Question

Need assistance configuring ACL's on PIX 501

By ohhaither
PIX version 6.2

I need to allow the following ports:
TCP 1720
TCP & UDP 3230-3237

From 130.63.63.11 and 130.63.63.115 to an internal host with an address of 192.168.1.150. The external/public PIX interface for the sake of this example is 50.50.50.50. So far I have:

access-list video_in permit tcp host 130.63.63.11 host 50.50.50.50 eq 1720
access-list video_in permit tcp host 130.63.63.115 host 50.50.50.50 eq 1720
access-list video_in permit tcp host 130.63.63.11 host 50.50.50.50 range 3230 3237
access-list video_in permit tcp host 130.63.63.115 host 50.50.50.50 range 3230 3237
access-list video_in permit udp host 130.63.63.11 host 50.50.50.50 range 3230 3237
access-list video_in permit udp host 130.63.63.115 host 50.50.50.50 range 3230 3237
access-group video_in in interface outside


From what I've read this should allow the proper port ranges in. Assuming the above configuration is correct, I believe I need a static command to forward external port-specific traffic, but I can't seem to get the command correct. Can anyone shed some light on this matter for me?

This conversation is currently closed to new comments.

6 total posts (Page 1 of 1)  

All Answers


static command

by netwrk_admn In reply to Need assistance configuri ...

static (inside,outside) 50.50.50.50 192.168.1.150 netmask 255.255.255.255 0 0

try that. I have a PIX 515 (v. 6.2) and I use those ACLs all the time.

Now, use this with caution because any other open traffic coming in on 50.50.50.50 will be routed to 192.168.1.150, from what I know.


thanks, but it didn't work

by ohhaither In reply to static command

Thanks for the response.

I did try that but unfortunately, like you said, that static command forwards all traffic to the internal .150 address which disables internet related communication from all other hosts on my internal network. Is there any way to configure a static command to be port specific?

I'm not up on all my terms but I believe I am running PAT (one public IP utilized by many internal hosts). Is there any way to make this work with my configuration?


Try something like this

by NetMan1958 In reply to thanks, but it didn't work

static (inside,outside) tcp interface 1720 192.168.1.150 1720 netmask 255.255.255.255

and so on


is there a way to specify a range?

by ohhaither In reply to Try something like this

When using the static command, can I use a range command similar to the ACLs, or do I have to create a static command for each specific UDP and TCP port?


Maybe

by NetMan1958 In reply to is there a way to specify ...

If your PIX version supports object groups. See this article:
http://itprofesionals.blogspot.com/2009/08/cisco-pix-using-names-and-object-groups.html
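Added worked example (not from any post in this thread, and not Cisco's own code): a small Python script that generates the complete PIX 6.2 configuration the thread converges on, the `video_in` access-list from the question plus the per-port `static` commands from the later answers, and then evaluates a few sample flows against the generated access-list to confirm that only the two peers on the listed ports are permitted. It assumes the interfaces are named `inside` and `outside`, that the `interface` keyword in the static refers to the outside address 50.50.50.50, and that the ACL parser only needs to handle the `host ... host ... eq|range` form used here. Because the PIX 6.x `static` command accepts a single port, the script expands each range into one static per port, which answers the "is there a way to specify a range?" question for a box without object groups.

```python
"""Generate and sanity-check the PIX 6.2 port-forwarding policy from the thread."""
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample values copied from the thread: permitted peers, the inside
# video host, the outside (mapped) address and the required protocol/port rules.
PEERS = ["130.63.63.11", "130.63.63.115"]
INSIDE_HOST = "192.168.1.150"
OUTSIDE_IP = "50.50.50.50"
PORT_RULES: List[Tuple[str, int, int]] = [
    ("tcp", 1720, 1720),
    ("tcp", 3230, 3237),
    ("udp", 3230, 3237),
]


def acl_lines(name: str = "video_in") -> List[str]:
    """One access-list entry per peer and per protocol/port rule, plus the access-group.

    The destination is the mapped (outside) address: a PIX 6.x outside ACL is
    matched against the packet as it arrives, before the static un-translates it.
    """
    lines = []
    for proto, lo, hi in PORT_RULES:
        for peer in PEERS:
            ports = f"eq {lo}" if lo == hi else f"range {lo} {hi}"
            lines.append(
                f"access-list {name} permit {proto} host {peer} host {OUTSIDE_IP} {ports}"
            )
    lines.append(f"access-group {name} in interface outside")
    return lines


def static_lines() -> List[str]:
    """Port-forwarding statics that leave PAT intact for every other inside host.

    Unlike access-list, the PIX 6.x static command has no 'range' keyword, so each
    port range expands to one static per port (assumption: interfaces are named
    inside/outside and 'interface' denotes the outside address).
    """
    lines = []
    for proto, lo, hi in PORT_RULES:
        for port in range(lo, hi + 1):
            lines.append(
                f"static (inside,outside) {proto} interface {port} "
                f"{INSIDE_HOST} {port} netmask 255.255.255.255"
            )
    return lines


@dataclass
class Ace:
    proto: str
    src: str
    dst: str
    lo: int
    hi: int


def parse_ace(line: str) -> Ace:
    """Parse the restricted 'permit <proto> host A host B eq|range ...' form used above."""
    t = line.split()
    if t[0] != "access-list" or t[2] != "permit" or t[4] != "host" or t[6] != "host":
        raise ValueError(f"unsupported entry: {line}")
    if t[8] == "eq":
        lo = hi = int(t[9])
    elif t[8] == "range":
        lo, hi = int(t[9]), int(t[10])
    else:
        raise ValueError(f"unsupported port operator in: {line}")
    return Ace(proto=t[3], src=t[5], dst=t[7], lo=lo, hi=hi)


def permitted(aces: List[Ace], proto: str, src: str, dst: str, dport: int) -> bool:
    """First-match evaluation; anything unmatched hits the implicit deny."""
    for a in aces:
        if a.proto == proto and a.src == src and a.dst == dst and a.lo <= dport <= a.hi:
            return True
    return False


def permitted_by_policy(proto: str, src: str, dport: int, dst: str = OUTSIDE_IP) -> bool:
    """Evaluate a sample flow against the generated video_in access-list."""
    aces = [parse_ace(l) for l in acl_lines() if l.startswith("access-list ")]
    return permitted(aces, proto, src, dst, dport)


if __name__ == "__main__":
    for line in acl_lines() + static_lines():
        print(line)
    # A peer on the right port passes; anything else falls through to the deny.
    print(permitted_by_policy("tcp", "130.63.63.11", 1720))    # True
    print(permitted_by_policy("tcp", "130.63.63.12", 1720))    # False
```

Running the script prints the seven access-list/access-group lines followed by seventeen statics (one for TCP 1720, eight each for TCP and UDP 3230-3237), ready to paste into the PIX; the evaluator at the end is the quick check a practitioner would do to confirm that a third-party source, a wrong protocol, or a port just outside the range is still denied.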
