Velocity Reviews - Computer Hardware Reviews

Pix 506e w/5 static outside IPs - How to create a rule to allow ALL tcp/udp traffic from one outside IP to an internal IP (for an internal router/NAT with its own subnet)

kyoo
04-06-2008
Try something like this.. this is from memory.. i may have some syntax
wrong.

name 192.168.50.200 FIOSTV-Inside
name x.x.x.x FIOSTV-Outside

static (inside,outside) host FIOSTV-Outside host FIOSTV-Inside netmask
255.255.255.255 0 0

access-list outside_access_in permit ip any host FIOSTV-Outside




--




##-----------------------------------------------#
Telecom Discussions a
http://www.telecom-gear.com
no-spam access to your favorite newsgroup -
comp.dcom.sys.cisco - 44641 messages and counting
##-----------------------------------------------##
 
Aceman
04-06-2008
I know this may be a simple task, but I'm having a little trouble figuring
it out. I am no expert at PIX ACLs, but when I need something, I google it,
read up on it and adapt what I find to what I need and eventually get it
working. I've already configured internal mail and web services to work from
the outside world. However I'm having a little difficulty with this one.

Scenario and requirements:
I have a Business FIOS 5 IP static line at home. I wanted to get the
double-play (TV and phone) on the line. They first said you can't do it with
a static line, but then I got someone else who said I can, but I need to use
up one of my IPs. No problem I said, but I added how will I configure that
through a PIX 506e? They said you can't and need their provided POS
Actiontec, which I still have in the closet. They said pick one of the IPs
and send ALL traffic to the Actiontec plugged into your current network.
Create a private network with the Actiontec and the TV boxes will plug into
that subnet. Cool, thought this should be a cinch. But having trouble
setting it up. Not sure how to allow ALL traffic from the one external IP to
the IP configured on the Actiontec's "external" interface.

I have a PIX 506e IOS version 6.3(5).

Names created (using x.x.x.x as one of my external IPs):
name 192.168.50.200 FIOSTV-Inside
name x.x.x.x FIOSTV-Outside
(Funny when I created the names, they didn't show up in the PDM. Did I do
something wrong?)

I'm thinking to try:
static (inside,outside) udp FIOSTV-Outside any FIOSTV-Inside any netmask
255.255.255.255 0 0
static (inside,outside) tcp FIOSTV-Outside any FIOSTV-Inside any netmask
255.255.255.255 0 0

access-list outside_access_in permit tcp any host FIOSTV-Outside eq any
access-list outside_access_in permit udp any host FIOSTV-Outside eq any

Or should I create a group for tcp-udp defining ports 1-65536 and allow it
by the group name? But I thought this would be over-doing it because a
simple 'any' would work?

If I forgot anything concerning or if you need me to elaborate further,
please advise.

I will be thankful for any suggestions anyone may provide.

Ace


 
Walter Roberson
04-06-2008
In article <yF9Kj.4405$qB1.3714@trnddc07>,
Aceman <(E-Mail Removed)> wrote:

>I have a Business FIOS 5 IP static line at home. I wanted to get the
>double-play (TV and phone) on the line. They first said you can't do it with
>a static line, but then I got someone else who said I can, but I need to use
>up one of my IPs. No problem I said, but I added how will I configure that
>through a PIX 506e?


>I have a PIX 506e IOS version 6.3(5).


>Names created (using x.x.x.x as one of my external IPs):
>name 192.168.50.200 FIOSTV-Inside
>name x.x.x.x FIOSTV-Outside


static (inside,outside) FIOSTV-Outside FIOSTV-Inside netmask 255.255.255.255

access-list outside_access_in permit ip any host FIOSTV-Outside


Except that to reduce risk, I would find out the IPs that will be sending
the traffic, and only permit those IPs instead of 'any'.
 
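Walter's two lines, and how they differ from the wide-open "any" variant, modelled in Python as an added example (not code from the thread or from Cisco). It parses PIX 6.3-style access-list entries, matches them the way the PIX does (a subnet mask such as 255.0.0.0, not an IOS wildcard), applies first-match evaluation with the implicit deny at the end, and only then applies the static. Two details it makes visible: "ip" matches tcp and udp alike, and on PIX 6.x the outside ACL is matched against the global (outside) address, which is why the entry names FIOSTV-Outside rather than FIOSTV-Inside. The addresses 203.0.113.10 (standing in for x.x.x.x), 198.51.100.5 (standing in for the Verizon source that is not yet known) and the name Verizon-TV are assumptions; 121.18.13.107 is the address Walter mentioned.

```python
"""PIX 6.x outside-in evaluation: static + access-list, as an added example."""
import ipaddress
from dataclasses import dataclass

OUTSIDE = "203.0.113.10"      # stands in for x.x.x.x (FIOSTV-Outside); documentation range, not a real IP
INSIDE = "192.168.50.200"     # FIOSTV-Inside, the Actiontec's WAN side
VERIZON_SRC = "198.51.100.5"  # hypothetical upstream source; the real one is learned at install time
ANY = (0, 0)                  # network 0 with mask 0 matches everything

# "name" entries from the thread, plus one assumed name for the upstream source
NAMES = {"FIOSTV-Outside": OUTSIDE, "FIOSTV-Inside": INSIDE, "Verizon-TV": VERIZON_SRC}


def _ip(s):
    """Resolve a configured name or dotted address to an int."""
    return int(ipaddress.IPv4Address(NAMES.get(s, s)))


@dataclass
class Ace:
    action: str
    proto: str
    src: tuple   # (network, mask) as ints
    dst: tuple


def _addr(tokens, i):
    """Parse one PIX address spec at tokens[i]; returns ((net, mask), next_index).
    PIX takes a subnet mask (255.0.0.0) here, not an IOS-style wildcard."""
    tok = tokens[i]
    if tok == "any":
        return ANY, i + 1
    if tok == "host":
        return (_ip(tokens[i + 1]), 0xFFFFFFFF), i + 2
    return (_ip(tok), _ip(tokens[i + 1])), i + 2


def _in(addr, spec):
    net, mask = spec
    return (addr & mask) == (net & mask)


def parse_acl(lines):
    """access-list <id> permit|deny <proto> <src-spec> <dst-spec> [port spec ignored]"""
    aces = []
    for line in lines:
        t = line.split()
        if t[0] != "access-list":
            raise ValueError(line)
        src, i = _addr(t, 4)
        dst, _ = _addr(t, i)
        aces.append(Ace(t[2], t[3], src, dst))
    return aces


def evaluate(aces, proto, src, dst):
    """First match wins; every ACL ends with an implicit deny. 'ip' covers all protocols."""
    s, d = _ip(src), _ip(dst)
    for ace in aces:
        if ace.proto in ("ip", proto) and _in(s, ace.src) and _in(d, ace.dst):
            return ace.action
    return "deny"


# static (inside,outside) FIOSTV-Outside FIOSTV-Inside netmask 255.255.255.255
STATIC = {OUTSIDE: INSIDE}


def inbound(aces, proto, src, dst):
    """Outside-to-inside path on PIX 6.x: the outside ACL is matched against the
    global (outside) address, and only then does the static untranslate it.
    Returns the inside address the packet is delivered to, or None if dropped."""
    if evaluate(aces, proto, src, dst) != "permit":
        return None
    return STATIC.get(dst)   # None here means no translation exists: dropped


WIDE_OPEN = parse_acl(["access-list outside_access_in permit ip any host FIOSTV-Outside"])
RESTRICTED = parse_acl(["access-list outside_access_in permit ip host Verizon-TV host FIOSTV-Outside"])

if __name__ == "__main__":
    for src in ("121.18.13.107", VERIZON_SRC):
        print(src, "wide-open:", inbound(WIDE_OPEN, "udp", src, OUTSIDE),
              "restricted:", inbound(RESTRICTED, "udp", src, OUTSIDE))
```

With the wide-open entry, the scanner address reaches the Actiontec just as the Verizon source does; with the restricted entry only the named source is untranslated and everything else falls through to the implicit deny. Once the real upstream source is known, the second access-list line is the form to keep.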
Aceman
04-06-2008
In news:iPbKj.161542$pM4.33351@pd7urf1no,
Walter Roberson <(E-Mail Removed)> typed:
>
> static (inside,outside) FIOSTV-Outside FIOSTV-Inside netmask
> 255.255.255.255
>
> access-list outside_access_in permit ip any host FIOSTV-Outside
>
>
> Except that to reduce risk, I would find out the IPs that will be
> sending the traffic, and only permit those IPs instead of 'any'.


Thank you, Walter.

You mean the actual Verizon source IP?

In your access-list statement, shouldn't I specifically allow all tcp/udp
traffic to the Actiontec's outside interface, which I named "FIOSTV-Inside"
(name 192.168.50.200 FIOSTV-Inside)?

Thanks again,
Ace

Aceman
04-07-2008
In news:47f8f0e8$0$13109$(E-Mail Removed) om,
kyoo <(E-Mail Removed)> typed:
> Try something like this.. this is from memory.. i may have some syntax
> wrong.
>
> name 192.168.50.200 FIOSTV-Inside
> name x.x.x.x FIOSTV-Outside
>
> static (inside,outside) host FIOSTV-Outside host FIOSTV-Inside netmask
> 255.255.255.255 0 0
>
> access-list outside_access_in permit ip any host FIOSTV-Outside


This makes sense. Thanks, I will try it and let you know how it works out.
The scheduled FIOS TV/Phone install is this Thurs (4/10/08), so we'll see
how it works. I will test it with a laptop on the "inside" of the Actiontec
192.168.5.0 subnet and see what happens. I know they want to do some changes
in the Actiontec, which is fine and with this it shouldn't bother my
192.168.50.0 subnet.

Ace

Aceman
04-07-2008
In news:iPbKj.161542$pM4.33351@pd7urf1no,
Walter Roberson <(E-Mail Removed)> typed:
>
>
> static (inside,outside) FIOSTV-Outside FIOSTV-Inside netmask
> 255.255.255.255
>
> access-list outside_access_in permit ip any host FIOSTV-Outside
>
> Except that to reduce risk, I would find out the IPs that will be
> sending the traffic, and only permit those IPs instead of 'any'.


Added the above two without error. I will find out what Verizon's source is
when they install it on Thursday.

Thanks!

Ace

Aceman
04-07-2008
In news:47f8f0e8$0$13109$(E-Mail Removed) om,
kyoo <(E-Mail Removed)> typed:
> Try something like this.. this is from memory.. i may have some syntax
> wrong.
>
> name 192.168.50.200 FIOSTV-Inside
> name x.x.x.x FIOSTV-Outside
>
> static (inside,outside) host FIOSTV-Outside host FIOSTV-Inside netmask
> 255.255.255.255 0 0


I tried the above however it didn't like the syntax

> access-list outside_access_in permit ip any host FIOSTV-Outside


This was no problem. This was also the same statement Walter provided. I
added Walter's static entry and it took it.

Thanks!

Ace

Walter Roberson
04-07-2008
In article <CjdKj.872$4Q1.863@trnddc06>, Aceman <(E-Mail Removed)> wrote:
>In news:iPbKj.161542$pM4.33351@pd7urf1no,
>Walter Roberson <(E-Mail Removed)> typed:


>> static (inside,outside) FIOSTV-Outside FIOSTV-Inside netmask
>> 255.255.255.255


>> access-list outside_access_in permit ip any host FIOSTV-Outside


>> Except that to reduce risk, I would find out the IPs that will be
>> sending the traffic, and only permit those IPs instead of 'any'.


>You mean the actual Verizon source IP?


Yes. With "permit ip any", *anyone* on the 'Net would be allowed
to send most -anything- to your FIOSTV. And they will, they will.
For example, google search on the IP address "121.18.13.107".


>In your access-list statement, shouldn't I specifically allow all
>tcp/udp
>traffic to the Actiontec's outside interface, which I named "FIOSTV-Inside"
>(name 192.168.50.200 FIOSTV-Inside)?


No, "ip" includes "tcp" and "udp".
Aceman
04-07-2008
In news:4MiKj.162061$pM4.7003@pd7urf1no,
Walter Roberson <(E-Mail Removed)> typed:
> > You mean the actual Verizon source IP?

>
> Yes. With "permit ip any", *anyone* on the 'Net would be allowed
> to send most -anything- to your FIOSTV. And they will, they will.
> For example, google search on the IP address "121.18.13.107".
>


Hmm, those good 'ole Chinese attackers hard at work. I guess they are a
bunch of Datas that don't sleep. Maybe I should just block every Pacific Rim
subnet that exists since most attacks emanate from out there anyway. What's
disturbing trying to pinpoint an IP in China and many other Asian countries is
most of them do not own computers at home but rather frequent cyber cafes
and do their dirty work from there. Makes it virtually untraceable to
identify the actual culprit. It's almost like tracking down who made an
obscene phone call from a busy corner bar in Philly or NY.

Basically I would use (please correct me if I'm wrong);
access-list 101 deny ip ADDRESS 0.0.0.255 any
So for the address you submitted, which Arin states is 121.0.0.0 -
121.255.255.255, I would enter:
access-list 101 deny ip 121.0.0.0 0.0.0.255 any

I remember finding a link in the past that has ACLs pre-created to block all
or most of China and Korean subnets, but I can't seem to find it. I thought
I bookmarked it. I found another link (http://www.unixhub.com/block.html)
with a list of Chinese and Korean subnets to block, but it seems somewhat
dated and I would have to manually create an ACL for each entry and there's
many.

APNIC has a list of Asian Pacific ranges at:
http://www.apnic.net/db/ranges.html

I found this too but it seems easier to just block the /8's in Apnic's
list.
http://www.okean.com/antispam/cisco/sinokoreaacl.txt

>
> > In your access-list statement, shouldn't I specifically allow all
> > tcp/udp
> > traffic to the Actiontec's outside interface, which I named
> > "FIOSTV-Inside" (name 192.168.50.200 FIOSTV-Inside)?

>
> No, "ip" includes "tcp" and "udp".


Ok, thanks. I wasn't sure.

Ace

News Reader
04-07-2008
Aceman wrote:
> In news:4MiKj.162061$pM4.7003@pd7urf1no,
> Walter Roberson <(E-Mail Removed)> typed:
>>> You mean the actual Verizon source IP?

>> Yes. With "permit ip any", *anyone* on the 'Net would be allowed
>> to send most -anything- to your FIOSTV. And they will, they will.
>> For example, google search on the IP address "121.18.13.107".
>>

>
> Hmm, those good 'ole Chinese attackers hard at work. I guess they are a
> bunch of Datas that don't sleep. Maybe I should just block every Pacific Rim
> subnet that exists since most attacks emanate from out there anyway. What's
> disturbing trying to pinpoint an IP in China and many other Asian countries is
> most of them do not own computers at home but rather frequent cyber cafes
> and do their dirty work from there. Makes it virtually untraceable to
> identify the actual culprit. It's almost like tracking down who made an
> obscene phone call from a busy corner bar in Philly or NY.
>
> Basically I would use (please correct me if I'm wrong);
> access-list 101 deny ip ADDRESS 0.0.0.255 any
> So for the address you submitted, which Arin states is 121.0.0.0 -
> 121.255.255.255, I would enter:
> access-list 101 deny ip 121.0.0.0 0.0.0.255 any


access-list 101 deny ip 121.0.0.0 0.255.255.255 any

would match the range from 121.0.0.0 - 121.255.255.255

It's a wildcard mask.
The "0" signifies the portion that must match exactly.
The "255" signifies the "don't care" portion.

>
> I remember finding a link in the past that has ACLs pre-created to block all
> or most of China and Korean subnets, but I can't seem to find it. I thought
> I bookmarked it. I found another link (http://www.unixhub.com/block.html)
> with a list of Chinese and Korean subnets to block, but it seems somewhat
> dated and I would have to manually create an ACL for each entry and there's
> many.
>
> APNIC has a list of Asian Pacific ranges at:
> http://www.apnic.net/db/ranges.html
>
> I found this too but it seems easier to just block the /8's in Apnic's
> list.
> http://www.okean.com/antispam/cisco/sinokoreaacl.txt
>
>>> In your access-list statement, shouldn't I specifically allow all
>>> tcp/udp
>>> traffic to the Actiontec's outside interface, which I named
>>> "FIOSTV-Inside" (name 192.168.50.200 FIOSTV-Inside)?

>> No, "ip" includes "tcp" and "udp".

>
> Ok, thanks. I wasn't sure.
>
> Ace
>
>



--
Best Regards,
News Reader
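The mask arithmetic above, as an added example in Python (not code from the thread). It checks an address against a base with an IOS wildcard mask and, separately, with a subnet mask, and turns an address range into the matching ACL lines in either form. One caveat worth having next to this post: the wildcard explanation is IOS syntax; a PIX 6.x access-list takes a subnet mask, so the same /8 is written `121.0.0.0 255.0.0.0` on the 506e. The ACL number 101 and the `deny ip ... any` shape follow Aceman's draft; the range 121.0.0.0 - 121.255.255.255 and the address 121.18.13.107 are the ones quoted in the thread.

```python
"""Wildcard (IOS) vs. subnet mask (PIX) matching and range-to-ACL conversion; added example."""
import ipaddress


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def wildcard_matches(addr, base, wildcard):
    """IOS semantics: bits set in the wildcard are 'don't care', bits clear must match."""
    care = 0xFFFFFFFF ^ _ip(wildcard)
    return (_ip(addr) & care) == (_ip(base) & care)


def netmask_matches(addr, base, netmask):
    """PIX 6.x access-list semantics: bits set in the mask must match."""
    m = _ip(netmask)
    return (_ip(addr) & m) == (_ip(base) & m)


def range_to_acl(first, last, style="pix", acl_id="101", action="deny"):
    """Emit one ACE per aligned block needed to cover first..last.

    style="pix" writes a subnet mask, style="ios" writes a wildcard mask.
    A range that is not a single aligned block (e.g. 121.0.0.0-121.0.0.2)
    yields several lines rather than one wrong one.
    """
    lines = []
    for net in ipaddress.summarize_address_range(
            ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)):
        mask = net.hostmask if style == "ios" else net.netmask
        lines.append(f"access-list {acl_id} {action} ip {net.network_address} {mask} any")
    return lines


if __name__ == "__main__":
    probe, base = "121.18.13.107", "121.0.0.0"
    # The draft in the thread used 0.0.0.255, which only covers 121.0.0.0/24
    print("0.0.0.255     covers probe:", wildcard_matches(probe, base, "0.0.0.255"))
    print("0.255.255.255 covers probe:", wildcard_matches(probe, base, "0.255.255.255"))
    print("255.0.0.0 (PIX) covers probe:", netmask_matches(probe, base, "255.0.0.0"))
    for style in ("ios", "pix"):
        print(style, range_to_acl("121.0.0.0", "121.255.255.255", style=style))
```

Running it shows the draft entry with 0.0.0.255 does not match 121.18.13.107 at all, while 0.255.255.255 (IOS) and 255.0.0.0 (PIX) both do; the last loop prints the one line each platform needs for the whole /8.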