
PIX configurations

I am configuring a VPN between my network and a customer who has a range of hosts that will be accessing my host. I am saddled with how to configure an access-list on my PIX to accept a range of host IP addresses from my partner, say x.x.x.183 to x.x.x.212.

Somebody please help me with this ACL. I am using an extended ACL.

1 REPLY

Re: PIX configurations

*Firewall Forum*

You can use an object-group and one line of ACL, or use multiple ACLs to include all addresses.

Apply/bind the ACL on your outside interface.

And for your partner to be able to access your internal servers/resources, I assume you have already defined a static map of internal to public IP.

Configuration example:

1. Object-group listing the partner's IPs:

object-group network PARTNER-IP
 network-object host 100.100.100.183
 network-object host 100.100.100.184
 network-object host 100.100.100.212

2. Access-list on the outside interface:

access-list outside permit ip object-group PARTNER-IP host x.x.x.100 ---> permit all IP to a single internal host
access-list outside permit tcp object-group PARTNER-IP host x.x.x.101 eq https --> allow only tcp/https
access-list outside permit udp object-group PARTNER-IP host x.x.x.101 eq domain --> allow only udp/domain (DNS)
access-group outside in interface outside

*You can create the ACL without the 'extended' keyword, as the PIX adds it automatically.

3. Static NAT/map of internal servers to public IPs, assuming the internal IPs are 10.1.1.40 and 10.1.1.41:

static (inside,outside) x.x.x.100 10.1.1.40 netmask 255.255.255.255 --> map internal 10.1.1.40 to public IP x.x.x.100
static (inside,outside) x.x.x.101 10.1.1.41 netmask 255.255.255.255 --> map internal 10.1.1.41 to public IP x.x.x.101

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800d641d.shtml

HTH

AK

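The reply above lists individual host entries for a handful of addresses, but the original question asks for the whole contiguous range .183 to .212. The added example below (not code from the thread or from Cisco) shows how to turn such a range into the smallest set of PIX network-object lines that covers exactly those addresses, and how to check that a hand-written block does not quietly permit more than the range. It assumes the partner addresses from the reply (100.100.100.183 to 100.100.100.212) and the object-group name PARTNER-IP; the function names are the example's own.

```python
import ipaddress
from typing import List


def summarize_range(first: str, last: str) -> List[ipaddress.IPv4Network]:
    """Return the minimal list of CIDR blocks whose union is exactly first..last (inclusive)."""
    start = ipaddress.IPv4Address(first)
    end = ipaddress.IPv4Address(last)
    if end < start:
        raise ValueError("last address must not precede first address")
    # summarize_address_range yields the fewest aligned blocks covering the range with no spill-over
    return list(ipaddress.summarize_address_range(start, end))


def network_object_lines(first: str, last: str) -> List[str]:
    """Render each CIDR block in PIX network-object syntax (host form for /32, address+mask otherwise)."""
    lines = []
    for net in summarize_range(first, last):
        if net.prefixlen == 32:
            lines.append(f"network-object host {net.network_address}")
        else:
            lines.append(f"network-object {net.network_address} {net.netmask}")
    return lines


def render_object_group(name: str, first: str, last: str) -> str:
    """Build the complete object-group stanza for pasting into a PIX configuration."""
    body = "\n".join(f" {line}" for line in network_object_lines(first, last))
    return f"object-group network {name}\n{body}"


def extra_addresses(first: str, last: str, networks: List[ipaddress.IPv4Network]) -> int:
    """Count addresses matched by the given (non-overlapping) blocks that lie outside first..last.

    A non-zero result means the object-group over-permits relative to the intended range.
    """
    start = int(ipaddress.IPv4Address(first))
    end = int(ipaddress.IPv4Address(last))
    extra = 0
    for net in networks:
        lo = int(net.network_address)
        hi = int(net.broadcast_address)
        overlap = max(0, min(hi, end) - max(lo, start) + 1)
        extra += net.num_addresses - overlap
    return extra


if __name__ == "__main__":
    # Constructed range taken from the reply's example partner addresses.
    FIRST, LAST = "100.100.100.183", "100.100.100.212"
    print(render_object_group("PARTNER-IP", FIRST, LAST))
    # A tempting shortcut: one /25 covering .128-.255. Shows how many unintended addresses it admits.
    lazy = [ipaddress.IPv4Network("100.100.100.128/25")]
    print("addresses outside the range permitted by the /25 shortcut:",
          extra_addresses(FIRST, LAST, lazy))
```

The exact summarization needs five lines instead of thirty host entries, and `extra_addresses` returns 0 for it, whereas the single /25 shortcut would also admit 98 addresses the partner never asked for.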