Opening an entire host behind a firewall.

Discussion in 'Cisco' started by AM, Nov 19, 2004.

  1. AM

    AM Guest

    Hi all,

    I have a PIX32 with IOS 4.2(4). It has 4 interfaces: inside (100), outside (0),
    DMZ_Ita (20), DMZ_Este (10). The numbers in brackets are the security levels.

    Behind the inside interface there is the 192.168.31.0/24 LAN. I want to expose
    the IP 192.168.31.208 to DMZ_Ita (a lower-level zone than inside).
    Which kind of rule must I use to do that? I tried to use

    conduit permit tcp host 192.168.31.208 any 192.168.32.40 255.255.255.248
    conduit permit udp host 192.168.31.208 any 192.168.32.40 255.255.255.248

    but my PIX didn't accept them.
    I used a workaround like this

    conduit permit tcp host 192.168.31.208 range 1 65000 192.168.32.40 255.255.255.248
    conduit permit udp host 192.168.31.208 range 1 65000 192.168.32.40 255.255.255.248

    but this is not the solution.

    Can you help me please?
    Thank you in advance,

    alex.
    AM, Nov 19, 2004
    #1

  2. In article <Txpnd.40896$>, AM <> wrote:
    :I have a PIX32 with IOS 4.2(4).

    That's pretty old!

    You are entitled to significant free software upgrades from that
    version, to pretty much whatever the latest version that will run on
    that old system.

    For more information on obtaining the free upgrades, google site:cisco.com
    for the keywords security advisories and look for these Cisco document IDs:

    13639 -- security problem affecting 4.2(4), free upgrade to 4.4(5)
    13636 -- security problem affecting 4.4(5), free upgrade to 4.4(7)
    13635 -- security problem affecting 4.4(7), free upgrade to 5.2(6)
    28947 -- security problem affecting 5.2(6), free upgrade to 5.2(9)

    I'm not sure you could fit 5.2 on your system, or that it would be supported.


    :Behind inside interface there is 192.168.31.0/24 LAN. I want to expone to
    :the DMZ_Ita (a lower level zone rather than inside) the IP 192.168.31.208.
    :Which kind of rule I must use to do that? I tried to use

    :conduit permit tcp host 192.168.31.208 any 192.168.32.40 255.255.255.248
    :conduit permit udp host 192.168.31.208 any 192.168.32.40 255.255.255.248

    Skip the tcp and udp specification and just tell it to send all IP:

    conduit permit ip host 192.168.31.208 192.168.32.40 255.255.255.248
    --
    Everyone has a "Good Cause" for which they are prepared to spam.
    -- Roberson's Law of the Internet
    Walter Roberson, Nov 19, 2004
    #2
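    A worked configuration for what Walter describes, added here as an example; it is not from the thread or from Cisco documentation. It assumes the PIX 4.x/5.x command syntax, the interface names inside (security 100) and DMZ_Ita (security 20), the inside host 192.168.31.208 and the DMZ_Ita hosts in 192.168.32.40/29 exactly as given in the question. Lines beginning with "!" are annotations, not commands to type. The piece the conduit alone does not give you is the static: on a PIX, a connection initiated from a lower-security interface toward a higher-security one is dropped unless a static (or nat 0) translation exists for the higher-side address, so an identity static is needed even though no address rewriting is wanted.

```cisco
! Added example, not the thread's or Cisco's own configuration.
! Assumes PIX 4.x/5.x syntax and the addresses/interface names from the question.
!
! 1. Identity static so DMZ_Ita (security 20) may initiate connections to the
!    inside (security 100) host. Global address first, local address second.
static (inside,DMZ_Ita) 192.168.31.208 192.168.31.208 netmask 255.255.255.255
!
! 2. Conduit: global (translated) address first, then the foreign (source)
!    address. No operator/port, so all IP from the /29 reaches the host.
conduit permit ip host 192.168.31.208 192.168.32.40 255.255.255.248
!
! 3. Check what the PIX accepted.
show static
show conduit
```

    Two caveats a practitioner would want: conduits are not tied to an interface, so this conduit also admits 192.168.32.40/29 sources arriving on any other lower-security interface that can reach the static, which is one reason interface-specific access-list / access-group rules replaced conduits from PIX 5.x onward; and if the host only needs a few services, narrow the conduit to those ports rather than opening all IP, since the same static is what exposes the host.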