Yes, you need to add one more conduit command in your configuration, say 200.0.0.0 is 
the external subnet you want to give the access right.

static (inside,outside) 207.0.0.2 192.168.10.25 netmask 255.255.255.255 0 0
conduit permit ip host 207.0.0.2 200.0.0.0 255.0.0.0 

"static" command is used to map an internal IP to an external IP, and "conduit" is 
used to enable the outside host/network to access that external IP.

You can find a detailed explanation of conduit here: 
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_61/cmd_ref/c.htm#xtocid5

Fei.

-----Original Message-----
From: Chuck Scott [mailto:[EMAIL PROTECTED]]
Sent: Friday, May 03, 2002 4:58 PM
To: [EMAIL PROTECTED]; Fei Yang
Subject: RE: Access lists and PIX 5.1 IOS


That did it.  Thanks!  Since you seem to be the man, <grin>, I have another quick 
question for you.  If I want that same external subnet to have access to a specific IP 
on my internal subnet, (i.e.: 192.168.10.x), and not a DMZ, would I use this for the 
static command:

static (inside,outside) 207.0.0.2 192.168.10.25 netmask 255.255.255.255 0 0

Where 207.0.0.2 is the public IP and 192.168.10.25 is the device on my internal 
subnet?  Also, do I need to modify the conduit statement?

Thanks again!


>>> "Fei Yang" <[EMAIL PROTECTED]> 05/03/02 01:40PM >>>
Your static and conduit commands allow all outside hosts to access TCP port 
3001 on host 207.x.x.x. But your access list seems to deny outside hosts access to 
207.x.x.x TCP 3001. I'm not sure which command the PIX will execute first, or which 
command will overtake the other one. But say if you want outside subnet 200.0.0.0/8 to 
access TCP3001 on your host 207.x.x.x, and block all others, you can use the static 
and conduit as follows:

static  (DMZ-WEB,outside) 207.x.x.x 192.168.x.x netmask 255.255.255.255 0 0
conduit permit tcp host 207.x.x.x eq 3001 200.0.0.0 255.0.0.0

And, erase all access list commands.
Fei.

-----Original Message-----
From: Chuck Scott [mailto:[EMAIL PROTECTED]] 
Sent: Friday, May 03, 2002 4:20 PM
To: [EMAIL PROTECTED] 
Subject: Access lists and PIX 5.1 IOS


I have a PIX 515 running IOS 5.1.  I need to block access to a specific port from the 
outside world and allow only a specified subnet access.  Here is what I have so far:

access-list 103 permit ip any any
access-list 103 deny tcp any eq 3001 host 207.x.x.x
access-group 103 in interface outside

I was hoping this would block all access, (for testing purposes), but it did not. I am 
fairly new to the PIX but have done a lot of router work in the past so I am a bit 
stumped.  There is a conduit statement in the config so I will include that in case 
that is a problem:

conduit permit tcp host 207.x.x.x eq 3001 any

And a static statement:

static (DMZ-WEB,outside) 207.x.x.x 192.168.x.x netmask 255.255.255.255 0 0

Thanks in advance...

Chuck

Chuck Scott
Windows Lead/WAN Engineer
MedData Inc.
[EMAIL PROTECTED] 
Office: (206) 812-5993  
Fax: (206) 622-4349
Cel: (360) 440-8282
Help Desk: 800-454-6219

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED] 
For Account Management (unsubscribe, get/change password, etc) Please go to:
http://lists.gnac.net/mailman/listinfo/firewalls
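The thread turns on two things a PIX 5.1 does with these lines: it evaluates an access-list top-down and stops at the first match (with an implicit deny if nothing matches), and its access-list syntax reads source then destination while conduit syntax reads global (destination) then foreign (source), each with an optional `eq port` after the address it follows. The Python model below is added here and is not part of the thread; it parses the lines posted above and runs a few constructed packets through them. 207.0.0.2 from Fei's last reply stands in for the elided 207.x.x.x, and the client addresses and ports are made up.

```python
"""Model of PIX 5.1 access-list / conduit evaluation (added example, not from the thread)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple, List


@dataclass
class Rule:
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches any protocol; else "tcp"/"udp"
    src: ipaddress.IPv4Network
    src_port: Optional[int]
    dst: ipaddress.IPv4Network
    dst_port: Optional[int]
    text: str


def _take_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, Optional[int], int]:
    """Consume 'any' | 'host A' | 'A MASK', then an optional 'eq PORT' that follows it."""
    t = tokens[i]
    if t == "any":
        net, i = ipaddress.ip_network("0.0.0.0/0"), i + 1
    elif t == "host":
        net, i = ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    else:  # PIX uses a real netmask here, not an IOS wildcard mask
        net, i = ipaddress.ip_network(f"{t}/{tokens[i + 1]}", strict=False), i + 2
    port = None
    if i < len(tokens) and tokens[i] == "eq":
        port, i = int(tokens[i + 1]), i + 2
    return net, port, i


def parse(line: str) -> Rule:
    tokens = line.split()
    if tokens[0] == "access-list":
        # access-list ID ACTION PROTO SOURCE [eq P] DESTINATION [eq P]
        action, proto, i = tokens[2], tokens[3], 4
        src, sp, i = _take_addr(tokens, i)
        dst, dp, i = _take_addr(tokens, i)
    elif tokens[0] == "conduit":
        # conduit ACTION PROTO GLOBAL(destination) [eq P] FOREIGN(source) [eq P]
        action, proto, i = tokens[1], tokens[2], 3
        dst, dp, i = _take_addr(tokens, i)
        src, sp, i = _take_addr(tokens, i)
    else:
        raise ValueError("unsupported line: " + line)
    return Rule(action, proto, src, sp, dst, dp, line)


def matches(r: Rule, proto: str, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> bool:
    if r.proto != "ip" and r.proto != proto:
        return False
    if ipaddress.ip_address(src_ip) not in r.src or ipaddress.ip_address(dst_ip) not in r.dst:
        return False
    if r.src_port is not None and r.src_port != src_port:
        return False
    if r.dst_port is not None and r.dst_port != dst_port:
        return False
    return True


def evaluate(rules: List[Rule], proto, src_ip, src_port, dst_ip, dst_port) -> Tuple[str, Optional[str]]:
    """Top-down, first match wins; no match means the implicit deny."""
    for r in rules:
        if matches(r, proto, src_ip, src_port, dst_ip, dst_port):
            return r.action, r.text
    return "deny", None


# Chuck's list as posted: the blanket permit is first, so the deny line is never reached.
AS_POSTED = [parse(l) for l in [
    "access-list 103 permit ip any any",
    "access-list 103 deny tcp any eq 3001 host 207.0.0.2",
]]
# Same lines, deny first. The 'eq 3001' follows the source 'any', so it constrains the
# client's SOURCE port; a client on an ephemeral port still reaches the permit.
DENY_FIRST = [AS_POSTED[1], AS_POSTED[0]]
# Destination-port form: denies connections TO 207.0.0.2 port 3001, then permits the rest.
DENY_DST_PORT = [parse(l) for l in [
    "access-list 103 deny tcp any host 207.0.0.2 eq 3001",
    "access-list 103 permit ip any any",
]]
# Fei's conduit: only 200.0.0.0/8 reaches 207.0.0.2:3001; everyone else hits the implicit deny.
CONDUIT = [parse("conduit permit tcp host 207.0.0.2 eq 3001 200.0.0.0 255.0.0.0")]


def demo() -> dict:
    # Constructed outside client (not in 200/8), ephemeral source port, to the 3001 service.
    pkt = ("tcp", "198.51.100.7", 40000, "207.0.0.2", 3001)
    return {
        "as_posted": evaluate(AS_POSTED, *pkt)[0],            # permit
        "deny_first": evaluate(DENY_FIRST, *pkt)[0],          # permit
        "deny_dst_port": evaluate(DENY_DST_PORT, *pkt)[0],    # deny
        "conduit_outsider": evaluate(CONDUIT, *pkt)[0],       # deny
        "conduit_allowed": evaluate(CONDUIT, "tcp", "200.1.2.3", 40000, "207.0.0.2", 3001)[0],  # permit
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18s} {verdict}")
```

The model evaluates an access-list and a conduit list separately rather than merging them: per the PIX command reference, an access-group bound to an interface overrides the conduit statements for that interface, which is why keeping only one of the two mechanisms, as Fei suggests, gives a single predictable policy.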

