PIX Firewall Configuration

Gurus,

I have a question here. Let's say there is one router (18.10.3.2) connected to 18.10.3.1 of the PIX FW interface, and there is a 172.1.1.0/24 network that needs to come in to 18.10.3.10/24 (SAP Server) from the router (routing: 0.0.0.0 0.0.0.0 18.10.3.1).

How to apply permit list on the PIX Inside interface?

Am I supposed to apply it on the 18.10.3.1 (inside) interface?

Thanks!

3 REPLIES

Re: PIX Firewall Configuration

Hi Cindy,

Where is the network 172.1.1.0/24? Is it outside your PIX?

If so, you need to apply the ACL on the outside interface of the pix, in the incoming direction.

access-group outside_acl in interface outside

In your ACL outside_acl, you need to allow the segment 172.1.1.0/24 to access 18.10.3.10:

access-list outside_acl permit ip 172.1.1.0 255.255.255.0 host 18.10.3.10

This ACL will allow IP-level access to the SAP server from the segment 172.1.1.0/24.

Ideally you should be allowing only the relevant TCP port from 172.1.1.0/24 to your SAP server.

Revert back to us if you need further clarification.

Hope this helps. Kindly rate the post if it was helpful.

-VJ
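The following is an added example, not part of VJ's reply, showing what the tighter version of the above looks like in PIX syntax: the ACL permits only one TCP port to the SAP server instead of all IP, and everything else is denied explicitly with logging so rejected connections are visible. It assumes PIX 6.x, where outside-to-inside access also needs a static (identity) translation for the server, and it assumes the SAP instance number is 00, so the dispatcher listens on tcp/3200; substitute the port your SAP instance actually uses.

```cisco
! Added example (assumed PIX 6.x syntax), not from the original thread.
! Identity static: exposes 18.10.3.10 to the outside without changing its address.
static (inside,outside) 18.10.3.10 18.10.3.10 netmask 255.255.255.255

! Only the SAP dispatcher port (assumed tcp/3200 for instance 00) from 172.1.1.0/24.
access-list outside_acl permit tcp 172.1.1.0 255.255.255.0 host 18.10.3.10 eq 3200

! Explicit deny with logging so blocked attempts show up in syslog.
access-list outside_acl deny ip any any log

! Apply inbound on the outside interface.
access-group outside_acl in interface outside
```

After applying it, `show access-list outside_acl` shows a hit count per line; a rising count on the permit line confirms the SAP traffic is matching the intended entry rather than the deny.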

Re: PIX Firewall Configuration

Thanks Vijay,

The network (172.1.1.0/24) comes to the inside interface of the PIX (18.10.3.1), but goes to 18.10.3.10 (SAP Server), which resides on the INSIDE interface VLAN.

So, I am not too sure if the traffic will flow into the firewall, as the route is to go to the firewall first, before going to the 18.10.3.10 SAP Server.

Thanks,

Re: PIX Firewall Configuration

Hi Cindy,

Kindly clarify about your setup.

Where is the segment 172.1.1.0/24 located physically?

Is it residing behind your inside interface of the firewall, and you want to protect access to the SAP server from this segment?

This is not a good design.

As the source and destination segments are both in your inside network, you cannot make this traffic pass through the firewall (unless you are using VLAN segmentation of zones in your firewall, which I suppose is not the case in your setup).

What do you want to achieve?

If you want firewall protection for the SAP server from 172.1.1.0/24 segment, then you need to redesign the way in which your firewall is deployed.

If you don't want firewall protection for the SAP server from the 172.1.1.0/24 segment, then you need to check the way routing is configured from the segment 172.1.1.0/24 to the SAP server and make the necessary changes, so that traffic from the 172.1.1.0/24 segment will reach the SAP server without passing through the firewall.

Kindly revert back with more details on your setup/requirement to us, if the above explanation doesn't apply to your network/needs.

Hope this helps.

-VJ
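As an added illustration of the redesign VJ describes (not part of the thread), this is one way the PIX could be deployed so that 172.1.1.0/24 and the SAP server sit on different interfaces and the traffic has to traverse the firewall. It assumes PIX 6.x, a spare third interface (ethernet2) used as a DMZ, a constructed DMZ subnet 192.168.50.0/24 with the SAP server moved to 192.168.50.10, and again SAP instance 00 on tcp/3200; all of those values are assumptions, not from the original posts.

```cisco
! Added example (assumed PIX 6.x syntax and addresses), not from the original thread.
! Third interface as a DMZ with a security level between inside (100) and outside (0).
nameif ethernet2 dmz security50
ip address dmz 192.168.50.1 255.255.255.0

! No address translation needed between inside and dmz: identity static for the server
! and NAT exemption for the 172.1.1.0/24 client segment.
static (dmz,inside) 192.168.50.10 192.168.50.10 netmask 255.255.255.255
nat (inside) 0 172.1.1.0 255.255.255.0

! Inside users may reach only the SAP dispatcher port on the server; log the rest.
access-list inside_acl permit tcp 172.1.1.0 255.255.255.0 host 192.168.50.10 eq 3200
access-list inside_acl deny ip any any log
access-group inside_acl in interface inside
```

With the server on its own interface, the ACL on the inside interface is what decides which inside segments reach it; with the server left on the same inside VLAN as the clients, no ACL on the PIX is ever consulted because the packets never reach the firewall.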
