renamed (in the config) to HTTP and 1422 to SQLNET. I don't think there is a way to change them. For marking what an ACL does, you can add a remark.

access-list dmz2internal extended remark Gateway to Swordfish Claims communication

Hope that helps.

Re: Help with PIX configuration

You configure this in the FW.

You can try something like this.

Create a no-NAT static entry:

static (inside,DMZ) 195.118.216.163 195.118.216.163 netmask 255.255.255.255 0 0

Create an object group for TCP with a description:

object-group service TCP_GW_SWORFISH tcp

description Gateway to Sorfish

port-object eq 1433

port-object eq 80

Then the ACL:

access-list DMZ_access_in remark gateway_to_sorfish

access-list DMZ_access_in permit tcp host 172.16.1.20 host 195.118.216.163 object-group TCP_GW_SWORFISH

access-group DMZ_access_in in interface DMZ

New Member

Re: Help with PIX configuration

Do I need to create an object group for this on the PIX?

Re: Help with PIX configuration

Either way will work.

New Member

Re: Help with PIX configuration

When I try to enter this ACL, it gives me the error "invalid hostname".

access-list dmz2internal extended remark Gateway to Swordfish Claims communication

access-list dmz2internal extended permit tcp host 172.16.1.20 host 195.1189.216.163 eq 80

access-list dmz2internal extended permit tcp host 172.16.1.20 host 195.1189.216.163 eq 1433

Re: Help with PIX configuration

Second octet in the second IP, 1189, won't work.

New Member

Re: Help with PIX configuration

It worked, thanks.

Re: Help with PIX configuration

You do not have to create an object group; it is a matter of preference. I like to have object groups segregated, so I group them as such so that I know what I use the group for. Furthermore, creating groups is easy, as you can add more TCP services to them as support for individual ACLs per TCP/UDP port. And I do agree with Collin as well.
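As an added example (not code from this thread or from Cisco), a small Python helper that does the two things the thread turns on: it validates every address that follows "host" before a rule is pushed, which would have caught the mistyped 195.1189.216.163 behind the "invalid hostname" error, and it generates the object-group style rule set from the second answer. Assumed: PIX 7.x/ASA syntax with the extended keyword, a 100-character limit on remark text, and constructed names such as TCP_GW_SWORDFISH and DMZ_access_in.

```python
import ipaddress

# Constructed sample: the two ACL lines as posted in the thread, second IP mistyped.
POSTED_ACL = [
    "access-list dmz2internal extended permit tcp host 172.16.1.20 host 195.1189.216.163 eq 80",
    "access-list dmz2internal extended permit tcp host 172.16.1.20 host 195.1189.216.163 eq 1433",
]

REMARK_MAX = 100  # assumed PIX/ASA limit for 'access-list ... remark' text


def bad_hosts(acl_lines):
    """Return every token following 'host' that is not a valid IPv4 address.
    Running this before pasting config is the check that flags 195.1189.216.163
    (octet 1189 > 255) instead of letting the PIX reject it as 'invalid hostname'."""
    bad = []
    for line in acl_lines:
        toks = line.split()
        for i, tok in enumerate(toks[:-1]):
            if tok == "host":
                try:
                    ipaddress.IPv4Address(toks[i + 1])
                except ValueError:  # AddressValueError is a ValueError subclass
                    bad.append(toks[i + 1])
    return bad


def build_rules(name, description, src, dst, tcp_ports, interface="DMZ"):
    """Emit the object-group style rule set from the thread (assumed PIX 7.x syntax):
    a service group holding the ports, a remark carrying the human-readable name,
    one permit line from the DMZ host to the inside host, and the access-group binding."""
    # Validate and normalise both hosts up front; raises ValueError on a malformed octet.
    src, dst = str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst))
    if len(description) > REMARK_MAX:
        raise ValueError("remark too long")
    group = f"TCP_{name}"          # constructed object-group name
    acl = f"{interface}_access_in"  # constructed ACL name
    lines = [f"object-group service {group} tcp", f" description {description}"]
    lines += [f" port-object eq {p}" for p in sorted(set(tcp_ports))]
    lines += [
        f"access-list {acl} remark {description}",
        f"access-list {acl} extended permit tcp host {src} host {dst} object-group {group}",
        f"access-group {acl} in interface {interface}",
    ]
    return lines


if __name__ == "__main__":
    print("invalid hosts:", bad_hosts(POSTED_ACL))
    print("\n".join(build_rules("GW_SWORDFISH", "Gateway to Swordfish Claims communication",
                                "172.16.1.20", "195.118.216.163", [1433, 80])))
```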
