03-29-2004 11:07 AM - edited 03-02-2019 02:37 PM
Hi all,
I've been trying to get internet access to two devices behind the PIX at the main office. The devices have static addresses of 192.168.0.20 and 192.168.0.5. These devices have built-in web interfaces that can be configured to use whichever port we like. I chose ports 8500 and 8510 respectively.
Here's what I have in the PIX for port 8500 (I'm doing one at a time):
access-list 102 permit tcp host 192.168.0.5 any eq 8500
static (inside,outside) tcp interface 8500 192.168.0.5 8500 netmask 255.255.255.255 0 0
access-group 102 in interface outside
Is this correct? Is this too much? Any holes here? Thanks in advance for the help.
-Nick
03-29-2004 01:25 PM
You need to setup static translations and matching conduit statements to allow traffic through a pix.
i.e.
Port specific static translation statement:
static (inside,outside) tcp
All protocol static translation statement:
static (inside,outside)
Regardless they both need a corresponding conduit command to permit traffic.
conduit permit tcp host
Hope that helps.
-Lance
http://www.cisco.com/en/US/products/sw/secursw/ps2120/prod_command_reference_list.html
03-29-2004 01:58 PM
Looks like you may have a problem with your access-list. The way I keep track of what address should be the source and which should be the destination is to imagine yourself inside the router. From that vantage point what is the source and destination of the packet coming towards your interface. Your access-list should be as follows:
access-list 102 permit tcp any interface outside eq 8500
By the looks of your commands, your outside interface is being assigned via DHCP by your ISP. If this is not correct then I would recommend using the actual IP address rather than using the
03-29-2004 06:00 PM
Thanks guys I will give that a try. I thought that the conduit command was deprecated. I am concerned about "tcp any". Can that be exploited?
-nick
03-30-2004 09:53 AM
Well, it didn't work. I removed the old bits from the configuration and started anew. Again, please excuse me if I seem ignorant. I have read the manuals and searched the net. I feel that this should work, but it doesn't. I know I'm missing something:
access-list 102 permit tcp any interface outside eq 8500
static (inside,outside) tcp 64.8.234.247 8500 192.168.0.5 8500 netmask 255.255.255.255 0 0
access-group 102 in interface outside
We have a static IP that is being NAT'd. Please let me know if this is correct. If it is, then something is up with the device itself, but at least I can rule out the firewall.
03-30-2004 11:12 AM
You're right, the conduit command is deprecated, but not until 6.4, so it should work.
You have not mentioned anything about your nat configuration. Try adding the following:
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
This will configure the pix to translate any inside address to a global address depending on the best match, which in your case should be the static command.
Check out:
Hope that helps
-Lance
03-30-2004 11:25 AM
Is your outside interface address 64.8.234.247? If it is not, then the access-list is incorrect. Your access-list should read as follows:
access-list 102 permit tcp any 64.8.234.247 255.255.255.255 eq 8500
Now as far as the any command, this is basically letting anyone on the internet have access to that port. If you only want specific users to access this port and you know their public IP addresses, then instead of using the any command you could provide those addresses. This should tighten down your security.
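Pulling the thread's advice together, here is an added example (not a configuration posted by anyone in this thread) of the PIX 6.x statements for both devices at once: one static PAT entry per port, an inbound access-list whose destination is the outside (global) address rather than the inside host, and the source narrowed from `any` to a known management address. The outside address 64.8.234.247 and the inside hosts come from the thread; `203.0.113.10` is a placeholder for the remote admin's public IP and must be replaced. Lines beginning with `!` are comments for the reader.

```text
! Static PAT: map outside address port 8500/8510 to the two devices' web interfaces.
static (inside,outside) tcp 64.8.234.247 8500 192.168.0.5 8500 netmask 255.255.255.255 0 0
static (inside,outside) tcp 64.8.234.247 8510 192.168.0.20 8510 netmask 255.255.255.255 0 0
! Inbound ACL seen from the PIX: source = remote client, destination = the OUTSIDE address.
! 203.0.113.10 is a placeholder for the administrator's public IP; replace it or add one
! line per permitted source. Everything not listed is dropped by the implicit deny.
access-list 102 permit tcp host 203.0.113.10 host 64.8.234.247 eq 8500
access-list 102 permit tcp host 203.0.113.10 host 64.8.234.247 eq 8510
! Apply the ACL to traffic arriving on the outside interface.
access-group 102 in interface outside
```

If the outside address is assigned by DHCP instead of being static, the keyword `interface` replaces 64.8.234.247 in both the static and the access-list lines, as in the first post. Verify with `show xlate` (the static PAT entries should appear) and `show access-list 102` (hit counts increment when a permitted source connects); if the hit counts stay at zero while the xlate exists, the ACL direction or destination address is still wrong rather than the device itself.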