Configure Pix 501 to allow traffic from range of external IP addresses

Discussion in 'Cisco' started by jacobe, Jul 12, 2009.

    Hello,

    I have some knowledge of Cisco configurations but I could use some help configuring my Pix 501 to allow traffic from PCI-DSS security scanning servers.

    Following excerpt is from SecurityMetrics website:
    "It is important to allow SecurityMetrics security scanners to have the same level of network access to your Internet-connected devices that you provide to the rest of the world under normal circumstances. Users of SecurityMetrics scanning services are encouraged to add rules to their firewalls and inform their ISPs or hosting providers that security assessment scans may originate from the scanning locations listed in the table below. Ensuring that traffic from SecurityMetrics scanners does not get blocked ensures maximum accuracy of the security assessments, which leads to better security."

    The IP range listed in the table:
    204.238.82.16-32
    The subnet mask from the same table:
    204.238.82.16/255.255.255.240

    So what is the best way to configure the Pix to allow this scanning traffic?
    Thus far I have found a post from Velocity to be the most promising --forums/t55402-allow-all-traffic-from-one-external-ip-inside.html (particularly the #4 entry) but this is only for one external IP and not a range. (Sorry, I can't enter links yet...)

    Thanks for your help.
     
    Last edited: Jul 13, 2009
    jacobe, Jul 12, 2009
    #1

    Never mind, I found the solution on the Cisco website.
    Use ACLs on PIX Versions 5.0.1 and Later

    From website:
    "Complete these steps for PIX software versions 5.0.1 and later using ACLs.

    1. Define a static address translation for the inside web server to an outside/global address.

    static (inside, outside) 175.1.1.254 10.200.1.254

    2. Define which hosts can connect on which ports to your web/FTP server.

    access-list 101 permit tcp any host 175.1.1.254 eq www
    access-list 101 permit tcp host 199.199.199.24 host 175.1.1.254 eq ftp

    3. Apply the ACL to the outside interface.

    access-group 101 in interface outside

    Note: Be careful when you implement these commands. If either the conduit permit ip any any or access-list 101 permit ip any any command is implemented, any host on the untrusted network can access any host on the trusted network using IP as long as there is an active translation."

    Where 175.1.1.254 is the external (public) IP of the PIX, and 199.199.199.24 is the Internet IP that you want to allow through the PIX.

    In my case, these are the commands I entered (having already defined the access-list inbound_1, and using the range operator to cover all open ports; no, I do not have every port through 5900 open):
    access-list inbound_1 permit tcp host 204.238.82.16 host xxx.xxx.xxx.xxx range 1 5900
    access-list inbound_1 permit tcp host 204.238.82.17 host xxx.xxx.xxx.xxx range 1 5900
    access-list inbound_1 permit tcp host 204.238.82.18 host xxx.xxx.xxx.xxx range 1 5900
    access-list inbound_1 permit tcp host 204.238.82.19 host xxx.xxx.xxx.xxx range 1 5900
    access-list inbound_1 permit tcp host 204.238.82.20 host xxx.xxx.xxx.xxx range 1 5900
    access-list inbound_1 permit tcp host 204.238.82.21 host xxx.xxx.xxx.xxx range 1 5900
    access-list inbound_1 permit tcp host 204.238.82.22 host xxx.xxx.xxx.xxx range 1 5900
    access-list inbound_1 permit tcp host 204.238.82.23 host xxx.xxx.xxx.xxx range 1 5900
    access-list inbound_1 permit tcp host 204.238.82.24 host xxx.xxx.xxx.xxx range 1 5900
    access-list inbound_1 permit tcp host 204.238.82.25 host xxx.xxx.xxx.xxx range 1 5900
    access-list inbound_1 permit tcp host 204.238.82.26 host xxx.xxx.xxx.xxx range 1 5900
    access-list inbound_1 permit tcp host 204.238.82.27 host xxx.xxx.xxx.xxx range 1 5900
    access-list inbound_1 permit tcp host 204.238.82.28 host xxx.xxx.xxx.xxx range 1 5900
    access-list inbound_1 permit tcp host 204.238.82.29 host xxx.xxx.xxx.xxx range 1 5900
    access-list inbound_1 permit tcp host 204.238.82.30 host xxx.xxx.xxx.xxx range 1 5900
    access-list inbound_1 permit tcp host 204.238.82.31 host xxx.xxx.xxx.xxx range 1 5900
    access-list inbound_1 permit tcp host 204.238.82.32 host xxx.xxx.xxx.xxx range 1 5900
     
    jacobe, Jul 13, 2009
    #2
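An added check, not part of the thread: the script below parses PIX-style access-list entries (the `host A` and `A MASK` source forms used above), lists which sources an ACL permits to reach the PIX's public address, collapses them into the fewest mask-based blocks, and reports any address of a scanner range left uncovered. The function names and the 198.51.100.1 destination are this example's own; it assumes no source-port operator sits between the source and destination, which matches the entries in the post.

```python
import ipaddress

# Constructed sample ACL: the 17 host entries from the post above, with the
# PIX's public address (xxx.xxx.xxx.xxx) replaced by the documentation
# address 198.51.100.1. Function names below are this example's own.
SAMPLE_ACL = "\n".join(
    f"access-list inbound_1 permit tcp host 204.238.82.{h} "
    f"host 198.51.100.1 range 1 5900"
    for h in range(16, 33)
)

def _parse_addr(tokens, i):
    """Consume one PIX address spec ('any', 'host A', or 'A MASK') at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # PIX ACLs take a real subnet mask here, not an IOS-style wildcard mask.
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2

def parse_ace(line):
    """Parse one 'access-list NAME permit|deny PROTO SRC DST [ports]' line.
    Source-port operators before DST are not handled (the post uses none)."""
    t = line.split()
    if len(t) < 5 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"not a PIX access-list entry: {line!r}")
    src, i = _parse_addr(t, 4)
    dst, i = _parse_addr(t, i)
    return {"acl": t[1], "action": t[2], "proto": t[3],
            "src": src, "dst": dst, "ports": " ".join(t[i:])}

def permitted_sources(acl_text, dst, proto="tcp"):
    """Source networks the ACL permits to reach DST over PROTO (ports ignored)."""
    dst_ip = ipaddress.ip_address(dst)
    out = []
    for line in acl_text.splitlines():
        if not line.strip():
            continue
        a = parse_ace(line)
        if a["action"] == "permit" and a["proto"] in (proto, "ip") and dst_ip in a["dst"]:
            out.append(a["src"])
    return out

def collapse_sources(nets):
    """Fewest CIDR blocks covering the given networks, as strings."""
    return [str(n) for n in ipaddress.collapse_addresses(nets)]

def uncovered(nets, first, last):
    """Addresses in first..last (inclusive) matched by none of the networks."""
    nets = [ipaddress.ip_network(str(n), strict=False) for n in nets]
    lo, hi = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
    return [str(ipaddress.ip_address(x)) for x in range(lo, hi + 1)
            if not any(ipaddress.ip_address(x) in n for n in nets)]

if __name__ == "__main__":
    print(collapse_sources(permitted_sources(SAMPLE_ACL, "198.51.100.1")))
    print(uncovered(["204.238.82.16/255.255.255.240"], "204.238.82.16", "204.238.82.32"))
```

Run against the post's entries it reports that they collapse to 204.238.82.16/28 plus a single host entry for 204.238.82.32, and that the quoted 255.255.255.240 mask alone covers only .16 through .31.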
