taki1gostek
asked on
Cisco Pix506E Access-List to Allow TCP Traffic from Specific Host to Specific Host
Hi,
I am not very Cisco-savvy and am just beginning to learn how to administer the Cisco Pix 506e, so please bear with me.
I need to set up an access list rule to allow two specific external/outside IP addresses, i.e. 67.89.16.230 and 69.112.74.173, to initiate inbound requests on TCP/UDP ports 22 and 8657 to a public IP of 141.155.64.19 that will then be translated into a local address of 192.168.109.200.
Here are the applicable excerpts from the Pix config:
access-list outside_in permit icmp any any
access-list outside_in permit tcp any host 141.155.64.19 eq ssh
access-list outside_in permit udp any host 141.155.64.19 eq 22
access-list outside_in permit tcp any host 141.155.64.19 eq 8657
access-list inside_outbound_nat0_acl permit ip 192.168.109.0 255.255.255.0 192.168.123.192 255.255.255.192
static (inside,outside) 141.155.64.19 192.168.109.200 netmask 255.255.255.255 0 0
access-group outside_in in interface outside
ASKER
Correction to the above. Please notice the CAPS
"Only two EXTERNAL/OUTSIDE IP addresses..... ....should be allowed to access this... ...host FROM THE OUTSIDE on TCP/UDP ports 22 and 8657."
>access-list outside_in permit icmp any any
>access-list outside_in permit tcp any host 141.155.64.19 eq ssh
>access-list outside_in permit udp any host 141.155.64.19 eq 22
>access-list outside_in permit tcp any host 141.155.64.19 eq 8657
no access-group outside_in in interface outside
no access-group outside_in
access-list outside_in permit icmp any any
access-list outside_in permit tcp host 67.89.16.230 host 141.155.64.19 eq ssh
access-list outside_in permit tcp host 67.89.16.230 host 141.155.64.19 eq 8657
access-list outside_in permit tcp host 69.112.74.173 host 141.155.64.19 eq ssh
access-list outside_in permit tcp host 69.112.74.173 host 141.155.64.19 eq 8657
access-group outside_in in interface outside
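Added illustration, not part of the thread or of Cisco's code: a small Python evaluator that parses the two versions of outside_in quoted above (the any-source list from the question and the host-specific list from the reply) and runs a few constructed flows through them with PIX semantics, i.e. first matching entry wins and anything unmatched hits the implicit deny at the end of the list. Two facts it relies on: on the PIX, ssh is simply the keyword for TCP port 22, so "eq ssh" and "eq 22" describe the same entry; and on PIX 6.x an access-list applied to the outside interface is matched against the public (pre-NAT) address, which is why the entries name 141.155.64.19 and not 192.168.109.200. The address 198.51.100.7 is a constructed stand-in for an arbitrary Internet host, and only the "eq" port form is parsed.

```python
"""Toy evaluator for PIX-style access-list entries (ACEs).

Added example for this thread; it is not Cisco code and only models the
subset of ACL syntax that appears in the posts above ('any', 'host X',
'NET MASK', and 'eq PORT').
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# The PIX resolves service names to port numbers; 'ssh' is TCP 22.
PORT_NAMES = {"ssh": 22, "www": 80, "https": 443, "domain": 53}


@dataclass(frozen=True)
class Ace:
    action: str                       # 'permit' or 'deny'
    proto: str                        # 'tcp', 'udp', 'icmp' or 'ip' (any)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]              # None means any destination port


def _parse_addr(tokens, i):
    """Parse one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D MASK'."""
    t = tokens[i]
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # PIX access-lists take a normal subnet mask, not an IOS wildcard mask.
    return ipaddress.ip_network(f"{t}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(line):
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT]'."""
    tok = line.split()
    if tok[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    name, action, proto = tok[1], tok[2], tok[3]
    src, i = _parse_addr(tok, 4)
    dst, i = _parse_addr(tok, i)
    dport = None
    if i < len(tok) and tok[i] == "eq":
        p = tok[i + 1]
        dport = int(p) if p.isdigit() else PORT_NAMES[p]
    return name, Ace(action, proto, src, dst, dport)


def parse_acl(text):
    """Group ACEs by list name, preserving their order (order matters)."""
    acl = {}
    for line in text.strip().splitlines():
        name, ace = parse_ace(line)
        acl.setdefault(name, []).append(ace)
    return acl


def evaluate(aces, proto, src, dst, dport):
    """First matching ACE wins; no match at all is the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in aces:
        if ace.proto not in (proto, "ip"):
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"


# The list as first posted (any source) and as tightened in the reply.
ORIGINAL = """
access-list outside_in permit icmp any any
access-list outside_in permit tcp any host 141.155.64.19 eq ssh
access-list outside_in permit udp any host 141.155.64.19 eq 22
access-list outside_in permit tcp any host 141.155.64.19 eq 8657
"""
TIGHTENED = """
access-list outside_in permit icmp any any
access-list outside_in permit tcp host 67.89.16.230 host 141.155.64.19 eq ssh
access-list outside_in permit tcp host 67.89.16.230 host 141.155.64.19 eq 8657
access-list outside_in permit tcp host 69.112.74.173 host 141.155.64.19 eq ssh
access-list outside_in permit tcp host 69.112.74.173 host 141.155.64.19 eq 8657
"""


def check(acl_text, proto, src, dport, dst="141.155.64.19"):
    """Evaluate one inbound flow against the outside_in list in acl_text."""
    return evaluate(parse_acl(acl_text)["outside_in"], proto, src, dst, dport)


if __name__ == "__main__":
    # 198.51.100.7 is a constructed (TEST-NET-2) address standing in for
    # an arbitrary Internet host that should not be let in.
    for label, acl in (("original ", ORIGINAL), ("tightened", TIGHTENED)):
        print(label, "allowed host, tcp/22 :", check(acl, "tcp", "67.89.16.230", 22))
        print(label, "other host,   tcp/22 :", check(acl, "tcp", "198.51.100.7", 22))
        print(label, "allowed host, udp/22 :", check(acl, "udp", "69.112.74.173", 22))
```

Running it shows the point of the reply: under the original list any source on the Internet reaches tcp/22 and tcp/8657 on 141.155.64.19, while under the tightened list only the two named hosts do. It also makes visible that the reply dropped the "udp any ... eq 22" entry, so UDP 22 from either host is now denied; if that was actually wanted, a matching host-specific udp line would need adding.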
ASKER
Mind if I ask why you're using eq ssh if we need ports 22 & 8657 only?
ASKER
And what about my second post regarding PDM location 192.168.109.200?
Public host 141.155.64.19 is being translated into a local IP of 192.168.109.200 - isn't that some form of an overlap?
ASKER
I'm sorry, the 2nd post wasn't clear.
ASKER CERTIFIED SOLUTION
ASKER
Spanks again!
ASKER
I think this is o.k. for the results of the commands. The second one though is "iffy", i.e. no access-group outside_in came back with "Not enough arguments".
Result of firewall command: "no access-group outside_in in interface outside"
Result of firewall command: "no access-group outside_in"
Not enough arguments.
Usage: [no] access-group <access-list> in interface <if_name> [per-user-override]
Command failed
Result of firewall command: "access-list outside_in permit icmp any any "
ACE not added. Possible duplicate entry
Result of firewall command: "access-list outside_in permit tcp host 67.89.16.230 host 141.155.64.19 eq ssh "
Result of firewall command: "access-list outside_in permit tcp host 67.89.16.230 host 141.155.64.19 eq 8657 "
Result of firewall command: "access-list outside_in permit tcp host 69.112.74.173 host 141.155.64.19 eq ssh "
Result of firewall command: "access-list outside_in permit tcp host 69.112.74.173 host 141.155.64.19 eq 8657 "
Result of firewall command: "access-group outside_in in interface outside"
ASKER
I also noticed that there are pre-existing entries for PDM that refer to 192.168.109.200 as the internal IP. Will this affect PDM or the host? Will there be a conflict when I try to use PDM on .200 if the host is in use?
excerpt:
pdm location 192.168.122.0 255.255.255.0 outside
pdm location VPNCLIENTS 255.255.255.0 outside
pdm location 192.168.109.200 255.255.255.255 inside
pdm history enable