This has probably been asked before, but I haven't been able to find a definitive answer.
I have a requirement to access a machine inside our network from outside via the internet.
We have a Cisco PIX 506 on 6.3(5) and PDM 3.0(4) on a line with a range of static IP addresses.
It sits on an outside IP address of x.y.z.42 with the router being x.y.z.41. The inside machine is a.b.c.202 and should respond to ports 4580 and 4599.
If I want to use x.y.z.43 for the outside access to a.b.c.202, what series of commands are required on the PIX?
The inside internet access and outside VPN all work perfectly at present.
Thanks
Trevor
Last comment: Istvan Kalmar, 8/22/2022 (Mon)
Istvan Kalmar
Please show the whole config and we will tell you the lines that you need!
Thanks for that.
I tried the command, then write mem and a reload. However still no joy.
The machine is a video monitoring device listening on ports 4580 and 4599. It works fine from inside the network, but we need an external alarm company to have access.
I can ping 217.36.99.43 from outside but cannot (say) telnet to it.
I must be missing something simple here.
Istvan Kalmar
only this source address allowed from outside:
access-list outside_access_in permit ip host 217.36.99.43 host 217.36.99.43
TrevorWatson
ASKER
Yes, that would be what I am trying to achieve. With that address visible outside, routing through to 10.1.1.202, which is the machine I want to 'hit'. Preferably on ports 4580 and 4599, but anything for the moment!
I get:
date time 106023: Deny tcp src outside:xxx.xxx.xxx.243/35804 dst inside:217.xxx.xxx.43/4580 by access-group "outside_access_in"
I know xxx.xxx.xxx.243 was my testing source IP address. Interestingly, I also have the same message from an 'unknown' source IP address. Someone else following this thread?
Istvan Kalmar
but you entered x.x.x.43:
access-list outside_access_in permit ip host 217.36.99.43 host 217.36.99.43
you need:
access-list outside_access_in permit ip host x.x.x.243 host 217.36.99.43
Please remember I'm a real beginner on PIX's, but I think the light has come on.
The x.x.x.243 address was the machine I was using to 'probe' my firewall. In the future I will not know the address(es) of the machines that will access in.
Should the command read something like:
access-list outside_access_in permit ip host any host 217.36.99.43 eq 4580
and
access-list outside_access_in permit ip host any host 217.36.99.43 eq 4599
??
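As an added example (not from this thread or from any of the posters), the PIX 6.3 lines that map the spare outside address to the inside host and open only the two ports, using the addresses already given above (217.36.99.43 outside, 10.1.1.202 inside, ACL name outside_access_in). Note the ACL syntax takes `any` as a bare source keyword (no `host` before it) and a port match needs `tcp`, not `ip`; the port-level `static` form assumes that only those two TCP ports should ever be reachable.

```cisco
! Port-level static NAT: only TCP 4580 and 4599 on 217.36.99.43 are translated
! to 10.1.1.202; any other port on .43 has no translation and is dropped.
static (inside,outside) tcp 217.36.99.43 4580 10.1.1.202 4580 netmask 255.255.255.255 0 0
static (inside,outside) tcp 217.36.99.43 4599 10.1.1.202 4599 netmask 255.255.255.255 0 0

! Inbound ACL: source is "any" because the alarm company's addresses are not
! known in advance; destination is the outside (translated) address and port.
access-list outside_access_in permit tcp any host 217.36.99.43 eq 4580
access-list outside_access_in permit tcp any host 217.36.99.43 eq 4599

! Apply the ACL inbound on the outside interface (only needed if not already applied).
access-group outside_access_in in interface outside

! Clear existing translations so the new statics take effect, then save.
clear xlate
write memory
```

Once applied, `show xlate` should list the two static entries, and a blocked attempt on any other port will still log a 106023 deny against outside_access_in, which is the expected behaviour.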
The PIX is functioning as required, although it appeared to hang up overnight and required a power off to reset it. Not surprising bearing in mind how much futzing around I've been doing!
Please refer to these guides/howtos:
http://www.netcraftsmen.net/resources/archived-articles/369-cisco-pix-firewall-basics.html
http://www.linuxhomenetworking.com/cisco-hn/dsl-pix.htm