PIX 525: Restricting www access

Discussion in 'Cisco' started by Jon Doe, Sep 18, 2005.

  1. Jon Doe

    Jon Doe Guest

    Hi,

    I'm new to PIX configs and I have a question. I'd like to put one of my
    company's intranet sites out on the internet, but I'd like only specific IP
    addresses to be able to connect to it. Please help me confirm if these are
    the right commands:

    access-list outside permit tcp host 65.25.x.x host 208.242.x.x eq www
    access-list outside permit tcp host 65.25.x.x host 208.242.x.x eq https

    or please help in how do I accomplish what I'm trying to do. Thanks in
    advance!
     
    Jon Doe, Sep 18, 2005
    #1

  2. In article <>,
    Jon Doe <> wrote:
    :I'm new to PIX configs and I have a question. I'd like to put one of my
    :company's intranet sites out on the internet, but I'd like only specific IP
    :addresses to be able to connect to it. Please help me confirm if these are
    :the right commands:

    :access-list outside permit tcp host 65.25.x.x host 208.242.x.x eq www
    :access-list outside permit tcp host 65.25.x.x host 208.242.x.x eq https

    Those are plausible, provided that 65.25.x.x is a remote host
    that you want to permit access from and 208.242.x.x is the -public-
    address of the local host that you want to permit access to.

    You will also need

    access-group outside in interface outside

    (the first 'outside' being the name of the ACL.)

    You will also need a 'static' command to make the connection between
    the public IP 208.242.x.x and the internal private IP of the appropriate
    computer. Even if the public IP is the same as the private IP, you
    will still need a 'static' command to tell the PIX that it is okay
    to allow the packets through:

    static (inside,outside) 208.242.x.x 192.168.242.15 netmask 255.255.255.255 0 0

    or

    static (inside,outside) 208.242.x.x 208.242.x.x netmask 255.255.255.255 0 0


    {
    To be a bit more complete:

    - in some cases, there is one particular form of the 'nat' command that
    might be usable instead of 'static'

    - instead of static'ing the entire IP address, you could be more specific,
    static (inside,outside) tcp 208.242.x.x www 192.168.242.15 www netmask 255.255.255.255 0 0

    }
    --
    "I will speculate that [...] applications [...] could actually see a
    performance boost for most users by going dual-core [...] because it
    is running the adware and spyware that [...] are otherwise slowing
    down the single CPU that user has today" -- Herb Sutter
     
    Walter Roberson, Sep 18, 2005
    #2
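The three pieces in the answer above (the `access-list` entries, the `access-group` that binds them to the outside interface, and the `static` that maps the public address) are easy to get subtly wrong, so here is a small model of how the PIX evaluates that access-list, added as an example; it is not code from the original thread or from Cisco. It parses the subset of `access-list` syntax used in the thread (`tcp`, `host`/`any` addresses, `eq` with a named or numeric port), checks that `access-group` actually applies the list inbound on `outside`, and evaluates sample packets against the public address, which is what an outside-interface ACL on PIX 6.x matches before the `static` un-translates it. The last two octets of the addresses are constructed to complete the thread's `x.x` placeholders; everything else follows the commands quoted in the answer.

```python
"""Model of PIX 6.x access-list evaluation for the 'only these hosts may reach
the web server' policy discussed in the thread.

Added example, not the poster's or Cisco's code. Only the syntax that appears
in the thread is modelled: 'access-list NAME permit|deny PROTO host A|any
host B|any [eq PORT]' plus 'access-group NAME in interface IFACE'. Like the
PIX, the evaluator stops at the first matching entry and falls through to an
implicit deny when nothing matches.
"""
from dataclasses import dataclass
from typing import Optional

# Port keywords the PIX accepts in place of numbers (subset).
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22, "ftp": 21}

# Constructed config: the thread's commands with the x.x octets filled in.
PIX_CONFIG = """
access-list outside permit tcp host 65.25.1.2 host 208.242.3.4 eq www
access-list outside permit tcp host 65.25.1.2 host 208.242.3.4 eq https
access-group outside in interface outside
static (inside,outside) 208.242.3.4 192.168.242.15 netmask 255.255.255.255 0 0
"""


@dataclass(frozen=True)
class Entry:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp" or "ip" (ip matches any protocol)
    src: Optional[str]     # None means 'any'
    dst: Optional[str]     # None means 'any'
    dport: Optional[int]   # None means any destination port


def parse_port(token: str) -> int:
    """Accept either a numeric port or one of the PIX port keywords."""
    return int(token) if token.isdigit() else PORT_NAMES[token]


def _parse_addr(tok: list, i: int):
    """Parse 'host A' or 'any' starting at tok[i]; return (addr, next index)."""
    if tok[i] == "any":
        return None, i + 1
    if tok[i] == "host":
        return tok[i + 1], i + 2
    raise ValueError("only 'host' and 'any' addresses are modelled here")


def parse_entry(line: str):
    """Turn one access-list line into (acl_name, Entry)."""
    tok = line.split()
    if tok[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    name, action, proto = tok[1], tok[2], tok[3]
    src, i = _parse_addr(tok, 4)
    dst, i = _parse_addr(tok, i)
    dport = parse_port(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
    return name, Entry(action, proto, src, dst, dport)


def load_acl(config: str, name: str) -> list:
    """Collect the entries of the named ACL in configuration order."""
    entries = []
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("access-list "):
            acl_name, entry = parse_entry(line)
            if acl_name == name:
                entries.append(entry)
    return entries


def bound_acl(config: str, interface: str) -> Optional[str]:
    """Name of the ACL applied inbound on an interface by access-group, or None.

    Without this line the access-list exists but filters nothing, which is
    why the answer lists 'access-group outside in interface outside'."""
    for line in config.splitlines():
        tok = line.split()
        if tok[:1] == ["access-group"] and tok[2:5] == ["in", "interface", interface]:
            return tok[1]
    return None


def evaluate(acl: list, proto: str, src: str, dst: str, dport: int) -> str:
    """First matching entry wins; an ACL with no match denies the packet."""
    for e in acl:
        if e.proto not in ("ip", proto):
            continue
        if e.src is not None and e.src != src:
            continue
        if e.dst is not None and e.dst != dst:
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action
    return "deny"  # implicit deny at the end of every PIX access-list


def check_policy(config: str) -> dict:
    """Exercise the thread's policy against a few constructed packets."""
    acl = load_acl(config, bound_acl(config, "outside") or "")
    server = "208.242.3.4"  # public address, as the ACL sees it
    return {
        "allowed_host_www": evaluate(acl, "tcp", "65.25.1.2", server, 80),
        "allowed_host_https": evaluate(acl, "tcp", "65.25.1.2", server, 443),
        "allowed_host_ssh": evaluate(acl, "tcp", "65.25.1.2", server, 22),
        "other_host_www": evaluate(acl, "tcp", "203.0.113.9", server, 80),
        "allowed_host_udp80": evaluate(acl, "udp", "65.25.1.2", server, 80),
    }


if __name__ == "__main__":
    for case, verdict in check_policy(PIX_CONFIG).items():
        print(f"{case:20s} {verdict}")
```

The useful checks are the negative ones: the permitted host is still denied on port 22 and on UDP, and any other source is denied on port 80, all by the implicit deny rather than by any line the poster wrote. If `bound_acl` returns `None`, the list is not applied and the model (like the PIX) is not filtering at all, which is the usual reason a freshly written access-list "does nothing".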

  3. Jon Doe

    Jon Doe Guest

    Ok it worked. Thanks much!

    "Walter Roberson" <-cnrc.gc.ca> wrote in message
    news:dgk67u$nun$...
    > In article <>,
    > Jon Doe <> wrote:
    > :I'm new to PIX configs and I have a question. I'd like to put one of my
    > :company's intranet sites out on the internet, but I'd like only specific IP
    > :addresses to be able to connect to it. Please help me confirm if these are
    > :the right commands:
    >
    > :access-list outside permit tcp host 65.25.x.x host 208.242.x.x eq www
    > :access-list outside permit tcp host 65.25.x.x host 208.242.x.x eq https
    >
    > Those are plausible, provided that 65.25.x.x is a remote host
    > that you want to permit access from and 208.242.x.x is the -public-
    > address of the local host that you want to permit access to.
    >
    > You will also need
    >
    > access-group outside in interface outside
    >
    > (the first 'outside' being the name of the ACL.)
    >
    > You will also need a 'static' command to make the connection between
    > the public IP 208.242.x.x and the internal private IP of the appropriate
    > computer. Even if the public IP is the same as the private IP, you
    > will still need a 'static' command to tell the PIX that it is okay
    > to allow the packets through:
    >
    > static (inside,outside) 208.242.x.x 192.168.242.15 netmask 255.255.255.255 0 0
    >
    > or
    >
    > static (inside,outside) 208.242.x.x 208.242.x.x netmask 255.255.255.255 0 0
    >
    >
    > {
    > To be a bit more complete:
    >
    > - in some cases, there is one particular form of the 'nat' command that
    > might be usable instead of 'static'
    >
    > - instead of static'ing the entire IP address, you could be more specific,
    > static (inside,outside) tcp 208.242.x.x www 192.168.242.15 www netmask 255.255.255.255 0 0
    >
    > }
    > --
    > "I will speculate that [...] applications [...] could actually see a
    > performance boost for most users by going dual-core [...] because it
    > is running the adware and spyware that [...] are otherwise slowing
    > down the single CPU that user has today" -- Herb Sutter
     
    Jon Doe, Sep 18, 2005
    #3
