Cisco Support Community

PIX configurations

I am configuring a VPN between my network and a customer who has a range of hosts that will be accessing my host. I am saddled with how to configure an access-list on my PIX to accept a range of host IP addresses from my partner, say x.x.x.183 to x.x.x.212.

Somebody please help me with this ACL. I am using an extended ACL.


Re: PIX configurations

*Firewall Forum*

You can use an object-group and one line of ACL, or use multiple ACL entries to include all the addresses.

Apply/bind the ACL on your outside interface.

And for your partner to access your internal servers/resources, I assume you have already defined a static map of internal to public IP.

Configuration example:

1. Object-group listing partner's IP:

object-group network PARTNER-IP

network-object host

network-object host

network-object host

2. Access-list on Outside interface

access-list outside permit ip object-group PARTNER-IP host x.x.x.100 ---> permit all IP traffic (any protocol, not only tcp/udp) to a single internal host

access-list outside permit tcp object-group PARTNER-IP host x.x.x.101 eq https --> allow only tcp/https

access-list outside permit udp object-group PARTNER-IP host eq domain --> allow only udp/domain (DNS, port 53)

access-group outside in interface outside

*You can create the ACL without the 'extended' keyword, as the PIX adds it automatically.

3. Static NAT/map of internal server to public IP. Assuming internal IP is

static (inside,outside) x.x.x.100 netmask --> map internal to public IP x.x.x.100

static (inside,outside) x.x.x.101 netmask --> map internal to public IP x.x.x.101
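The reply above leaves the partner addresses out of the object-group. A range such as x.x.x.183 to x.x.x.212 does not fit a single subnet, so the usual approach on a PIX is to break it into the fewest CIDR blocks and add one network-object per block. The script below is an added example, not part of the original thread or of Cisco's own tooling: it summarizes a range into minimal blocks, renders the PARTNER-IP object-group and the outside ACL lines in the same form the reply uses, and includes a check that addresses just outside the range are not matched. The prefix 203.0.113 stands in for the x.x.x of the question and is an assumption; the server addresses and ports are the ones from the reply.

```python
import ipaddress

# Assumed sample values standing in for the x.x.x prefix in the question.
PARTNER_FIRST = "203.0.113.183"
PARTNER_LAST = "203.0.113.212"

# (public/static IP of the internal server, protocol, port or None for all IP)
# Mirrors the three ACL lines in the reply; addresses are constructed.
SERVER_RULES = [
    ("203.0.113.100", "ip", None),
    ("203.0.113.101", "tcp", "https"),
    ("203.0.113.102", "udp", "domain"),
]


def summarize_range(first: str, last: str):
    """Minimal list of CIDR networks covering first..last inclusive."""
    a = ipaddress.ip_address(first)
    b = ipaddress.ip_address(last)
    if a > b:
        raise ValueError("first address must not be greater than last")
    return list(ipaddress.summarize_address_range(a, b))


def pix_object_group(name: str, first: str, last: str):
    """Render 'object-group network' lines for the summarized range.

    Single addresses become 'network-object host A.B.C.D'; larger blocks
    become 'network-object <network> <netmask>' (PIX takes a dotted mask,
    not /prefix notation).
    """
    lines = [f"object-group network {name}"]
    for net in summarize_range(first, last):
        if net.prefixlen == 32:
            lines.append(f" network-object host {net.network_address}")
        else:
            lines.append(f" network-object {net.network_address} {net.netmask}")
    return lines


def pix_acl_lines(acl_name: str, group: str, rules):
    """Render one ACL entry per (server, proto, port) rule plus the binding."""
    lines = []
    for server, proto, port in rules:
        entry = f"access-list {acl_name} permit {proto} object-group {group} host {server}"
        if port is not None:
            entry += f" eq {port}"
        lines.append(entry)
    lines.append(f"access-group {acl_name} in interface outside")
    return lines


def group_matches(first: str, last: str, addr: str) -> bool:
    """True if addr falls inside one of the summarized blocks.

    Used to confirm the summarization is tight: the blocks must cover
    every address in the range and nothing adjacent to it.
    """
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in summarize_range(first, last))


def partner_config(first=PARTNER_FIRST, last=PARTNER_LAST, rules=SERVER_RULES):
    """Full object-group plus ACL text for the scenario in the thread."""
    lines = pix_object_group("PARTNER-IP", first, last)
    lines.append("!")
    lines.extend(pix_acl_lines("outside", "PARTNER-IP", rules))
    return "\n".join(lines)


if __name__ == "__main__":
    print(partner_config())
    # Sanity check the range edges before pasting into the PIX.
    for probe in ("203.0.113.182", "203.0.113.183", "203.0.113.212", "203.0.113.213"):
        print(probe, "matched" if group_matches(PARTNER_FIRST, PARTNER_LAST, probe) else "not matched")
```

For 183 to 212 the range splits into five blocks (a /32, a /29, a /28, a /30 and a /32), so the object-group needs five network-object lines rather than thirty host entries, and the edge probes show that .182 and .213 stay outside the group. Paste the printed text into the PIX, then apply the static entries from step 3 of the reply for each server address used in the ACL.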