I have a PIX 515 running 5.3(1) with 4 DMZ ports. I have a machine off of one of the DMZs that I want to allow only specific addresses to FTP to that machine from the Internet. Is that possible? How would I do that?
By using the static, access-list and access-group commands.
Take the following example: 18.104.22.168 is the public address used to reach the server, in your case the FTP server. 192.168.3.3 is the IP address physically assigned to your FTP server; it's a private IP address.
a) Replace the word "any" by the host IP address or network IP address you want to give access rights to.
In case of a single host you must write "host x.y.z.a" (x to a must be replaced by the real IP address).
In case of a network: write the network IP address followed by the netmask (for instance: 22.214.171.124 netmask 255.255.255.0 identifies all hosts between 126.96.36.199 and 188.8.131.52).
b) The word "acl_out" is an alias used to identify the rule. You may use any alias you want, but you must have the same name for all the access-list or access-group commands linked together.
c) You may repeat the access-list command as often as necessary to configure all the access needed, with the same name as indicated before.
Command #3: access-group acl_out in interface outside
a) This command links all the access-lists configured with the "acl_out" alias name to the outside interface. You must figure out that the access-list is applied to the outside interface because the requests (your users) come from the outside, but the filtering rules are applied to the incoming packets of the outside interface.
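An added example, not part of the original posts and not Cisco code: a small Python evaluator for the three source forms the answer describes ("any", "host x.y.z.a", network plus netmask), showing that entries under one alias are checked in order and that traffic matching no entry falls to the implicit deny. The addresses and the alias "acl_open" are constructed for illustration, and the parsed syntax is an assumed, simplified subset, not a full PIX 5.3 grammar.

```python
import ipaddress

PORTS = {"ftp": 21, "telnet": 23, "smtp": 25, "www": 80}

# Constructed sample: acl_open leaves "any" as the source, acl_out restricts it.
SAMPLE = """
access-list acl_open permit tcp any host 192.0.2.10 eq ftp
access-list acl_out permit tcp host 203.0.113.25 host 192.0.2.10 eq ftp
access-list acl_out permit tcp 198.51.100.0 255.255.255.0 host 192.0.2.10 eq ftp
"""

def parse_addr(tokens):
    """Consume one address spec: 'any', 'host A', or 'A NETMASK'."""
    first = tokens.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(first + "/" + tokens.pop(0))

def parse_acl(text):
    """Return {alias: [(action, proto, src_net, dst_net, port), ...]} in config order."""
    acls = {}
    for line in text.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue
        name, action, proto, rest = t[1], t[2], t[3], t[4:]
        src, dst = parse_addr(rest), parse_addr(rest)
        port = None  # None means the entry matches any destination port
        if rest[:1] == ["eq"]:
            port = PORTS[rest[1]] if rest[1] in PORTS else int(rest[1])
        acls.setdefault(name, []).append((action, proto, src, dst, port))
    return acls

def evaluate(acls, name, proto, src, dst, dport):
    """First matching entry wins; no match means the implicit deny applies."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, src_net, dst_net, port in acls.get(name, []):
        if p in (proto, "ip") and s in src_net and d in dst_net and port in (None, dport):
            return action
    return "deny"

ACLS = parse_acl(SAMPLE)
```

Running `evaluate` with the same outside source against both aliases shows what replacing "any" changes: only the listed host and network reach FTP on the server's public address.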
THANK YOU! I appreciate your help. When I put in the commands though, it wouldn't work when I had the word "host" in there. I just simply put the address that needed access and then the public address of the server on the DMZ. Will that cause trouble? This is what shows when I run the command show access-list: