allow outside to access inside pix 515

gregg
12-04-2003
I have a PIX 515. I want to allow access to a server inside from an external address.

outside interface is set to 192.168.102.2
outside wan address is 192.168.117.0
inside server address is 192.168.107.40

How do I do this?

Here is what I have

nat (outside) 192.168.117.0 255.255.255.0
route outside 192.168.117.0 255.255.255.0 192.168.102.2
conduit permit tcp host 192.168.117.2 eq telnet host 192.168.107.40

Thanks in advance
Walter Roberson
12-04-2003
In article <(E-Mail Removed) >,
gregg <(E-Mail Removed)> wrote:
:I have a PIX 515. I want to allow access to a server inside from an external address.

:outside interface is set to 192.168.102.2
:outside wan address is 192.168.117.0
:inside server address is 192.168.107.40

:How do I do this?

:Here is what I have

:nat (outside) 192.168.117.0 255.255.255.0
:route outside 192.168.117.0 255.255.255.0 192.168.102.2
:conduit permit tcp host 192.168.117.2 eq telnet host 192.168.107.40

Your conditions don't match what you say you have so far.
'conduit' uses destination and then source, but 192.168.117.2
[your destination in the conduit] is on the outside and
192.168.107.40 [your source in the conduit] is on the inside.

What do you mean when you say that the "outside wan address" is one
thing, but the outside interface is another?

*If* 192.168.117.0 is the public address that the server is known
as to the outside, and if 192.168.107.40 is the private address of
the server, not directly accessible to the outside, and if
192.168.117.0 is routed by your ISP and WAN router to 192.168.102.2,
and if 192.168.117.2 is the outside host that needs to be permitted access,
then you would configure like this:

static (inside, outside) 192.168.117.0 192.168.107.40 netmask 255.255.255.255 0 0
access-list out2in permit tcp host 192.168.117.2 host 192.168.117.0 eq telnet
access-group out2in in interface outside

You would, under these circumstances, likely also get rid of
that 'route' statement, as 192.168.117.0/24 would be covered by the
default route that you likely have.

With the setup above, the PIX -would- proxy-arp for the IP address
192.168.117.0 (which, incidentally, clashes with the address you
have given in the route statement), but unless your WAN router
uses 'secondary' addresses to put both 192.168.102/24 and
192.168.117/24 onto the same segment, or the WAN router is
set to use 255.255.255.255 as the broadcast IP, the ARP broadcast might not
touch the PIX, so the proxy-arp might not help any; a WAN host
route of host 192.168.117.0 to 192.168.102.2 would be best.


I wouldn't expect the configuration I have given above to work in your
situation, as the information you've given is inconsistent. You
have probably tried to hide the real IP addresses involved, but in
doing so you have accidentally made it impossible for us to answer
correctly.
--
vi -- think of it as practice for the ROGUE Olympics!
gregg
12-05-2003
http://www.velocityreviews.com/forums/(E-Mail Removed)-cnrc.gc.ca (Walter Roberson) wrote in message news:<bqo36s$dsa$(E-Mail Removed)>...

Sorry, I'm new to Cisco. Let me clarify.

192.168.117.0 is a private address range on the outside of our
firewall (another company)
192.168.102.1 is one of the outside interfaces of the pix
192.168.102.2 is a router outside the firewall that routes all .117
traffic to the correct place.

I need to know how to allow all traffic from the 192.168.117.0 subnet
to telnet to 192.168.107.?? (inside the firewall).
Walter Roberson
12-05-2003
In article <(E-Mail Removed) >,
gregg <(E-Mail Removed)> wrote:
:Sorry, I'm new to Cisco. Let me clarify.

:192.168.117.0 is a private address range on the outside of our
:firewall (another company)
:192.168.102.1 is one of the outside interfaces of the pix
:192.168.102.2 is a router outside the firewall that routes all .117
:traffic to the correct place.

:I need to know how to allow all traffic from the 192.168.117.0 subnet
:to telnet to 192.168.107.?? (inside the firewall).

Here are the commands that you asked for:

static (inside, outside) 192.168.107.0 192.168.107.0 netmask 255.255.255.0 0 0
access-list out2in permit tcp 192.168.117.0 255.255.255.0 192.168.107.0 255.255.255.0 eq telnet
access-group out2in in interface outside

I suspect this might not be what you really want, though.

The configuration I have given above assumes that 192.168.107/24 is
a public IP address range that you are using on both the inside
and the outside, and that your router is routing it to the PIX
(needed because it is in a different subnet than the PIX outside address).
It also allows telnet access to *all* hosts in 192.168.107/24
[except .0 and .255 -- those are implicitly blocked by the 'static'],
including any router or infrastructure you might have in that subnet.
Your previous message spoke only of 192.168.107.40 needing to be
telnet'd to, but your clarification says 192.168.107.?? implying the
entire subnet.

If you want just 192.168.107.40 to be reachable, it would be

static (inside, outside) 192.168.107.40 192.168.107.40 netmask 255.255.255.255 0 0
access-list out2in permit tcp 192.168.117.0 255.255.255.0 host 192.168.107.40 eq telnet
access-group out2in in interface outside


Usually (but certainly not always), there would be a noticeably
different setup with different assumptions. If we say that
the internal machine with -private- IP address 192.168.107.40 needs
to be accessible from the outside by way of the outside IP address
192.168.102.3, then the configuration would be as follows, with there
being no need to route 192.168.107/24 to the PIX at the WAN router:

static (inside, outside) 192.168.102.3 192.168.107.40 netmask 255.255.255.255 0 0
access-list out2in permit tcp 192.168.117.0 255.255.255.0 host 192.168.102.3 eq telnet
access-group out2in in interface outside


There is another notable case as well, in which the internal machine
192.168.107.40 has to be accessible using the outside IP address of the
PIX itself. The configuration for that would -almost- be:

static (inside, outside) tcp interface telnet 192.168.107.40 telnet netmask 255.255.255.255 0 0
access-list out2in permit tcp 192.168.117.0 255.255.255.0 interface eq telnet
access-group out2in in interface outside

I say -almost- because it happens that you cannot use this form for telnet
or tcp 1467: those two ports are reserved for access to the PIX itself.

--
millihamlet: the average coherency of prose created by a single monkey
typing randomly on a keyboard. Usenet postings may be rated in mHl.
-- Walter Roberson
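As an added illustration (not part of the thread, and not Cisco's own tooling), the following Python checker parses the static / access-list / access-group triple that Walter's replies use and flags the mistake in the original question: naming the inside (real) address as the destination of an inbound ACL instead of the mapped address. The sample configs are constructed from the addresses in the thread; the `tcp interface ...` port-forwarding form of `static` is deliberately left unparsed.

```python
import ipaddress
import re

def _addr(tokens):
    """Consume one PIX address spec ('any', 'host A' or 'A MASK'); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.IPv4Network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_static(line):
    """'static (real_if,mapped_if) MAPPED REAL netmask MASK ...' -> dict, else None."""
    m = re.match(r"static\s*\(\s*(\w+)\s*,\s*(\w+)\s*\)\s+(\S+)\s+(\S+)\s+netmask\s+(\S+)", line)
    if not m:
        return None
    real_if, mapped_if, mapped, real, mask = m.groups()
    return {"real_if": real_if, "mapped_if": mapped_if,
            "mapped": ipaddress.IPv4Network(f"{mapped}/{mask}", strict=False),
            "real": ipaddress.IPv4Network(f"{real}/{mask}", strict=False)}

def parse_ace(line):
    """'access-list NAME permit|deny PROTO SRC DST [eq PORT]' -> dict, else None."""
    m = re.match(r"access-list\s+(\S+)\s+(permit|deny)\s+(\S+)\s+(.+)", line)
    if not m:
        return None
    name, action, proto, rest = m.groups()
    src, rest = _addr(rest.split())
    dst, rest = _addr(rest)
    return {"acl": name, "action": action, "proto": proto, "src": src, "dst": dst, "port": " ".join(rest)}

def check(config):
    """Each permit in an applied ACL must name a mapped (outside-visible) address as destination."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    statics = [s for s in map(parse_static, lines) if s]
    aces = [a for a in map(parse_ace, lines) if a and a["action"] == "permit"]
    applied = dict(re.findall(r"access-group\s+(\S+)\s+in\s+interface\s+(\S+)", config))
    findings = []
    for a in aces:
        if a["acl"] not in applied:
            findings.append(f"access-list {a['acl']} is never applied with access-group")
        elif not any(a["dst"].subnet_of(s["mapped"]) for s in statics):
            inside = [s for s in statics if a["dst"].subnet_of(s["real"])]  # the thread's mistake
            findings.append(f"dst {a['dst']} is the inside address; use mapped {inside[0]['mapped']}"
                            if inside else f"dst {a['dst']} is not covered by any static")
    return findings

# Constructed samples using the thread's addresses: Walter's private-address variant, then the
# same lines with the inside address mistakenly used as the ACL destination.
GOOD = """
static (inside,outside) 192.168.102.3 192.168.107.40 netmask 255.255.255.255 0 0
access-list out2in permit tcp 192.168.117.0 255.255.255.0 host 192.168.102.3 eq telnet
access-group out2in in interface outside
"""
BAD = GOOD.replace("host 192.168.102.3", "host 192.168.107.40")
```

Running `check(GOOD)` returns no findings, while `check(BAD)` reports that the ACL names the inside address and should use the mapped 192.168.102.3 instead.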