Solved

PIX: blocking traffic for static NAT doesn't work

Posted on 2009-06-30
464 Views
Last Modified: 2012-06-21
Hello

We have a PIX, and in this PIX we have the following config on interface "outside":

interface Ethernet0
 nameif outside
 security-level 0
 ip address 1.1.1.1 255.255.255.240 standby 1.1.1.2

For routing traffic to an address on the inside, I created the following static NAT:
static (GPN,outside) 1.1.1.5 192.168.1.1 netmask 255.255.255.255

All works fine; I can now reach this server on all ports I wish, but I would like to make sure only RDP is allowed to this server, so I created an access list:

access-list server_acl extended permit tcp any interface outside eq 3389
access-list server_acl extended deny ip any any

and applied it on the outside interface (I also tried something similar on the inside interface):
access-group server_acl in interface outside

Now the server is not reachable anymore on any address.

Any thoughts on this?
Question by: Qore_Networks
2 Comments
 

Accepted Solution

by: yashinchalad (earned 500 total points)
ID: 24748159

Apply only this part:
access-list server_acl extended permit tcp any host 1.1.1.5 eq 3389
access-group server_acl in interface outside
 
0
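The accepted answer fixes the problem but does not spell out why the first access list blocked everything. The configuration walk-through below is an added example, not from the original thread or from the answerer: it reuses the addresses and interface names from the question (1.1.1.1, 1.1.1.5, 192.168.1.1, GPN, outside), and the object name RDP_SERVER in the ASA 8.3+ caveat is invented for illustration.

```cisco
! Added example (not from the original thread). Addresses and interface
! names are the ones from the question; everything else is illustrative.

interface Ethernet0
 nameif outside
 security-level 0
 ip address 1.1.1.1 255.255.255.240 standby 1.1.1.2
!
! The static only creates the translation: inside host 192.168.1.1 is
! reachable from outside as the global (mapped) address 1.1.1.5.
static (GPN,outside) 1.1.1.5 192.168.1.1 netmask 255.255.255.255
!
! BROKEN (the ACL from the question):
! "interface outside" means the PIX's own outside address, 1.1.1.1, not the
! static's mapped address. No packet destined to 1.1.1.5 matches the permit,
! so everything falls through to "deny ip any any" and the server goes dark.
! "interface outside" is only right when the static itself uses the
! interface address, e.g. a port-forward of the form
!   static (GPN,outside) tcp interface 3389 192.168.1.1 3389
access-list server_acl extended permit tcp any interface outside eq 3389
access-list server_acl extended deny ip any any
!
! FIXED (the accepted answer, plus logging):
! on PIX, and on ASA before 8.3, an ACL applied inbound on "outside" is
! evaluated against the mapped/global address, so name 1.1.1.5 explicitly.
! Every ACL ends with an implicit deny, so the explicit deny is redundant;
! keeping it with "log" gives a syslog record of rejected attempts.
no access-list server_acl
access-list server_acl extended permit tcp any host 1.1.1.5 eq 3389
access-list server_acl extended deny ip any any log
access-group server_acl in interface outside
!
! Caveat when carrying this to ASA 8.3 or later: NAT moves into network
! objects and ACLs reference the REAL (untranslated) address, so the
! equivalent policy becomes:
!   object network RDP_SERVER
!    host 192.168.1.1
!    nat (GPN,outside) static 1.1.1.5
!   access-list server_acl extended permit tcp any object RDP_SERVER eq 3389
!   access-group server_acl in interface outside
```

After applying the corrected list, `show access-list server_acl` shows a hit count on the permit line for each RDP connection and on the deny line for everything else; a permit line whose hit count stays at zero while clients are connecting is the quickest sign that the destination in the ACL does not match the address the traffic actually carries.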
 

Author Closing Comment

by: Qore_Networks
ID: 31598367
I see, I was under the assumption that the interface should be guarded, but only the address was enough.

Thanks
