Re: Can the Pix do this? [7:32320]
in addition...do not forget your static lines (if traffic is inbound)... =)

Craig Columbus wrote:

The pix can easily do this. Use one line for each outside address that you want the inside client to access. You don't say what port you're contacting on the outside, but you should also limit contact by port. For example:

access-list 101 permit tcp host 192.168.1.1 host 1.1.1.1 eq www
access-list 101 permit tcp host 192.168.1.1 host 1.1.1.2 eq www
access-list 101 permit tcp host 192.168.1.1 host 1.1.1.3 eq www
access-list 101 deny ip host 192.168.1.1 any

Hope this helps. However, I recommend that you have your pix config reviewed by a security guru to verify that you haven't accidentally opened your network up.

Craig

At 12:45 PM 1/17/2002 -0500, you wrote:
>I have a Pix 515 running ver. 6.1. I have a host that will be made available
>to the public for a web-enabled product demonstration. Parts of the product
>are NOT located on my internal network, so host needs to cross the firewall
>to function properly. Can I add a line to my access list that will allow
>this particular host access ONLY to two or three different IP addresses, and
>deny it access to the rest of the www? Could someone give me a little help
>with the syntax? Would it be something like this:
>
>access-list 101 permit ip 255.255.0.0 255.255.255.0
>
>Can I put all the addresses that I want to allow the host to access in one
>line? Do I need 3 separate lines? Should I put a deny statement at the end?
>Will this even work? Am I high? Just kidding, thanks in advance.
>
>Kris.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=32435&t=32320
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

Re: Can the Pix do this? [7:32320]
The pix can easily do this. Use one line for each outside address that you want the inside client to access. You don't say what port you're contacting on the outside, but you should also limit contact by port. For example:

access-list 101 permit tcp host 192.168.1.1 host 1.1.1.1 eq www
access-list 101 permit tcp host 192.168.1.1 host 1.1.1.2 eq www
access-list 101 permit tcp host 192.168.1.1 host 1.1.1.3 eq www
access-list 101 deny ip host 192.168.1.1 any

Hope this helps. However, I recommend that you have your pix config reviewed by a security guru to verify that you haven't accidentally opened your network up.

Craig

At 12:45 PM 1/17/2002 -0500, you wrote:
>I have a Pix 515 running ver. 6.1. I have a host that will be made available
>to the public for a web-enabled product demonstration. Parts of the product
>are NOT located on my internal network, so host needs to cross the firewall
>to function properly. Can I add a line to my access list that will allow
>this particular host access ONLY to two or three different IP addresses, and
>deny it access to the rest of the www? Could someone give me a little help
>with the syntax? Would it be something like this:
>
>access-list 101 permit ip 255.255.0.0 255.255.255.0
>
>Can I put all the addresses that I want to allow the host to access in one
>line? Do I need 3 separate lines? Should I put a deny statement at the end?
>Will this even work? Am I high? Just kidding, thanks in advance.
>
>Kris.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=32332&t=32320

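The first-match behaviour of the ACL in the reply above, as an added example that is not part of the original posts: a small Python evaluator that runs the four posted lines against sample flows. The function names (`parse_addr`, `parse_acl`, `evaluate`) and the test flows are constructed for this illustration; it also shows that a source other than 192.168.1.1 matches no line and falls through to the implicit deny that ends every ACL.

```python
import ipaddress

# The four ACL lines from the reply above, copied as posted.
ACL_101 = """\
access-list 101 permit tcp host 192.168.1.1 host 1.1.1.1 eq www
access-list 101 permit tcp host 192.168.1.1 host 1.1.1.2 eq www
access-list 101 permit tcp host 192.168.1.1 host 1.1.1.3 eq www
access-list 101 deny ip host 192.168.1.1 any
"""

PORT_NAMES = {"www": 80}  # only the port keyword this ACL uses


def parse_addr(tokens):
    """Consume 'host A', 'any' or 'A NETMASK' and return an ip_network."""
    first = tokens.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{first}/{tokens.pop(0)}", strict=False)


def parse_acl(text):
    """Turn access-list lines into (action, proto, src, dst, port) tuples."""
    rules = []
    for line in text.splitlines():
        tokens = line.split()
        if tokens[:1] != ["access-list"]:
            continue
        action, proto, rest = tokens[2], tokens[3], tokens[4:]
        src, dst = parse_addr(rest), parse_addr(rest)
        port = None
        if rest[:1] == ["eq"]:
            port = PORT_NAMES.get(rest[1]) or int(rest[1])
        rules.append((action, proto, src, dst, port))
    return rules


def evaluate(rules, proto, src, dst, dport=None):
    """First matching line wins; no match means the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, (action, r_proto, r_src, r_dst, r_port) in enumerate(rules, 1):
        hit = (r_proto in ("ip", proto) and s in r_src and d in r_dst
               and (r_port is None or r_port == dport))
        if hit:
            return action, f"line {n}"
    return "deny", "implicit"
```

If this list is bound to the inside interface, traffic from other inside hosts needs its own permit lines, since it otherwise reaches the implicit deny.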
Re: Can the Pix do this? [7:32320]
depends...you have to check the apps people who wrote it... Some apps will not work no matter what you do with NAT (This is a VERY common problem with MS DCOM) so be wary.

-Patrick

>>> "Kris Waters" 01/17/02 12:45PM >>>
I have a Pix 515 running ver. 6.1. I have a host that will be made available to the public for a web-enabled product demonstration. Parts of the product are NOT located on my internal network, so host needs to cross the firewall to function properly. Can I add a line to my access list that will allow this particular host access ONLY to two or three different IP addresses, and deny it access to the rest of the www? Could someone give me a little help with the syntax? Would it be something like this:

access-list 101 permit ip 255.255.0.0 255.255.255.0

Can I put all the addresses that I want to allow the host to access in one line? Do I need 3 separate lines? Should I put a deny statement at the end? Will this even work? Am I high? Just kidding, thanks in advance.

Kris.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=32327&t=32320

RE: Can the Pix do this? [7:32320]
Some of my message got filtered in the last one, the syntax was supposed to look like this:

access-list 105 permit ip (outside address) 255.255.0.0 (demohost) 255.255.255.0

Thanks,
Kris.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=32322&t=32320