In article <waCdnZm-lOReDLDeRVn->,
Jon Doe <> wrote:
:I'm new to PIX configs and I have a question. I'd like to put on of my
:companies intranet sites out on the internet, but I'd like only specific IP
:addresses to be able to connect to it. Please help me confirm if these are
:the right commands:
:access-list outside permit tcp host 65.25.x.x host 208.242.x.x eq www
:access-list outside permit tcp host 65.25.x.x host 208.242.x.x eq https
Those are plausible, provided that 65.25.x.x is a remote host
that you want to permit access from and 208.242.x.x is the -public-
address of the local host that you want to permit access to.
You will also need
access-group outside in interface outside
(the first 'outside' being the name of the ACL.)
You will also need a 'static' command to make the connection between
the public IP 208.242.x.x and the internal private IP of the appropriate
computer. Even if the public IP is the same as the private IP, you
will still need a 'static' command to tell the PIX that it is okay
to allow the packets through:
static (inside,outside) 208.242.x.x 192.168.242.15 netmask 255.255.255.255 0 0
or
static (inside,outside) 208.242.x.x 208.242.x.x netmask 255.255.255.255 0 0
{
To be a bit more complete:
- in some cases, there is one particular form of the 'nat' command that
might be useable instead of 'static'
- instead of static'ing the entire IP address, you could be more specific,
static (inside,outside) tcp 208.242.x.x www 192.168.242.15 www netmask 255.255.255.255 0 0
}
--
"I will speculate that [...] applications [...] could actually see a
performance boost for most users by going dual-core [...] because it
is running the adware and spyware that [...] are otherwise slowing
down the single CPU that user has today" -- Herb Sutter
|
Similar Threads
