Allow access to internal box

Hello,

I have a consultant that I need to allow access through our PIX. We have a box on our internal network that he needs to be able to configure. I was thinking of something like:

access-list app permit tcp host 192.178.16.6 host 201.126.22.54 eq 2301

access-group app in interface outside

static (inside,outside) tcp 201.126.22.54 2301 10.1.1.112 2301 netmask 255.255.255.255

consultants address==192.178.16.6

our external address==201.126.22.54

our internal address==10.1.1.112

port needed==2301

Does this look about right? I'm not exactly sure how he would initially 'connect' to our network... I would think he'd use our external IP, correct?

7 REPLIES
Silver

Re: Allow access to internal box

That should work.

Re: Allow access to internal box

Looks good, here you have another template.

access-list acl_out permit tcp host SRC-Public host YourPublic-IP eq 2301

access-group acl_out in interface outside

static (inside,outside) tcp YourPublic-IP 2301 Local-IP 2301 netmask 255.255.255.255 0 0

You might need to execute a:

clear xlate

if you have modified or changed the static. Please note that this will reset all sessions.

sincerely

Patrick
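The three lines above (an access-list, the access-group binding it to the outside interface, and the static that maps the public IP/port to the internal host) only work when they agree with each other. The following added checker, written for this thread and not taken from the original posts or from Cisco, parses PIX 6.x-style lines and reports the mistakes that usually break such a pinhole: a missing `permit` keyword, an ACL that is not applied inbound on outside, an ACE whose destination/port has no matching static, or an overly broad `any` source. The sample config is the original poster's, constructed inline with `permit` included.

```python
import re

# Constructed sample: the thread's three PIX 6.x lines, with "permit" included.
PIX_CONFIG = """
access-list app permit tcp host 192.178.16.6 host 201.126.22.54 eq 2301
access-group app in interface outside
static (inside,outside) tcp 201.126.22.54 2301 10.1.1.112 2301 netmask 255.255.255.255
"""

ACE_RE = re.compile(r"^access-list (\S+) permit (tcp|udp) (host \S+|any) host (\S+) eq (\d+)$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (tcp|udp) (\S+) (\d+) (\S+) (\d+) netmask (\S+)")


def check_pinhole(config):
    """Return a list of findings; an empty list means the pinhole is consistent."""
    findings, aces, bound, statics = [], [], {}, []
    for line in config.strip().splitlines():
        line = line.strip()
        if line.startswith("access-list"):
            m = ACE_RE.match(line)
            if not m:
                findings.append(f"unparsable or non-permit ACE (missing 'permit'?): {line}")
                continue
            aces.append(m.groups())
        elif line.startswith("access-group"):
            m = GROUP_RE.match(line)
            if m:
                bound[m.group(1)] = m.group(2)
        elif line.startswith("static"):
            m = STATIC_RE.match(line)
            if m:
                statics.append(m.groups())  # (in_if, out_if, proto, gip, gport, lip, lport, mask)
    for name, proto, src, dst, port in aces:
        if bound.get(name) != "outside":
            findings.append(f"ACL {name} is not applied inbound on the outside interface")
        if src == "any":
            findings.append(f"ACL {name} allows any source to {dst}:{port}; restrict it to the consultant's host")
        # On PIX 6.x an outside ACL matches the global (public) address, so the
        # static's global IP/port must equal the ACE's destination IP/port.
        hit = [s for s in statics if s[1] == "outside" and s[2] == proto and s[3] == dst and s[4] == port]
        if not hit:
            findings.append(f"no static maps {proto}/{dst}:{port} to an inside host")
    return findings


if __name__ == "__main__":
    for finding in check_pinhole(PIX_CONFIG) or ["pinhole is consistent"]:
        print(finding)
```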

New Member

Re: Allow access to internal box

Excellent!! Thanks a bunch Patrick!

New Member

Re: Allow access to internal box

Patrick,

One other question...I know this is machine to machine, port to port, but this doesn't prevent man-in-the-middle. What would you suggest for getting a secure connection outside of allowing vpn access? There are times we need to allow consultants in, but only want to give them direct access to the machine they are servicing...

Thanks,

Chris

Re: Allow access to internal box

You could configure IPSEC VPN with no split tunnel allowed.

That way the consultant cannot access the Internet at the same time, which mitigates the risk of a man-in-the-middle attack.

In the access-list of the VPN tunnel you just allow the TCP port that you want to allow him.

sincerely

Patrick

New Member

Re: Allow access to internal box

We do currently have a VPN set up on our PIX, but I'm not too familiar with VPN configuration. We have it set up with the vpngroup command and a RADIUS server on the internal network. To allow him VPN access, we would have to share that configuration info with him, correct? Is there another way to do this?

Re: Allow access to internal box

You could create a new VPN-Group (profile) for your consultants that have more restricted access.

Yes you need to share the:

1.) VPN Group name

2.) PSK password (Preshared Password)

3.) Consultants username and password

sincerely

Patrick
