Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

open specific port for outside public ip using pix from inside

hi, i have a request of providing access for any inside user in pix. So that they can access the public ip 79.125.x.x to the port 3128 or 8080 0r 443 or 80. Although in pix from inside to outside all are accessible.

Below is the configuration we have done for that marked in blue....

PIX Version 7.2(2)
!
hostname
enable password 54KV/iNGn6iowxMX encrypted
names
!
interface Ethernet0
nameif outside
security-level 0
ip address 192.168.18.254 255.255.255.0
!
interface Ethernet1
nameif inside
security-level 100
ip address 172.16.100.2 255.255.255.0
!
interface Ethernet2
shutdown
no nameif
no security-level
no ip address
!
passwd 54KV/iNGn6iowxMX encrypted
ftp mode passive
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit icmp any any source-quench
access-list 101 extended permit icmp any any unreachable
access-list 101 extended permit icmp any any time-exceeded
access-list 101 extended permit tcp host x.x.x.x host 192.168.17.9 eq citrix-ica
access-list 101 extended permit tcp host x.x.x.x host 192.168.17.9 eq 2598
access-list 101 extended permit tcp any host 192.168.17.9 eq 2598
access-list 101 extended permit tcp any host 192.168.17.9 eq citrix-ica

access-list 101 extended permit tcp any host 79.125.8.156 eq 3128
access-list 101 extended permit tcp any host 79.125.8.156 eq 8080

access-list 101 extended permit tcp any 208.87.137.0 255.255.255.0 eq 3128
access-list 101 extended permit tcp any 208.87.137.0 255.255.255.0 eq 8080
access-list 101 extended permit tcp any 208.87.137.0 255.255.255.0 eq www
access-list 101 extended permit tcp any 208.87.137.0 255.255.255.0 eq https

access-list 101 extended permit tcp any interface outside eq 3128
access-list 101 extended permit tcp any interface outside eq https
access-list 101 extended permit tcp any interface outside eq 8080
access-list 101 extended permit tcp any interface outside eq www
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.18.1 1
route inside 192.168.42.0 255.255.255.0 172.16.100.1 1
route inside 192.168.20.0 255.255.255.0 172.16.100.1 1
route inside 175.10.10.0 255.255.255.0 172.16.100.1 1
route inside 170.10.10.0 255.255.255.0 172.16.100.1 1
<--- More --->
route inside 192.168.17.0 255.255.255.0 172.16.100.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
snmp-server host inside 192.168.17.6 community xxxx version 2c
no snmp-server location
no snmp-server contact
snmp-server community xxxxx

snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:0c833b0c4d6d76f063dee0e1680499e2
: end

so pplease let me know whether this configuration is right or wrong ?? or i have missed something.....

Waiting for ur reply ASAP......

1 ACCEPTED SOLUTION

Accepted Solutions
Silver

Re: open specific port for outside public ip using pix from insi

It looks like 79.125.8.156 is some sort of web proxy server/web filtering server.

Are you trying to restrict all users, so that they can only access the proxy server, and nothing else?

If that is the case, then what you need is something like the following;

access-list 102 permit tcp any host 79.125.8.156 eq http
access-list 102 permit tcp any host 79.125.8.156 eq 443
access-list 102 permit tcp any host 79.125.8.156 eq 8080
access-list 102 permit tcp any host 79.125.8.156 eq 3128

access-group 102 in interface inside

With the above configuration, your inside host may have their browser to use the proxy server, and get to browse the internet after authentication.

They will not be able to browse the internet without going through the proxy server. Any other traffic will be denied.

The lines in blue are incorrect as mentioned by Andrew.

If I have misunderstood your intention, it will be best to provide source ip/protocol/port  and destination ip/protocol/port of the traffic you want to pass though the pix. And some clarification of the host 79.125.8.156 is supposed to do, and what the subnet 208.87.137.0 255.255.255.0 represent

6 REPLIES

Re: open specific port for outside public ip using pix from insi

By default ALL traffic from the inside to the outside is permitted.

The config:-

access-list 101 extended permit tcp any host 79.125.8.156 eq 3128 - does nothing
access-list 101 extended permit tcp any host 79.125.8.156 eq 8080 - does nothing

access-list 101 extended permit tcp any 208.87.137.0 255.255.255.0 eq 3128- does nothing
access-list 101 extended permit tcp any 208.87.137.0 255.255.255.0 eq 8080 - does nothing
access-list 101 extended permit tcp any 208.87.137.0 255.255.255.0 eq www-  does nothing
access-list 101 extended permit tcp any 208.87.137.0 255.255.255.0 eq https - does nothing

access-list 101 extended permit tcp any interface outside eq 3128 - allows ANY device from the outside to connec to the pix outside interface using TCP port 3128
access-list 101 extended permit tcp any interface outside eq https - allows ANY device from the outside to connec to the pix outside interface using TCP port 443
access-list 101 extended permit tcp any interface outside eq 8080 - allows ANY device from the outside to connec to the pix outside interface using TCP port 8080
access-list 101 extended permit tcp any interface outside eq www - allows ANY device from the outside to connec to the pix outside interface using TCP port 80

This config is wrong - what are you trying to do?

Silver

Re: open specific port for outside public ip using pix from insi

It looks like 79.125.8.156 is some sort of web proxy server/web filtering server.

Are you trying to restrict all users, so that they can only access the proxy server, and nothing else?

If that is the case, then what you need is something like the following;

access-list 102 permit tcp any host 79.125.8.156 eq http
access-list 102 permit tcp any host 79.125.8.156 eq 443
access-list 102 permit tcp any host 79.125.8.156 eq 8080
access-list 102 permit tcp any host 79.125.8.156 eq 3128

access-group 102 in interface inside

With the above configuration, your inside host may have their browser to use the proxy server, and get to browse the internet after authentication.

They will not be able to browse the internet without going through the proxy server. Any other traffic will be denied.

The lines in blue are incorrect as mentioned by Andrew.

If I have misunderstood your intention, it will be best to provide source ip/protocol/port  and destination ip/protocol/port of the traffic you want to pass though the pix. And some clarification of the host 79.125.8.156 is supposed to do, and what the subnet 208.87.137.0 255.255.255.0 represent

New Member

Re: open specific port for outside public ip using pix from insi

Thanks Andrew and Edadios for your support and comments. Actually this configuration has been done by our client and send it to us for checking. Also Edadios, you are absolutely correct about our requirements.

Open TCP ports: 80, 443, 3128,8080 to the following range 208.87.137.0 - 208.87.137.255 and 208.87.136.0 - 208.87.136.255 for any inside user

Open TCP ports: 3128 and 8080 to the following IP’s and IP Ranges 194.116.198.0 - 194.116.198.255  and 79.125.8.156 for any inside user.

Thanks once again for your support.

New Member

Re: open specific port for outside public ip using pix from insi

hi,

For the follwing....

Open TCP ports: 80, 443, 3128,8080 to the following range 208.87.137.0 - 208.87.137.255 and 208.87.136.0 - 208.87.136.255

we applied the below commands....

access-list 102 permit tcp any 208.87.136.0 255.255.255.0 eq 3128
access-list 102 permit tcp any 208.87.136.0 255.255.255.0 eq 8080
access-list 102 permit tcp any 208.87.136.0 255.255.255.0 eq 443
access-list 102 permit tcp any 208.87.136.0 255.255.255.0 eq 80

access-list 102 permit tcp any 208.87.137.0 255.255.255.0 eq 3128
access-list 102 permit tcp any 208.87.137.0 255.255.255.0 eq 8080
access-list 102 permit tcp any 208.87.137.0 255.255.255.0 eq 443
access-list 102 permit tcp any 208.87.137.0 255.255.255.0 eq 80

Please rectify the same if it is wrong...........

waiting for ur help......

Silver

Re: open specific port for outside public ip using pix from insi

That is correct .

Regards,

New Member

Re: open specific port for outside public ip using pix from insi

Hi Edadios,

Thanks for your reply and guidance.

Regards,

Tuhin

1085
Views
0
Helpful
6
Replies