Conduit/Access list for a range of IP's...??

a_abhijit
Level 1

We have a PIX 515 6.1(1).

We know how to expose an internal HTTP server to a specific IP, but how do we achieve the same for a range of IPs?

How can I expose my HTTP server to a specific range of IP addresses or a network address range, e.g. 201.12.18.96 netmask 255.255.255.240, or something like x.x.x.0 255.255.255.0?

Could you help me by explaining a sample PIX conduit or access-list command?

Thanks in Advance.

4 Replies

yizhar
Level 1

Hi.

One way you can do it is by setting up multiple private IP addresses on the web server, and then using static to map them to registered IP addresses at the PIX.

You can use multiple static commands (one for each IP), or you can use static with a subnet, but for this to work, you'll have to plan the private IP addresses given to the web server so that they'll match.

This is not the only way; there are other possible solutions.

But what is the goal here? What are you trying to do?

You can play with DNS records and "host headers" at the web server; you can host multiple domains on a single server using a single IP address.

Yizhar

Hi,

Thanks for your reply.

I am hosting a web service for my client for a temporary period. My aim is to only allow the range of addresses (x.x.x.96 255.255.255.224), which are his NAT pool IPs, to access the HTTP port exposed at my end. This HTTP server is right now statically mapped to allow access to "any" by

static (inside,outside) tcp x.x.x.105 8080 192.168.5.116 8080 netmask 255.255.255.255

conduit permit tcp host x.x.x.105 eq 8080 any

We can very well take care of this problem by allowing only a particular host to access this HTTP service, but what could be done if you need to allow access for the range of IPs in the above case?

Using a static command per IP is really a tedious thing to do if there are many IPs which need to be taken care of. Isn't there any better solution where we can expose the HTTP access only to a range of IPs or a network address?

Secondly, can you please elaborate more on the solution you propose?

Thanks Again

Hi.

I misunderstood your question in the first place.

I thought that you were trying to host multiple web sites on your server with different ip addresses at your side. You should ignore my first reply....

All you have to do is very simple if I got the point now.

Just change this:

> conduit permit tcp host x.x.x.105 eq 8080 any

To this:

no conduit permit tcp host x.x.x.105 eq 8080 any

conduit permit tcp host x.x.x.105 eq 8080 x.x.x.96 255.255.255.224

"Allowing Untrusted Hosts Access to Hosts on Your Trusted Network ":

http://www.cisco.com/warp/public/707/28.html#topic7

Yizhar
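To make the effect of the change above concrete, here is an added example (not from this thread or from Cisco) that models how a PIX 6.x conduit line is matched: the original "any" rule next to the tightened one, parsed and evaluated against sample source addresses. The addresses 203.0.113.105 and 198.51.100.96 stand in for the poster's x.x.x.105 and x.x.x.96 and are constructed; the mask is the 255.255.255.224 from the reply. Note that conduit and static take a real subnet mask, not an IOS-style wildcard mask.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample conduit lines (placeholder addresses, not the poster's):
# the open rule from the original configuration and the range-limited replacement.
CONDUIT_OPEN = "conduit permit tcp host 203.0.113.105 eq 8080 any"
CONDUIT_RANGE = "conduit permit tcp host 203.0.113.105 eq 8080 198.51.100.96 255.255.255.224"

_CONDUIT_RE = re.compile(
    r"^conduit\s+(permit|deny)\s+tcp\s+host\s+(\S+)\s+eq\s+(\d+)\s+"
    r"(?:(any)|host\s+(\S+)|(\S+)\s+(\S+))$"
)

@dataclass
class Conduit:
    action: str
    dst: ipaddress.IPv4Address
    dport: int
    src_net: ipaddress.IPv4Network  # built from a netmask, not a wildcard

def parse_conduit(line: str) -> Conduit:
    """Parse the subset of PIX 6.x conduit syntax used in this thread."""
    m = _CONDUIT_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported conduit syntax: {line!r}")
    action, dst, dport, any_kw, host, net, mask = m.groups()
    if any_kw:
        src = ipaddress.IPv4Network("0.0.0.0/0")
    elif host:
        src = ipaddress.IPv4Network(f"{host}/32")
    else:
        # strict=True rejects a network address with host bits set,
        # e.g. ".100 255.255.255.224", which would otherwise be silently widened.
        src = ipaddress.IPv4Network(f"{net}/{mask}", strict=True)
    return Conduit(action, ipaddress.IPv4Address(dst), int(dport), src)

def conduit_allows(conduits, src_ip: str, dst_ip: str, dport: int) -> bool:
    """First matching conduit decides; inbound traffic with no match is denied."""
    src = ipaddress.IPv4Address(src_ip)
    dst = ipaddress.IPv4Address(dst_ip)
    for c in conduits:
        if dst == c.dst and dport == c.dport and src in c.src_net:
            return c.action == "permit"
    return False

if __name__ == "__main__":
    rules = [parse_conduit(CONDUIT_RANGE)]
    for ip in ("198.51.100.96", "198.51.100.127", "198.51.100.128", "192.0.2.7"):
        print(ip, conduit_allows(rules, ip, "203.0.113.105", 8080))
```

With the range rule in place only 198.51.100.96 through 198.51.100.127 (32 addresses) reach port 8080; everything else, including the same source on another port, is dropped.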

Thanks a lot Yizhar....

But... to tell you the fact, I had tried something similar a couple of days back... obviously the rule logically says so... but I think it needed a "write mem" and a power cycle of the PIX after it was written... ;-)

Anyways, thanks a million... my problem seems to be solved.

Thanks Again!!!