Opening an entire host behind a firewall.

Discussion in 'Cisco' started by AM, Nov 19, 2004.

  1. AM

    AM Guest

    Hi all,

    I have a PIX32 with IOS 4.2(4). It has 4 interfaces: inside(100), outside(0),
    DMZ_Ita(20), DMZ_Este(10). The security levels are in brackets.

    Behind the inside interface there is the 192.168.31.0/24 LAN. I want to expose
    the IP 192.168.31.208 to DMZ_Ita (a lower-level zone than inside).
    Which kind of rule must I use to do that? I tried to use

    conduit permit tcp host 192.168.31.208 any 192.168.32.40 255.255.255.248
    conduit permit udp host 192.168.31.208 any 192.168.32.40 255.255.255.248

    but my PIX didn't accept them.
    I used a workaround like this

    conduit permit tcp host 192.168.31.208 range 1 65000 192.168.32.40 255.255.255.248
    conduit permit udp host 192.168.31.208 range 1 65000 192.168.32.40 255.255.255.248

    but this is not the solution.

    Can you help me please?
    Thank you in advance,

    alex.
     
    AM, Nov 19, 2004
    #1

  2. :I have a PIX32 with IOS 4.2(4).

    That's pretty old!

    You are entitled to significant free software upgrades from that
    version, to pretty much whatever the latest version that will run on
    that old system.

    For more information on obtaining the free upgrades, google site:cisco.com
    for the keywords security advisories and look for these Cisco document IDs:

    13639 -- security problem affecting 4.2(4), free upgrade to 4.4(5)
    13636 -- security problem affecting 4.4(5), free upgrade to 4.4(7)
    13635 -- security problem affecting 4.4(7), free upgrade to 5.2(6)
    28947 -- security problem affecting 5.2(6), free upgrade to 5.2(9)

    I'm not sure you could fit 5.2 on your system, or that it would be supported.


    :Behind the inside interface there is the 192.168.31.0/24 LAN. I want to expose
    :the IP 192.168.31.208 to DMZ_Ita (a lower-level zone than inside).
    :Which kind of rule must I use to do that? I tried to use

    :conduit permit tcp host 192.168.31.208 any 192.168.32.40 255.255.255.248
    :conduit permit udp host 192.168.31.208 any 192.168.32.40 255.255.255.248

    Skip the tcp and udp specification and just tell it to send all IP:

    conduit permit ip host 192.168.31.208 192.168.32.40 255.255.255.248
     
    Walter Roberson, Nov 19, 2004
    #2
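The conduit syntax discussed in the reply above, as an added worked example that is not part of the thread and not Cisco code: a small Python model of the classic PIX conduit statement (permit/deny, protocol, global address, optional eq/lt/gt/range port operator, foreign address, optional port operator) together with the security-level rule. The model is simplified and its details are assumptions: conduits are evaluated first-match, NAT/static translation is left out, and the DMZ_Ita peer 192.168.32.42 and the port numbers are constructed. It shows why the first attempt in the original post fails to parse, why the `range 1 65000` workaround still blocks ports above 65000 and everything that is not TCP or UDP, and what `conduit permit ip` covers.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Added example, not PIX code: toy model of classic PIX conduit syntax and of the
# security-level rule. Interface levels are the ones given in the thread.
INTERFACES = {"inside": 100, "DMZ_Ita": 20, "DMZ_Este": 10, "outside": 0}

PortRange = Optional[Tuple[int, int]]  # None = any port


@dataclass(frozen=True)
class Conduit:
    action: str                          # "permit" or "deny"
    proto: str                           # "ip", "tcp", "udp" or "icmp"
    global_net: ipaddress.IPv4Network    # protected side being exposed
    global_ports: PortRange
    foreign_net: ipaddress.IPv4Network   # lower-security peers allowed to reach it
    foreign_ports: PortRange


def _addr(t, i):
    """Consume 'any', 'host A' or 'A MASK' at t[i]; return (network, next index)."""
    if t[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.IPv4Network(t[i + 1] + "/32"), i + 2
    return ipaddress.IPv4Network(f"{t[i]}/{t[i + 1]}"), i + 2


def _ports(t, i, proto):
    """Consume an optional eq/lt/gt/range operator at t[i]; only tcp/udp carry ports."""
    if i >= len(t) or t[i] not in ("eq", "lt", "gt", "range"):
        return None, i
    if proto not in ("tcp", "udp"):
        raise ValueError(f"port operator {t[i]!r} is not valid with protocol {proto!r}")
    op, n = t[i], int(t[i + 1])
    if op == "eq":
        return (n, n), i + 2
    if op == "lt":
        return (0, n - 1), i + 2
    if op == "gt":
        return (n + 1, 65535), i + 2
    return (n, int(t[i + 2])), i + 3           # range LOW HIGH


def parse_conduit(line: str) -> Conduit:
    """Parse 'conduit permit|deny PROTO GLOBAL [op port] FOREIGN [op port]'."""
    t = line.split()
    try:
        if t[0] != "conduit" or t[1] not in ("permit", "deny"):
            raise ValueError(f"not a conduit statement: {line!r}")
        proto = t[2]
        if proto not in ("ip", "tcp", "udp", "icmp"):
            raise ValueError(f"unknown protocol {proto!r}")
        gnet, i = _addr(t, 3)
        gports, i = _ports(t, i, proto)
        fnet, i = _addr(t, i)
        fports, i = _ports(t, i, proto)
    except IndexError:
        raise ValueError(f"truncated conduit statement: {line!r}")
    if i != len(t):
        # The first attempt in the thread ends up here: 'any' is consumed as the
        # foreign address and the trailing network/mask has nowhere to go.
        raise ValueError(f"unexpected tokens {t[i:]} in {line!r}")
    return Conduit(t[1], proto, gnet, gports, fnet, fports)


def conduit_error(line: str) -> Optional[str]:
    """Return the parse error for a conduit line, or None if it parses."""
    try:
        parse_conduit(line)
        return None
    except ValueError as e:
        return str(e)


def _in_range(r: PortRange, port: int) -> bool:
    return r is None or r[0] <= port <= r[1]


def matches(c, proto, global_ip, global_port, foreign_ip, foreign_port) -> bool:
    if c.proto != "ip" and c.proto != proto:
        return False
    return (ipaddress.IPv4Address(global_ip) in c.global_net
            and ipaddress.IPv4Address(foreign_ip) in c.foreign_net
            and _in_range(c.global_ports, global_port)
            and _in_range(c.foreign_ports, foreign_port))


def flow_allowed(conduits, src_if, dst_if, proto, src_ip, src_port, dst_ip, dst_port):
    """Higher-to-lower security level passes by default; lower-to-higher (or equal)
    needs the first matching conduit to be a permit. NAT/static translation, which a
    real PIX also requires, is deliberately left out of this model."""
    if INTERFACES[src_if] > INTERFACES[dst_if]:
        return True
    for c in conduits:  # modelled as first match wins (assumption)
        if matches(c, proto, dst_ip, dst_port, src_ip, src_port):
            return c.action == "permit"
    return False


def demo() -> dict:
    """Compare the 'range 1 65000' workaround with the 'permit ip' conduit."""
    host = "192.168.31.208"
    peer = "192.168.32.42"  # constructed DMZ_Ita host inside 192.168.32.40/29
    workaround = [parse_conduit(l) for l in (
        f"conduit permit tcp host {host} range 1 65000 192.168.32.40 255.255.255.248",
        f"conduit permit udp host {host} range 1 65000 192.168.32.40 255.255.255.248")]
    fixed = [parse_conduit(f"conduit permit ip host {host} 192.168.32.40 255.255.255.248")]
    dmz_to_inside = lambda rules, proto, src, sport, dport: flow_allowed(
        rules, "DMZ_Ita", "inside", proto, src, sport, host, dport)
    return {
        "workaround_tcp_80": dmz_to_inside(workaround, "tcp", peer, 40000, 80),
        "workaround_tcp_65100": dmz_to_inside(workaround, "tcp", peer, 40000, 65100),
        "workaround_icmp": dmz_to_inside(workaround, "icmp", peer, 0, 0),
        "fixed_tcp_65100": dmz_to_inside(fixed, "tcp", peer, 40000, 65100),
        "fixed_icmp": dmz_to_inside(fixed, "icmp", peer, 0, 0),
        "fixed_outside_the_29": dmz_to_inside(fixed, "tcp", "192.168.32.50", 40000, 80),
        "inside_to_dmz_no_conduit": flow_allowed([], "inside", "DMZ_Ita", "tcp",
                                                 "192.168.31.10", 1025, peer, 80),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
    print(conduit_error("conduit permit tcp host 192.168.31.208 any 192.168.32.40 255.255.255.248"))
```

Running it prints the workaround passing TCP/80 but dropping TCP/65100 and ICMP, the `permit ip` conduit passing both while still refusing a peer outside 192.168.32.40/29, and the parse error for the rejected `any` form. On a real PIX the conduit only opens the path; the inside host also needs a static (or nat 0) translation towards DMZ_Ita, which this model does not check.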
