12-25-2011 08:57 PM - edited 03-11-2019 03:06 PM
I need to allow certain machine IPs (source) to access other IPs (destination) in different classes on the ports 22, 21, 80, 3389, 3000, 443, 8080, 8443 and 8000-65535 through my corporate firewall. Can you please give me the commands to be executed?
12-26-2011 01:40 AM
Hi Ravi,
Let's assume your inside interface name is "inside" and your outside interface name is "outside".
Here you need to permit traffic from your destination IPs to your source IPs and also open these ports for that communication.
1. Create a service object group for the ports
object-group service EXTERNAL_TO_INTERNAL tcp
description EXTERNAL TO INTERNAL
port-object eq 22
port-object eq 21
port-object eq 3389
port-object eq 3000
port-object eq 8443
port-object range 8000 65535
2. Create an object group for the destination IPs
object-group network DESTINATION_PUBLIC_IPS
network-object 79.105.0.0 255.255.192.0
network-object 214.182.224.0 255.255.240.0
network-object 204.236.128.0 255.255.192.0
! 107.12.0.0 - 107.12.199.255 is not a single block; a /16 would also permit 107.12.200.0 - 107.12.255.255
network-object 107.12.0.0 255.255.128.0
network-object 107.12.128.0 255.255.192.0
network-object 107.12.192.0 255.255.248.0
3. Create the ACL
access-list out-in permit tcp object-group DESTINATION_PUBLIC_IPS host 172.19.26.72 object-group EXTERNAL_TO_INTERNAL
access-list out-in permit tcp object-group DESTINATION_PUBLIC_IPS host 172.19.31.82 object-group EXTERNAL_TO_INTERNAL
4. Bind it to the outside interface
access-group out-in in interface outside
I think it will work. Please try it and rate this post if it is helpful.
Thanks
Vipin
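An added check in Python, not part of the thread: it turns the four posted destination ranges into exact ASA network-object lines with ipaddress.summarize_address_range (the last range is not one CIDR block) and counts how many extra addresses a single /16 mask for 107.12.0.0 would permit. The range labels and function names are mine.

```python
import ipaddress

# Destination ranges as posted in the thread (labels are mine).
RANGES = {
    "EU": ("79.105.0.0", "79.105.63.255"),
    "US": ("214.182.224.0", "214.182.239.255"),
    "range3": ("204.236.128.0", "204.236.191.255"),
    "range4": ("107.12.0.0", "107.12.199.255"),   # not a single CIDR block
}


def network_objects(first, last):
    """ASA 'network-object <net> <mask>' lines that cover exactly first..last."""
    start, end = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    return [f"network-object {n.network_address} {n.netmask}"
            for n in ipaddress.summarize_address_range(start, end)]


def object_group(name, ranges):
    """Full object-group network block for the given ranges."""
    lines = [f"object-group network {name}"]
    for first, last in ranges.values():
        lines.extend(network_objects(first, last))
    return lines


def is_permitted(ip, ranges):
    """True if ip falls inside one of the requested ranges."""
    addr = ipaddress.IPv4Address(ip)
    return any(ipaddress.IPv4Address(a) <= addr <= ipaddress.IPv4Address(b)
               for a, b in ranges.values())


def excess_addresses(cidr, first, last):
    """Addresses a single CIDR mask permits beyond the requested first..last."""
    net = ipaddress.IPv4Network(cidr)
    wanted = int(ipaddress.IPv4Address(last)) - int(ipaddress.IPv4Address(first)) + 1
    return net.num_addresses - wanted


if __name__ == "__main__":
    print("\n".join(object_group("DESTINATION_PUBLIC_IPS", RANGES)))
    print("extra addresses from a /16:",
          excess_addresses("107.12.0.0/16", "107.12.0.0", "107.12.199.255"))
```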
12-26-2011 12:01 AM
You need to add an ACL to allow these ports. First of all, I would like to know the source and destination IPs. It's better if you post your configuration; I will write the ACLs for you and you can simply copy and paste them into your firewall.
Thanks
Ajay
12-26-2011 12:57 AM
Source IPs: 172.19.26.72 (dynamic) and 172.19.31.82
Destination IPs:
79.105.0.0/18 (79.105.0.0 - 79.105.63.255) [EU]
214.182.224.0/20 (214.182.224.0 - 214.182.239.255) [US]
204.236.128.0/18 (204.236.128.0 - 204.236.191.255)
107.12.0.0 - 107.12.199.255
Ports: 22, 21, 3389, 3000, 8443, 8000-65535
12-26-2011 01:04 AM
I am sure you will have an access-list applied to the interfaces. If these are fixed internet IPs, it is better to create an object group.
Here is the sample configuration.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800d641d.shtml
12-26-2011 09:51 AM
Hello Ravi,
Adding to these two great answers Ajay and Vipin have provided, I would like to know if the connection is being made from the inside to the outside or from the outside to the inside.
I can see that you want to allow the communication from the private sector to the public sector, so I guess it would be from inside to outside. If this is the case and you do not have any access-list on your inside interface, you do not need to create one, because all connections are allowed when you go from a higher security level to a lower security level.
Please let me know if this is what you are looking for.
Do please rate helpful posts.
Julio!!