New Member

permitting traffic through pix 501

I have a class c network. 192.168.1.0 /24

i have several web,ftp and mail server 192.168.1.100 - 180

I also have two dns server 192.168.1.35,192.168.1.45

the problem is that i need to allow traffic from the outside to these webservers each host is a different server. how do i do this without having to enter the different static and access-list commands

for example

static (inside,outside) 10.0.0.100 192.168.1.100 netmask 255.255.255.255

access-list in permit tcp any host 10.0.0.100 eq www

access-list in permit tcp any host 10.0.0.100 eq smtp

access-list in permit tcp any host 10.0.0.100 eq ftp

i do not want to do this for 255 address that would be crazy

please help

4 REPLIES
Cisco Employee

Re: permitting traffic through pix 501

You pretty much do have to do it for all addresses, but it's easier if you can group them together. If you need to do it for all 255 addresses then it's easy, just do:

static (inside,outside) 10.0.0.0 192.168.1.0 netmask 255.255.255.0

access-list in permit tcp any 10.0.0.0 255.255.255.0 eq www

access-list in permit tcp any 10.0.0.0 255.255.255.0 eq smtp

access-list in permit tcp any 10.0.0.0 255.255.255.0 eq ftp

If you only need to do it for 100-180 then it gets a little more difficult, as you have to group these together but with subnet masking it gets difficult.

Also I would recommend using an object group for the protocols in the access-list as follows:

object-group service allowed_prots tcp

port-object eq ftp

port-object eq www

port-object eq smtp

access-list in permit tcp any host x.x.x.x object-group allowed_prots

This'll save two access-list lines per host. See http://www.cisco.com/warp/public/707/pix_obj_grp.html for details.

New Member

Re: permitting traffic through pix 501

Thanks for the object group, but I still have to do it for each address.

Silver

Re: permitting traffic through pix 501

use netblocks

192.168.10.100 255.255.255.252 (covers 192.168.10.100 through 103)

192.168.10.104 255.255.255.248 (covers 192.168.10.104 through 111)

192.168.10.112 255.255.255.240 (covers 192.168.10.112 through 127)

192.168.10.128 255.255.255.224 (covers 192.168.10.128 through 159)

192.168.10.160 255.255.255.240 (covers 192.168.10.160 through 175)

192.168.10.176 255.255.255.252 (covers 192.168.10.176 through 179)

192.168.10.180 255.255.255.255

Those statements will cover all of your ip address space for your servers
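As an added worked example (not part of the thread), the script below computes the same netblock split for the original poster's actual range, 192.168.1.100 through 192.168.1.180, and then emits one `static` plus one `access-list` line per block, reusing the `allowed_prots` service object-group from the first reply. The outside block 10.0.0.0/24, the interface names and the access-list name `in` are taken from the thread; the one-to-one mapping that keeps the same host offset on both sides is an assumption.

```python
import ipaddress

# Constructed inputs taken from the thread: inside server range, inside /24,
# the outside /24 used in the statics, and the service object-group name.
INSIDE_FIRST = ipaddress.IPv4Address("192.168.1.100")
INSIDE_LAST = ipaddress.IPv4Address("192.168.1.180")
INSIDE_NET = ipaddress.IPv4Network("192.168.1.0/24")
OUTSIDE_NET = ipaddress.IPv4Network("10.0.0.0/24")
OBJECT_GROUP = "allowed_prots"


def netblocks(first, last):
    """Split an inclusive address range into the fewest aligned CIDR blocks.

    This is exactly the hand computation in the reply above: each block starts
    on a boundary aligned to its own size and never spills past `last`.
    """
    return list(ipaddress.summarize_address_range(first, last))


def translate(inside_block, inside_net=INSIDE_NET, outside_net=OUTSIDE_NET):
    """Map an inside block onto the outside network with the same host offset.

    A PIX `static` with a netmask translates a whole block one-to-one, so the
    outside block must be aligned the same way; that holds as long as the block
    is no larger than the outside network (assumption made explicit here).
    """
    if inside_block.prefixlen < outside_net.prefixlen:
        raise ValueError("block is larger than the outside network")
    offset = int(inside_block.network_address) - int(inside_net.network_address)
    outside_addr = ipaddress.IPv4Address(int(outside_net.network_address) + offset)
    return ipaddress.IPv4Network((outside_addr, inside_block.prefixlen))


def pix_config(first=INSIDE_FIRST, last=INSIDE_LAST, inside_net=INSIDE_NET,
               outside_net=OUTSIDE_NET, acl="in", group=OBJECT_GROUP):
    """Return the PIX static and access-list lines for every netblock."""
    lines = []
    for block in netblocks(first, last):
        out = translate(block, inside_net, outside_net)
        mask = block.netmask
        lines.append(
            f"static (inside,outside) {out.network_address} "
            f"{block.network_address} netmask {mask}"
        )
        # PIX ACL syntax: a single address is written `host a.b.c.d`,
        # a block is written `a.b.c.d mask`.
        if block.prefixlen == 32:
            dst = f"host {out.network_address}"
        else:
            dst = f"{out.network_address} {mask}"
        lines.append(f"access-list {acl} permit tcp any {dst} object-group {group}")
    return lines


def covers_exactly(blocks, first, last):
    """Sanity check: the blocks cover every address in the range and nothing else."""
    wanted = {ipaddress.IPv4Address(i) for i in range(int(first), int(last) + 1)}
    got = {addr for b in blocks for addr in b}
    return wanted == got


if __name__ == "__main__":
    for line in pix_config():
        print(line)
```

Run it and the seven blocks match the reply above (100/30, 104/29, 112/28, 128/27, 160/28, 176/30 and 180/32); `covers_exactly` is worth keeping around as a check whenever the range changes, since an off-by-one at a block boundary silently exposes or omits a server.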

New Member

Re: permitting traffic through pix 501

thank you, but forgive me for not being so bright.

Will the PIX know to translate 10.0.0.100 to 192.168.10.100?
