PIX access list

Dear All,

I want to create an access list on my PIX firewall (520) that will allow one internal machine to connect to my server, which is connected directly to the Internet. Currently the internal server has a static and can contact the external machine. I want to remove the static and create the access list to allow this connection. This will be my first ACL to allow a connection from inside to outside.

Any help?
ibmas4002 Asked:

rsivanandan Commented:
>> I want to create an access list in my pix firewll ( 520) that will allow one internal machine...

I am not sure on what you are looking for;

If you are trying to allow a connection to your server from only a single host in the outside world, then this is how it should be done (don't delete the static):

static (inside,outside) <PublicIPOfServer> <PrivateIP> netmask 255.255.255.255

The above line should already be there in your config, and your access-list should look like this:

access-list ToServer permit ip host <PublicExternalMachineIP> host <PublicIPOfServer>

access-group ToServer in interface outside

Cheers,
Rajesh
ibmas4002 (Author) Commented:
I want the access list to be from inside to outside, so I think it has to be on my inside interface?

Thanks
rsivanandan Commented:
Now I don't understand at all. If you are trying to make a U-turn at the PIX, with one internal machine connecting to another internal machine that is NATted to a public IP at the PIX, it is not possible on 6.x versions.

Can you describe more on what you are trying to accomplish?

Cheers,
Rajesh

ibmas4002 (Author) Commented:
I need to allow computer 1 (located in my internal network) to connect to computer 2 (which has a public IP) without giving it a static in my PIX. I need to do it using an access list.


Thanks for help
rsivanandan Commented:
Ibmas4002,

  Why don't you mention it clearly? Is this computer 2 in the same internal network? If so, it is impossible with PIX 6.x versions; in 7.0 it is allowed.

Cheers,
Rajesh
Keith Alabaster (Enterprise Architect) Commented:
I think that this scenario has one internal LAN machine (comp1) talking to one external Internet-based machine (comp2).

This can be done with an access-list.

Along the lines of:

no static (inside,outside) ................
access-list allow_me_to_server permit tcp host internal_ip host external_IP eq port_whatever
access-list allow_me_to_server permit tcp any any
access-list allow_me_to_server permit ip any any
etc
access-group allow_me_to_server in interface inside

Just bear in mind that by default the PIX lets everything out. Once you apply an ACL on the inside like this, it blocks EVERYTHING outgoing unless you explicitly add it to the permit statements. This includes mail, DNS, etc.

Rajesh will confirm if I have made an error here but...
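The point about the inside ACL blocking everything not explicitly permitted is easy to get wrong, so here is an added example (not part of the thread, and not code from any of the posters or from Cisco) that models how the PIX evaluates an access-list applied in interface inside: first matching entry wins, and an implicit deny sits at the end. It handles only the host/any and eq forms used in the thread; the ACL names, addresses, hosts and port numbers are constructed for illustration. It also flags entries that can never fire, such as a deny repeated after an identical permit or anything placed after permit ip any any.

```python
"""First-match model of a PIX access-list applied 'in interface inside'.
Added example for this thread; not code from the posters or from Cisco.
Supports only the PIX 6.x subset used above:
    access-list NAME permit|deny PROTO SRC DST [eq PORT]
PROTO is ip/tcp/udp; SRC/DST are 'any' or 'host A.B.C.D'. Data is constructed."""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Ace:
    action: str           # 'permit' or 'deny'
    proto: str            # 'ip', 'tcp' or 'udp'
    src: Optional[str]    # None == 'any'
    dst: Optional[str]    # None == 'any'
    dport: Optional[int]  # None == any destination port

@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None

def _take_addr(tokens: list) -> Optional[str]:
    """Consume 'any' or 'host A.B.C.D' from the front of tokens."""
    kw = tokens.pop(0)
    if kw == "any":
        return None
    if kw == "host":
        return tokens.pop(0)
    raise ValueError(f"unsupported address form: {kw!r}")

def parse_acl(config: str) -> list:
    """ACEs of the access-list lines, in order; other lines are skipped."""
    aces = []
    for raw in config.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] != "access-list":
            continue  # blank, '!' comment, access-group
        _, _name, action, proto = tokens[:4]
        rest = tokens[4:]
        src, dst = _take_addr(rest), _take_addr(rest)
        dport = int(rest[1]) if rest[:1] == ["eq"] else None
        aces.append(Ace(action, proto, src, dst, dport))
    return aces

def covers(ace: Ace, other) -> bool:
    """True if ace matches every packet `other` (Flow or Ace) describes.
    With only host/any and exact-port terms this is also the packet match."""
    return ((ace.proto == "ip" or ace.proto == other.proto)
            and (ace.src is None or ace.src == other.src)
            and (ace.dst is None or ace.dst == other.dst)
            and (ace.dport is None or ace.dport == other.dport))

def evaluate(aces: list, flow: Flow) -> str:
    """First match wins; no match is the PIX's implicit deny."""
    for ace in aces:
        if covers(ace, flow):
            return ace.action
    return "deny"

def shadowed(aces: list) -> list:
    """Indices of ACEs that can never fire because an earlier ACE already
    matches everything they match."""
    return [i for i, later in enumerate(aces)
            if any(covers(earlier, later) for earlier in aces[:i])]

# Only the connection the question asks for; everything else is dropped.
STRICT_ACL = """\
access-list allow_me_to_server permit tcp host 10.1.1.5 host 203.0.113.10 eq 443
access-group allow_me_to_server in interface inside
"""

# Same, plus the outbound DNS and mail the rest of the LAN still needs.
RELAXED_ACL = """\
access-list allow_me_to_server permit tcp host 10.1.1.5 host 203.0.113.10 eq 443
access-list allow_me_to_server permit udp any any eq 53
access-list allow_me_to_server permit tcp host 10.1.1.25 any eq 25
"""

# A deny identical to the permit before it can never fire.
SHADOW_ACL = """\
access-list x permit tcp host 10.1.1.5 host 203.0.113.10 eq 443
access-list x deny tcp host 10.1.1.5 host 203.0.113.10 eq 443
access-list x permit ip any any
"""

FLOWS = {  # constructed inside-to-outside traffic
    "comp1_to_comp2": Flow("tcp", "10.1.1.5", "203.0.113.10", 443),
    "comp1_ssh_to_comp2": Flow("tcp", "10.1.1.5", "203.0.113.10", 22),
    "dns_lookup": Flow("udp", "10.1.1.7", "198.51.100.53", 53),
    "outbound_smtp": Flow("tcp", "10.1.1.25", "198.51.100.25", 25),
}

def decisions(config: str) -> dict:
    """Map each sample flow to the PIX decision under the given ACL."""
    aces = parse_acl(config)
    return {label: evaluate(aces, flow) for label, flow in FLOWS.items()}
```

Running decisions(STRICT_ACL) shows the one wanted connection permitted and the DNS lookup and outbound SMTP from other hosts dropped by the implicit deny, which is exactly the breakage the warning above describes; RELAXED_ACL permits them again without opening everything. shadowed(parse_acl(SHADOW_ACL)) returns the index of the dead deny, and the same check will flag any entry placed after permit ip any any.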
