I'm looking for some expert help to verify my command entries please.
My current PIX501 configuration is as follows, minus parts I don't
think are needed to answer this.
----Parts omitted----
object-group service ABC tcp
port-object eq smtp
port-object eq 3389
port-object eq https
access-list 100 permit tcp any any object-group ABC
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
----Parts omitted----
icmp permit any outside
icmp permit any inside
----Parts omitted----
static (inside,outside) tcp interface https 192.168.2.2 https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 192.168.2.2 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 192.168.2.2 smtp netmask 255.255.255.255 0 0
access-group 100 in interface outside
----Parts omitted----
I want to change the configuration so that SMTP goes to a different
internal address and so that only certain IPs can access the server via 3389.
No change to https. I don't care if I keep the object-group (someone
else had helped me with that one a while back).
The following are the commands that I believe will need to be entered
in order to do these things. x.x.x.x designates the outside IP
addresses, one per line. 192.168.2.4 is the new address to
send SMTP traffic to.
conf t
no port-object eq smtp
no port-object eq 3389
no port-object eq https
no object-group service abc tcp
no access-list 100 permit tcp any any object-group abc
no static (inside,outside) tcp interface smtp 192.168.2.2 smtp netmask 255.255.255.255 0 0
access-list 100 permit tcp host x.x.x.x host 192.168.2.2 eq 3389
access-list 100 permit tcp host x.x.x.x host 192.168.2.2 eq 3389
access-list 100 permit tcp any any eq https
access-list 100 permit tcp any any eq smtp
static (inside,outside) tcp interface smtp 192.168.2.4 smtp netmask 255.255.255.255 0 0
write mem
Do I have it right and in the right order? What am I missing or
written wrong?
Also, do I have a security risk with my current ICMP configurations?
What would you change there and why?
Thanks in advance
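As an added editor's example (not the poster's commands and not a reply from the thread), here is one way to express the intended change in PIX 6.x syntax. It assumes PIX 6.3 NAT semantics, where an access-list applied to the outside interface is evaluated against the translated (outside) address, so the 3389 and other entries reference the outside interface address rather than 192.168.2.2. Two things the page's own lines make visible: `port-object` is a sub-command of `object-group` mode, so `no port-object ...` typed at the global prompt is not accepted (the group can simply be left in place once nothing references it), and a changed `static` only affects new connections until `clear xlate` is run. The placeholders OUTSIDE_IP (the outside interface address, which the post omits), x.x.x.1 and x.x.x.2 (the two remote hosts allowed to reach 3389) are assumptions.

```text
! Added example, not the original poster's commands. Assumes PIX 6.3 syntax.
! OUTSIDE_IP = the PIX outside interface address (omitted from the post);
! x.x.x.1 and x.x.x.2 = the two remote addresses allowed to reach 3389.
configure terminal
!
! 1. Drop the catch-all entry that permits every port in object-group ABC
!    from anywhere. The group itself can stay; it is inert once unreferenced.
no access-list 100 permit tcp any any object-group ABC
!
! 2. Replace it with explicit entries. On a 6.x PIX the outside ACL is
!    matched against the global (outside) address that the statics map,
!    not against the 192.168.2.x host behind it.
access-list 100 permit tcp host x.x.x.1 host OUTSIDE_IP eq 3389
access-list 100 permit tcp host x.x.x.2 host OUTSIDE_IP eq 3389
access-list 100 permit tcp any host OUTSIDE_IP eq https
access-list 100 permit tcp any host OUTSIDE_IP eq smtp
!
! 3. Re-point the SMTP static at the new host. The old static has to go
!    first, otherwise the new one overlaps an existing translation.
no static (inside,outside) tcp interface smtp 192.168.2.2 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 192.168.2.4 smtp netmask 255.255.255.255 0 0
!
! 4. Existing translations keep their old destination until cleared.
clear xlate
!
! 5. ICMP addressed to the firewall itself. "icmp permit any outside" lets
!    anyone on the Internet ping and probe the outside interface. Keep only
!    the reply types the PIX needs for its own traceroute/PMTU handling and
!    deny the rest explicitly. Transit ICMP to inside hosts is still
!    governed by access-list 100, not by these lines.
no icmp permit any outside
icmp permit any echo-reply outside
icmp permit any unreachable outside
icmp permit any time-exceeded outside
icmp deny any outside
!
write memory
```

The `icmp permit any inside` entry is left untouched because inside hosts pinging the firewall is usually wanted for troubleshooting; if the inside is not trusted, the same pattern (permit the needed reply types, then deny) applies there too.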