Hello. I've got a pretty basic small network set up with a PIX 501 as the router. My inside subnet is a typical 192.168.0.0/24 setup. I received four IP addresses from my ISP (which I will list if you like), and I currently have one bound to the outside interface. I'm doing typical PAT to pass the data from the inside network to the outside.
Now, what I want to get set up is this:
I have two printers on the internal network that I would like to have public IPs on them so the company's automated system can send the jobs to a public IP from the remote office (I realize this is a horrible idea, but I'm working with some software company that refuses to do it any other way).
I'm just wondering if I can keep the internal IPs for the printers (as the people in the local office need to print to them, as well as remotely), and make some kind of NAT rule to do this that won't disturb my global NAT rule.
I've found a few examples on the net, but whenever I set it up, the external world doesn't seem to be able to find these public IPs that I just bind with NAT, and insert access rules to allow it (basically, I just want to allow anything to these public IPs from the outside due to the software company's requirements, again, a horrible idea, I know).
I was hoping that perhaps I could get some examples from the pros (you guys). Thanks in advance!
And then in your access-list on the outside interface you need to allow access to these printers. You will need to know the port number (let's assume TCP/515) and you can either lock it down to the remote IP addresses (if you know them) or allow any, e.g.
access-list outside_access_in permit tcp any host 188.8.131.52 eq 515
access-list outside_access_in permit tcp any host 184.108.40.206 eq 515
If you can lock down the source IP addresses rather than use "any" that at least would supply a modicum of security. You may also want to consider using a site-to-site VPN from the remote site for increased security.
The access-list would need to be applied to the outside interface, e.g.
access-group outside_access_in in interface outside
Note also there is an implicit "deny ip any any" at the end of any access-list so if you need to allow other connections initiated from outside your pix to your internal network then you need to add these to your access-list.
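A complete worked version of the approach above, added here as an example rather than the answer's own configuration. It assumes PIX 6.x syntax, printer inside addresses 192.168.0.10 and 192.168.0.11, the two public addresses quoted in the answer, and a remote-office source address of 203.0.113.5 (a constructed placeholder); the static entries are assumed, since the NAT lines the answer refers to are not on this page.

```cisco
! Assumed one-to-one static NAT for the two printers (PIX 6.x syntax).
! A static entry only affects the hosts it names, so the existing
! global/nat PAT rule for the rest of 192.168.0.0/24 is left alone,
! and local users keep printing to the private addresses as before.
static (inside,outside) 188.8.131.52 192.168.0.10 netmask 255.255.255.255
static (inside,outside) 184.108.40.206 192.168.0.11 netmask 255.255.255.255

! Inbound ACL: only the remote office's host (constructed placeholder
! 203.0.113.5) may reach the LPD port on the printers' public addresses.
! Use "any" instead of "host 203.0.113.5" only if the source really is unknown.
access-list outside_access_in permit tcp host 203.0.113.5 host 188.8.131.52 eq 515
access-list outside_access_in permit tcp host 203.0.113.5 host 184.108.40.206 eq 515
! Everything else inbound falls through to the implicit "deny ip any any".

! Bind the list to the outside interface (PIX 6.x requires the "in" keyword).
access-group outside_access_in in interface outside

! After changing NAT, clear existing translations so the new statics take effect,
! then confirm with "show xlate" and "show access-list outside_access_in".
clear xlate
```

The hit counters shown by "show access-list" are the quickest way to confirm whether inbound jobs are reaching the rule or being stopped before it.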
I will go ahead and give this a shot. I have actually brought up the VPN idea to them multiple times, but they are very stubborn about their approach to this matter. The security issues are a major concern of mine, but sometimes there's just no getting through to some people.
Just as a side note, if I take the "eq" off the end, will it just allow any port? I will probably not end up doing this, but I am just curious.
access-list outside_access_in permit ip any host 220.127.116.11
I can see you also appreciate the security issues by allowing this access. If VPN is not a possibility, look to isolate the printers, e.g. private VLANs or put them on a DMZ, but this may cause problems if your internal users need them as well.
They may be stubborn, but are they prepared to compensate you if your internal network is hacked?