ACL changes need expert review please

Discussion in 'Cisco' started by Rick, Mar 7, 2007.

    Rick (Guest)

    I'm looking for some expert help to verify my command entries please.

    My current PIX501 configuration is as follows, minus parts I don't
    think are needed to answer this.

    ----Parts omitted----
    object-group service ABC tcp
    port-object eq smtp
    port-object eq 3389
    port-object eq https
    access-list 100 permit tcp any any object-group ABC
    access-list 100 permit icmp any any echo-reply
    access-list 100 permit icmp any any time-exceeded
    access-list 100 permit icmp any any unreachable
    ----Parts omitted----
    icmp permit any outside
    icmp permit any inside
    ----Parts omitted----
    static (inside,outside) tcp interface https 192.168.2.2 https netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 3389 192.168.2.2 3389 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface smtp 192.168.2.2 smtp netmask 255.255.255.255 0 0
    access-group 100 in interface outside
    ----Parts omitted----

    I want to change the configuration so that smtp goes to a different
    internal address and so that only certain IPs can access the server via
    3389. No change to https. I don't care if I keep the object-group
    (someone else had helped me with that one a while back).

    The following are the commands that I believe will need to be entered
    in order to do these things. x.x.x.x designates the outside IP
    addresses, one on each line. 192.168.2.4 is the new address to send
    SMTP traffic to.

    Conf t
    No port-object eq smtp
    No port-object eq 3389
    No port-object eq https
    No object-group service abc tcp
    No access-list 100 permit tcp any any object-group abc
    No static (inside,outside) tcp interface smtp 192.168.2.2 smtp netmask 255.255.255.255 0 0
    Access-list 100 permit tcp host x.x.x.x host 192.168.2.2 eq 3389
    Access-list 100 permit tcp host x.x.x.x host 192.168.2.2 eq 3389
    Access-list 100 permit tcp any any eq https
    Access-list 100 permit tcp any any eq smtp
    Static (inside,outside) tcp interface smtp 192.168.2.4 smtp netmask 255.255.255.255 0 0
    Write mem

    Do I have it right and in the right order? What am I missing, or what
    have I written wrong?
    Also, do I have a security risk with my current ICMP configurations?
    What would you change there and why?

    Thanks in advance
    Rick, Mar 7, 2007
    #1
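As an added check (not from the post and not anything the PIX itself produces), this Python script models the proposed access-list 100 entries with the PIX's top-down, first-match, implicit-deny semantics so the effect on 3389, https, smtp and ICMP can be confirmed before the commands are typed; the 203.0.113.x source addresses are assumed stand-ins for the poster's x.x.x.x placeholders.

```python
import ipaddress
from dataclasses import dataclass
# Constructed sample: the poster's proposed entries in the order they would be added
# (203.0.113.10/.11 stand in for "x.x.x.x"), plus the ICMP entries kept from the post.
ACL_100 = """
access-list 100 permit tcp host 203.0.113.10 host 192.168.2.2 eq 3389
access-list 100 permit tcp host 203.0.113.11 host 192.168.2.2 eq 3389
access-list 100 permit tcp any any eq https
access-list 100 permit tcp any any eq smtp
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
"""
PORT_NAMES = {"smtp": 25, "https": 443, "www": 80}
@dataclass
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    qual: object = None  # tcp: destination port, icmp: type keyword, None: any
def _addr(t, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D MASK' at t[i]; return (network, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}"), i + 2
def parse_acl(text):
    # Accepts 'access-list NAME ACTION PROTO SRC DST [eq PORT | ICMP-TYPE]' lines only.
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if t[:1] != ["access-list"]:
            continue
        src, i = _addr(t, 4)
        dst, i = _addr(t, i)
        qual = None
        if i < len(t):
            qual = (PORT_NAMES.get(t[i + 1]) or int(t[i + 1])) if t[i] == "eq" else t[i]
        aces.append(Ace(t[2], t[3], src, dst, qual))
    return aces
def evaluate(aces, proto, src, dst, qual=None):
    """Top-down, first match wins; the PIX ends every access-list with an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, a in enumerate(aces, 1):
        if a.proto == proto and s in a.src and d in a.dst and a.qual in (None, qual):
            return a.action, n
    return "deny", None
```

The evaluator matches exactly the destination written in each entry; on PIX 6.x software the access-list applied inbound on the outside interface is checked against the translated (global) address, so the destination to test for the 3389 entries is the address the static presents on the outside.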