Cisco Support Community

New Member

Pix 515E - Static NAT Question

In my network, there is one server that is on an untrusted network. I have a firewall between that server and my network. I only want to allow that server to send data to a server on my network, and deny all other access.

Is this option possible in the PIX firewall?

6 REPLIES

Re: Pix 515E - Static NAT Question

The scenario mentioned in this link deals with a similar kind of access, in line with yours.

The only difference is that it allows/permits the SMTP service alone.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094466.shtml

You might want to look at these altered config lines...

access-list input permit ip host outsideserverip host yourpublicip

access-group input in interface outside

static (inside,outside) yourpublicip yourinsideserverip netmask 255.255.255.255

outsideserverip --- remote-end server IP

yourpublicip --- the outside interface IP configured on your outside interface

yourinsideserverip --- the original IP configured on your server's NIC, which is kept in the inside LAN behind the PIX

Regards

New Member

Re: Pix 515E - Static NAT Question

Let me explain a little bit more. The untrusted server IP is 172.16.2.22 and it is supposed to access the trusted server 192.168.100.2 on a particular TCP port, 6789. But in the access-list I cannot define this particular IP to access the inside server on a specific TCP port.

The access-list above defines IP access, which will include all TCP ports.

I want the access-list to allow access on a specific TCP port. Is this possible with the PIX firewall?

Re: Pix 515E - Static NAT Question

Hi

As mentioned in the link attached in my post, you can define the access on a particular port as

access-list input permit tcp any host 209.164.3.5 eq 6789

I hope that should work out for you..

Regards

New Member

Re: Pix 515E - Static NAT Question

Is it possible to replace the "any" with an IP address of the outside server?

Re: Pix 515E - Static NAT Question

Hi

It's very much possible to define a specific IP by prefixing the "host" keyword in front of that IP address..

access-list input permit tcp host youroutsideserverip host 209.164.3.5 eq 6789

Regards

New Member

Re: Pix 515E - Static NAT Question

Thanks..

I tried this command before, but then it did not allow any sort of communication from the outside server to the internal server...
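The pieces from the replies above, assembled into one PIX 6.x configuration fragment as an added example (not posted by anyone in the thread). It uses the thread's addresses (172.16.2.22 untrusted server, 192.168.100.2 trusted server, 209.164.3.5 as the mapped public address); the interface names, interface addresses and the nat/global lines are assumptions. The point a practitioner should check is that the ACL applied to the outside interface must match the mapped (global) address from the static, not the server's real inside address, and that the static must exist for the inbound connection to be untranslated.

```cisco
: Added example, not from the thread. Interface names, interface IPs
: and the nat/global pair are assumed; the rest comes from the replies.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
: Assumed interface addresses
ip address outside 209.164.3.1 255.255.255.0
ip address inside 192.168.100.1 255.255.255.0

: Assumed outbound PAT for the inside LAN (not needed for the inbound rule)
nat (inside) 1 192.168.100.0 255.255.255.0
global (outside) 1 interface

: One-to-one static: public 209.164.3.5 <-> trusted server 192.168.100.2
static (inside,outside) 209.164.3.5 192.168.100.2 netmask 255.255.255.255

: Only the untrusted server, only to the mapped address, only TCP/6789.
: The outside ACL is evaluated against the MAPPED address (209.164.3.5),
: not 192.168.100.2. The implicit deny at the end drops everything else,
: which gives the "deny all other access" the original question asked for.
access-list input permit tcp host 172.16.2.22 host 209.164.3.5 eq 6789
access-group input in interface outside

: Checks after one connection attempt from 172.16.2.22:
:   show access-list input   (hitcnt on the permit line should increase)
:   show xlate               (expect Global 209.164.3.5 Local 192.168.100.2)
:   show conn                (expect a TCP entry for 192.168.100.2:6789)
```

If the hitcnt stays at zero, the ACL line is not matching the packet as it arrives on the outside interface (wrong destination address or port); if hitcnt increases but no xlate/conn appears, the static mapping is the thing to re-check.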
