PIX 525: Restricting www access

Guest
Archived from groups: comp.dcom.sys.cisco,comp.security.firewalls

Hi,

I'm new to PIX configs and I have a question. I'd like to put one of my
company's intranet sites out on the internet, but I'd like only specific IP
addresses to be able to connect to it. Please help me confirm if these are
the right commands:

access-list outside permit tcp host 65.25.x.x host 208.242.x.x eq www
access-list outside permit tcp host 65.25.x.x host 208.242.x.x eq https

or please help in how do I accomplish what I'm trying to do. Thanks in
advance!
 
Guest

In article <waCdnZm-lOReDLDeRVn-jw@comcast.com>,
Jon Doe <jdoe@comcast.net> wrote:
:I'm new to PIX configs and I have a question. I'd like to put one of my
:company's intranet sites out on the internet, but I'd like only specific IP
:addresses to be able to connect to it. Please help me confirm if these are
:the right commands:

:access-list outside permit tcp host 65.25.x.x host 208.242.x.x eq www
:access-list outside permit tcp host 65.25.x.x host 208.242.x.x eq https

Those are plausible, provided that 65.25.x.x is a remote host
that you want to permit access from and 208.242.x.x is the -public-
address of the local host that you want to permit access to.

You will also need

access-group outside in interface outside

(the first 'outside' being the name of the ACL.)

You will also need a 'static' command to make the connection between
the public IP 208.242.x.x and the internal private IP of the appropriate
computer. Even if the public IP is the same as the private IP, you
will still need a 'static' command to tell the PIX that it is okay
to allow the packets through:

static (inside,outside) 208.242.x.x 192.168.242.15 netmask 255.255.255.255 0 0

or

static (inside,outside) 208.242.x.x 208.242.x.x netmask 255.255.255.255 0 0


{
To be a bit more complete:

- in some cases, there is one particular form of the 'nat' command that
might be usable instead of 'static'

- instead of static'ing the entire IP address, you could be more specific,
static (inside,outside) tcp 208.242.x.x www 192.168.242.15 www netmask 255.255.255.255 0 0

}
--
"I will speculate that [...] applications [...] could actually see a
performance boost for most users by going dual-core [...] because it
is running the adware and spyware that [...] are otherwise slowing
down the single CPU that user has today" -- Herb Sutter
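Added example, not part of the thread and not a Cisco tool: a small Python model of the order in which the reply's three pieces come into play for a new inbound TCP connection on the outside interface, in the PIX 6.x-era syntax used above. The destination must have a 'static' translation, the ACL bound with 'access-group' to the outside interface is matched against the public address (not the inside one), and anything that matches no 'permit' entry falls off the end of the list into the implicit deny. The addresses 198.51.100.10 and 203.0.113.20 are RFC 5737 documentation addresses standing in for the thread's 65.25.x.x and 208.242.x.x; 192.168.242.15 is the inside host from the reply. The port-form 'static' is not modelled.

```python
"""Toy model of PIX 6.x inbound evaluation: static xlate, then outside ACL.

Constructed example; not the thread's configuration or Cisco code.
Addresses are RFC 5737 documentation addresses standing in for the
thread's 65.25.x.x (remote client) and 208.242.x.x (public address).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Subset of the service names the PIX accepts after 'eq'.
PORT_NAMES = {"www": 80, "https": 443, "ssh": 22, "smtp": 25}


@dataclass(frozen=True)
class Ace:
    action: str                      # "permit" or "deny"
    proto: str                       # "tcp", "udp" or "ip"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]             # None means any destination port


def _parse_addr(tokens: List[str]) -> ipaddress.IPv4Network:
    """Consume 'any', 'host A' or 'A MASK' from the front of the token list."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{t}/{tokens.pop(0)}")


def parse_acl(config: List[str], name: str) -> List[Ace]:
    """Collect the entries of one named ACL, in configuration order."""
    aces = []
    for line in config:
        tok = line.split()
        if tok[:2] != ["access-list", name]:
            continue
        tok = tok[2:]
        action, proto = tok.pop(0), tok.pop(0)
        src = _parse_addr(tok)
        dst = _parse_addr(tok)
        dport = None
        if tok and tok[0] == "eq":
            dport = PORT_NAMES.get(tok[1]) or int(tok[1])
        aces.append(Ace(action, proto, src, dst, dport))
    return aces


def parse_statics(config: List[str]) -> dict:
    """Map public (global) IP -> inside IP from 'static (inside,outside) G L ...'.

    Only whole-address statics are handled; the 'tcp ... www' port form is
    skipped here for brevity.
    """
    xlate = {}
    for line in config:
        tok = line.split()
        if tok[:2] == ["static", "(inside,outside)"] and tok[2] not in ("tcp", "udp"):
            xlate[tok[2]] = tok[3]
    return xlate


def evaluate_inbound(config: List[str], src_ip: str, dst_ip: str,
                     proto: str, dport: int) -> Tuple[str, str]:
    """Return ('permit', inside_ip) or ('deny', reason) for a new inbound flow."""
    xlate = parse_statics(config)
    if dst_ip not in xlate:
        # Without a static (or equivalent nat) the PIX has no path inward at all.
        return ("deny", "no static translation for destination")
    acl_name = None
    for line in config:
        tok = line.split()
        if tok[:1] == ["access-group"] and tok[2:] == ["in", "interface", "outside"]:
            acl_name = tok[1]
    if acl_name is None:
        return ("deny", "no ACL bound to outside; inbound denied by default")
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in parse_acl(config, acl_name):      # first match wins
        if ace.proto not in ("ip", proto):
            continue
        if s not in ace.src or d not in ace.dst:  # matched on the PUBLIC address
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        if ace.action == "permit":
            return ("permit", xlate[dst_ip])
        return ("deny", "matched explicit deny")
    return ("deny", "implicit deny at end of ACL")


# Constructed configuration mirroring the reply's four commands.
CONFIG = [
    "access-list outside permit tcp host 198.51.100.10 host 203.0.113.20 eq www",
    "access-list outside permit tcp host 198.51.100.10 host 203.0.113.20 eq https",
    "access-group outside in interface outside",
    "static (inside,outside) 203.0.113.20 192.168.242.15 netmask 255.255.255.255 0 0",
]

if __name__ == "__main__":
    for src, port in [("198.51.100.10", 443), ("198.51.100.11", 80), ("198.51.100.10", 22)]:
        print(src, port, evaluate_inbound(CONFIG, src, "203.0.113.20", "tcp", port))
```

On a real PIX the same questions are answered by 'show access-list outside' (per-entry hit counts) and 'show xlate'; after adding or changing a 'static', 'clear xlate' is needed for the new translation to take effect on existing entries.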
 
Guest

Ok it worked. Thanks much!

"Walter Roberson" <roberson@ibd.nrc-cnrc.gc.ca> wrote in message
news:dgk67u$nun$1@canopus.cc.umanitoba.ca...