PIX access list

Posted on 2006-04-07
Last Modified: 2013-11-16
Dear All,

   I want to create an access list in my PIX firewall (520) that will allow one internal machine to connect to my server, which is connected directly to the internet. Currently the internal server has a static and can contact the external machine. I want to remove the static and create the access list to allow this connection; this will be my first ACL to allow connections from internal to external.

any help
Question by:ibmas4002
6 Comments
 
LVL 32

Expert Comment

by:rsivanandan
ID: 16405933
>> I want to create an access list in my pix firewll ( 520) that will allow one internal machine...

I am not sure on what you are looking for;

If you are trying to allow connection to your Server from only a single host from the outside world, then this is how it should be done (don't delete the static):

static (inside,outside) <PublicIPOfServer> <PrivateIP> netmask 255.255.255.255

The above line should already be there in your config and your access-list should look like;

access-list ToServer permit ip host <PublicExternalMachineIP> host <PublicIPOfServer>

access-group ToServer in interface outside

Cheers,
Rajesh
 
LVL 2

Author Comment

by:ibmas4002
ID: 16406069
I want the access list to be from inside to outside, so I think it has to be on my inside interface?

Thanks
 
LVL 32

Expert Comment

by:rsivanandan
ID: 16407488
Now I don't understand at all. If you are trying to make a U-turn at the PIX with one internal machine connecting to another internal machine which is natted to a public ip at the PIX, it is not possible for 6.x versions.

Can you describe more on what you are trying to accomplish?

Cheers,
Rajesh
 
LVL 2

Author Comment

by:ibmas4002
ID: 16410105
I need to allow computer 1 (located in my internal network) to be able to connect to computer 2 (which has a public IP) without giving a static in my PIX; I need to do it using an access list.


Thanks for help
 
LVL 32

Expert Comment

by:rsivanandan
ID: 16410157
Ibmas4002,

  Why don't you mention it clearly? Is this computer 2 in the same internal network? If so, it is impossible with PIX 6.x versions and in 7.0 it is allowed.

Cheers,
Rajesh
 
LVL 51

Accepted Solution

by: Keith Alabaster (earned 1000 total points)
ID: 16411270
I think that this scenario has one internal LAN machine (comp1) talking to one external Internet-based machine (comp2).

This can be done by an access-list.

Along the line of

no static (inside,outside) ................
access-list allow_me_to_server permit tcp host internal_ip host external_IP eq port_whatever
access-list allow_me_to_server deny tcp host internal_ip host external_IP eq port_whatever
access-list allow_me_to_server permit tcp any any
access-list allow_me_to_server permit ip any any
etc
access-group allow_me_to_server in interface inside

Just bear in mind that by default the PIX will let everything out. Once you apply an ACL on the inside like this, it blocks EVERYTHING outgoing unless you explicitly add it to the permit statements. This includes mail, DNS etc.....

Rajesh will confirm if I have made an error here but...
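To make the warning in the accepted answer concrete, here is an added Python model (not code from the thread or from Cisco) of how a PIX evaluates an access-group ACL: first matching entry wins, and anything unmatched hits the implicit deny at the end. The access-list lines, addresses and ports in it are constructed placeholders, and only the host/any and eq-port forms of the syntax are modelled.

```python
import re

# Matches the subset of PIX access-list syntax used in this thread:
#   access-list NAME permit|deny PROTO (any|host A) (any|host B) [eq PORT]
ACE_RE = re.compile(
    r"access-list (?P<name>\S+) (?P<action>permit|deny) (?P<proto>\S+) "
    r"(?P<src>any|host \S+) (?P<dst>any|host \S+)(?: eq (?P<port>\d+))?$"
)

def parse_acl(text):
    """Parse access-list lines, in order, into (action, proto, src, dst, port)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ACE_RE.match(line)
        if not m:
            raise ValueError("unsupported line: " + line)
        g = m.groupdict()
        entries.append((g["action"], g["proto"], g["src"], g["dst"],
                        int(g["port"]) if g["port"] else None))
    return entries

def _addr_match(spec, addr):
    return spec == "any" or spec == "host " + addr

def evaluate(entries, proto, src, dst, dport):
    """First-match evaluation; no match means the implicit deny applies."""
    for action, p, s, d, port in entries:
        if p not in ("ip", proto):          # 'ip' covers every protocol
            continue
        if not (_addr_match(s, src) and _addr_match(d, dst)):
            continue
        if port is not None and port != dport:
            continue
        return action
    return "deny"

# Constructed ACL in the shape of the accepted answer (placeholder addresses).
NARROW_ACL = """
access-list allow_me_to_server permit tcp host 10.0.0.5 host 203.0.113.10 eq 443
"""
# Same ACL with DNS and SMTP permitted explicitly, as the answer says is needed.
WIDE_ACL = NARROW_ACL + """
access-list allow_me_to_server permit udp any any eq 53
access-list allow_me_to_server permit tcp any any eq 25
"""

def check(acl_text, proto, src, dst, dport):
    return evaluate(parse_acl(acl_text), proto, src, dst, dport)
```

With NARROW_ACL applied inbound on the inside interface, the one permitted flow passes but a DNS lookup from any other inside host is dropped by the implicit deny; WIDE_ACL restores DNS and mail.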