allow outside to access inside pix 515

Discussion in 'Cisco' started by gregg, Dec 4, 2003.

  1. gregg

    gregg Guest

    I have a PIX 515. I want to allow access to a server inside from an external address.

    outside interface is set to 192.168.102.2
    outside wan address is 192.168.117.0
    inside server address is 192.168.107.40

    how do i do this?

    Here is what I have

    nat (outside) 192.168.117.0 255.255.255.0
    route outside 192.168.117.0 255.255.255.0 192.168.102.2
    conduit permit tcp host 192.168.117.2 eq telnet host 192.168.107.40

    Thanks in advance
     
    gregg, Dec 4, 2003
    #1

  2. In article <>,
    gregg <> wrote:
    :I have a PIX 515. I want to allow access to a server inside from an external address.

    :outside interface is set to 192.168.102.2
    :outside wan address is 192.168.117.0
    :inside server address is 192.168.107.40

    :how do i do this?

    :Here is what I have

    :nat (outside) 192.168.117.0 255.255.255.0
    :route outside 192.168.117.0 255.255.255.0 192.168.102.2
    :conduit permit tcp host 192.168.117.2 eq telnet host 192.168.107.40

    Your conditions don't match what you say you have so far.
    'conduit' uses destination and then source, but 192.168.117.2
    [your destination in the conduit] is on the outside and
    192.168.107.40 [your source in the conduit] is on the inside.

    What do you mean when you say that the "outside wan address" is one
    thing, but the outside interface is another?

    *If* 192.168.117.0 is the public address that the server is known
    as to the outside, and if 192.168.107.40 is the private address of
    the server, not directly accessible to the outside, and if
    192.168.117.0 is routed by your ISP and WAN router to 192.168.102.2,
    and if 192.168.117.2 is the outside host that needs to be permitted access,
    then you would configure like this:

    static (inside, outside) 192.168.117.0 192.168.107.40 netmask 255.255.255.255 0 0
    access-list out2in permit tcp host 192.168.117.2 host 192.168.117.0 eq telnet
    access-group out2in in interface outside

    You would, under these circumstances, likely also get rid of
    that 'route' statement, as 192.168.117.0/24 would be covered by the
    default route that you likely have.

    With the setup above, the PIX -would- proxy-arp for the IP address
    192.168.117.0 (which, incidentally, clashes with the address you
    have given in the route statement), but unless your WAN router
    uses 'secondary' addresses to put both 192.168.102/24 and
    192.168.117/24 onto the same segment, or the WAN router is
    set to use 255.255.255.255 as the broadcast IP, the ARP broadcast might not
    touch the PIX so the proxy-arp might not help any, so a WAN host
    route of host 192.168.117.0 to 192.168.102.2 would be best.


    I wouldn't expect the configuration I have given above to work in your
    situation, as the information you've given is inconsistent. You
    have probably tried to hide the real IP addresses involved, but in
    doing so you have accidentally made it impossible for us to answer
    correctly. :(
    --
    vi -- think of it as practice for the ROGUE Olympics!
     
    Walter Roberson, Dec 4, 2003
    #2

  3. gregg

    gregg Guest

    -cnrc.gc.ca (Walter Roberson) wrote in message news:<bqo36s$dsa$>...
    > In article <>,
    > gregg <> wrote:
    > :I have a PIX 515. I want to allow access to a server inside from an external address.
    >
    > :outside interface is set to 192.168.102.2
    > :outside wan address is 192.168.117.0
    > :inside server address is 192.168.107.40
    >
    > :how do i do this?
    >
    > :Here is what I have
    >
    > :nat (outside) 192.168.117.0 255.255.255.0
    > :route outside 192.168.117.0 255.255.255.0 192.168.102.2
    > :conduit permit tcp host 192.168.117.2 eq telnet host 192.168.107.40
    >
    > Your conditions don't match what you say you have so far.
    > 'conduit' uses destination and then source, but 192.168.117.2
    > [your destination in the conduit] is on the outside and
    > 192.168.107.40 [your source in the conduit] is on the inside.
    >
    > What do you mean when you say that the "outside wan address" is one
    > thing, but the outside interface is another?
    >
    > *If* 192.168.117.0 is the public address that the server is known
    > as to the outside, and if 192.168.107.40 is the private address of
    > the server, not directly accessible to the outside, and if
    > 192.168.117.0 is routed by your ISP and WAN router to 192.168.102.2,
    > and if 192.168.117.2 is the outside host that needs to be permitted access,
    > then you would configure like this:
    >
    > static (inside, outside) 192.168.117.0 192.168.107.40 netmask 255.255.255.255 0 0
    > access-list out2in permit tcp host 192.168.117.2 host 192.168.117.0 eq telnet
    > access-group out2in in interface outside
    >
    > You would, under these circumstances, likely also get rid of
    > that 'route' statement, as 192.168.117.0/24 would be covered by the
    > default route that you likely have.
    >
    > With the setup above, the PIX -would- proxy-arp for the IP address
    > 192.168.117.0 (which, incidentally, clashes with the address you
    > have given in the route statement), but unless your WAN router
    > uses 'secondary' addresses to put both 192.168.102/24 and
    > 192.168.117/24 onto the same segment, or the WAN router is
    > set to use 255.255.255.255 as the broadcast IP, the ARP broadcast might not
    > touch the PIX so the proxy-arp might not help any, so a WAN host
    > route of host 192.168.117.0 to 192.168.102.2 would be best.
    >
    >
    > I wouldn't expect the configuration I have given above to work in your
    > situation, as the information you've given is inconsistent. You
    > have probably tried to hide the real IP addresses involved, but in
    > doing so you have accidentally made it impossible for us to answer
    > correctly. :(



    Sorry, I'm new to Cisco. Let me clarify.

    192.168.117.0 is a private address range on the outside of our
    firewall (another company)
    192.168.102.1 is one of the outside interfaces of the pix
    192.168.102.2 is a router outside the firewall that routes all .117
    traffic to the correct place.

    I need to know how to allow all traffic from the 192.168.117.0 subnet
    to telnet to 192.168.107.?? (inside the firewall).
     
    gregg, Dec 5, 2003
    #3
  4. In article <>,
    gregg <> wrote:
    :Sorry, I'm new to Cisco. Let me clarify.

    :192.168.117.0 is a private address range on the outside of our
    :firewall (another company)
    :192.168.102.1 is one of the outside interfaces of the pix
    :192.168.102.2 is a router outside the firewall that routes all .117
    :traffic to the correct place.

    :I need to know how to allow all traffic from the 192.168.117.0 subnet
    :to telnet to 192.168.107.?? (inside the firewall).

    Here are the commands that you asked for:

    static (inside, outside) 192.168.107.0 192.168.107.0 netmask 255.255.255.0 0 0
    access-list out2in permit tcp 192.168.117.0 255.255.255.0 192.168.107.0 255.255.255.0 eq telnet
    access-group out2in in interface outside

    I suspect this might not be what you really want, though.

    The configuration I have given above assumes that 192.168.107/24 is
    a public IP address range that you are using on both the inside
    and the outside, and that your router is routing to the PIX
    (needed because it is in a different subnet than the PIX outside address.)
    It also allows telnet access to *all* hosts in 192.168.107/24
    [except .0 and .255 -- those are implicitly blocked by the 'static'],
    including any router or infrastructure you might have in that subnet.
    Your previous message spoke only of 192.168.107.40 needing to be
    telnet'd to, but your clarification says 192.168.107.?? implying the
    entire subnet.

    If you want just 192.168.107.40 to be reachable, it would be

    static (inside, outside) 192.168.107.40 192.168.107.40 netmask 255.255.255.255 0 0
    access-list out2in permit tcp 192.168.117.0 255.255.255.0 host 192.168.107.40 eq telnet
    access-group out2in in interface outside


    Usually (but certainly not always), there would be a noticeably
    different setup with different assumptions. If we say that
    the internal machine with -private- IP address 192.168.107.40 needs
    to be accessible from the outside by way of the outside IP address
    192.168.102.3, then the configuration would be as follows, with there
    being no need to route 192.168.107/24 to the PIX at the WAN router:

    static (inside, outside) 192.168.102.3 192.168.107.40 netmask 255.255.255.255 0 0
    access-list out2in permit tcp 192.168.117.0 255.255.255.0 host 192.168.102.3 eq telnet
    access-group out2in in interface outside


    There is another notable case as well, in which the internal machine
    192.168.107.40 has to be accessible using the outside IP address of the
    PIX itself. The configuration for that would -almost- be:

    static (inside, outside) tcp interface telnet 192.168.107.40 telnet netmask 255.255.255.255 0 0
    access-list out2in permit tcp 192.168.117.0 255.255.255.0 interface eq telnet
    access-group out2in in interface outside

    I say -almost- because it happens that you cannot use this form for telnet
    or tcp 1467: those two ports are reserved for access to the PIX itself.

    --
    millihamlet: the average coherency of prose created by a single monkey
    typing randomly on a keyboard. Usenet postings may be rated in mHl.
    -- Walter Roberson
     
    Walter Roberson, Dec 5, 2003
    #4
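Two points in this thread are easy to get wrong when reading a PIX 6.x config by eye: the `conduit` keyword lists the destination before the source while `access-list` lists the source first (Walter's objection to the original conduit line), and an identity `static` for a whole /24 exposes every host in it rather than just the one server (his warning about the first answer in #4). The script below is an added example, not code from the thread or from Cisco: it normalises both rule forms to (source, destination, port), matches each rule's destination against the `static` translations, and reports how many inside hosts the rule actually opens up, flagging a rule whose source falls inside a translated local range as having its direction reversed. It assumes only the PIX 6.x syntax quoted in the thread (the `static ... tcp interface ...` form is not handled), the port keyword table is an assumption, and the exclusion of the .0 and .255 addresses in a /24 follows the remark in post #4. The three configs at the bottom are constructed from lines in the thread for the purpose of the check.

```python
"""Audit PIX 6.x 'conduit' / 'access-list' rules against 'static' translations.

Added example (not from the thread or Cisco). Assumes PIX 6.x syntax as quoted
above: conduit = destination first, access-list = source first.
"""
import ipaddress
import re

# Assumption: port keywords that may appear after 'eq' in these rules.
PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80, "ftp": 21}

_STATIC = re.compile(r"static\s+\((\w+),\s*(\w+)\)\s+(\S+)\s+(\S+)\s+netmask\s+(\S+)")


def _addr(tokens, i):
    """Parse 'host A', 'A MASK' or 'any' at tokens[i]; return (network, next index)."""
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1]), i + 2
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def _port(tokens, i):
    """Parse an optional 'eq PORT' at tokens[i]; return (port number or None, next index)."""
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        return PORT_NAMES.get(name, int(name) if name.isdigit() else None), i + 2
    return None, i


def parse_rule(line):
    """Normalise a conduit or access-list line to {'kind', 'src', 'dst', 'port'}.

    conduit:     conduit permit PROTO <DEST> [eq PORT] <SRC>              (destination first)
    access-list: access-list NAME permit PROTO <SRC> [eq P] <DEST> [eq PORT]  (source first)
    """
    t = line.split()
    if t[0] == "conduit":
        dst, i = _addr(t, 3)
        port, i = _port(t, i)
        src, _ = _addr(t, i)
    elif t[0] == "access-list":
        src, i = _addr(t, 4)
        _, i = _port(t, i)          # optional source-port clause, not needed here
        dst, i = _addr(t, i)
        port, _ = _port(t, i)
    else:
        raise ValueError(f"not a filter rule: {line}")
    return {"kind": t[0], "src": src, "dst": dst, "port": port}


def parse_static(line):
    """Parse 'static (inside, outside) GLOBAL LOCAL netmask MASK ...' to (global_net, local_net)."""
    m = _STATIC.match(line)
    if not m:
        raise ValueError(f"unsupported static form: {line}")
    _hi, _lo, glob, local, mask = m.groups()
    return (ipaddress.ip_network(f"{glob}/{mask}", strict=False),
            ipaddress.ip_network(f"{local}/{mask}", strict=False))


def _overlap(a, b):
    """Return the smaller of two nested networks, or None if they do not overlap."""
    if a.subnet_of(b):
        return a
    if b.subnet_of(a):
        return b
    return None


def _usable_hosts(net):
    """Count addresses a static actually translates: .0 and .255 are implicitly blocked."""
    return net.num_addresses if net.prefixlen >= 31 else net.num_addresses - 2


def audit(config_lines):
    """One finding per rule: inside hosts it exposes, and whether src/dst look swapped."""
    statics = [parse_static(l) for l in config_lines if l.startswith("static ")]
    rules = [parse_rule(l) for l in config_lines if l.startswith(("conduit ", "access-list "))]
    report = []
    for r in rules:
        exposed = sum(_usable_hosts(hit) for glob, _ in statics
                      if (hit := _overlap(r["dst"], glob)) is not None)
        # Destination matches no global address but the source sits in a translated
        # local range: the rule was written with source and destination reversed.
        swapped = exposed == 0 and any(_overlap(r["src"], local) is not None
                                        for _, local in statics)
        report.append({"kind": r["kind"], "port": r["port"],
                       "exposed_hosts": exposed, "reversed": swapped})
    return report


# Constructed test configs, assembled from lines quoted in the thread.
BACKWARDS = [  # gregg's conduit paired with the static from post #2
    "static (inside, outside) 192.168.117.0 192.168.107.40 netmask 255.255.255.255 0 0",
    "conduit permit tcp host 192.168.117.2 eq telnet host 192.168.107.40",
]
WIDE = [  # first answer in post #4: identity static for the whole /24
    "static (inside, outside) 192.168.107.0 192.168.107.0 netmask 255.255.255.0 0 0",
    "access-list out2in permit tcp 192.168.117.0 255.255.255.0 192.168.107.0 255.255.255.0 eq telnet",
]
NARROW = [  # post #4's usual case: one private host behind one outside address
    "static (inside, outside) 192.168.102.3 192.168.107.40 netmask 255.255.255.255 0 0",
    "access-list out2in permit tcp 192.168.117.0 255.255.255.0 host 192.168.102.3 eq telnet",
]

if __name__ == "__main__":
    for name, cfg in (("BACKWARDS", BACKWARDS), ("WIDE", WIDE), ("NARROW", NARROW)):
        print(name, audit(cfg))
```

Running it shows the gregg conduit flagged as reversed with nothing exposed, the /24 identity static opening telnet to 254 inside hosts, and the single-host static opening exactly one. The exposure count is the number a change reviewer wants before approving an `access-group ... in interface outside` line: a rule that reads as "one server" but translates to hundreds of hosts is the kind of least-privilege slip post #4 warns about.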