Help me with 2 commands please?
user name
2006-06-15 13:21:55

All you *should* need (as you said) is a static nat and an access-list that
permits the traffic through:

static (inside,outside) tcp <outside IP> <port to listen on> <inside IP> <port to listen on> netmask 255.255.255.255 0 0
access-list outside_inbound permit tcp any host <outside IP> eq <port> (you may already have this in your ACL)

The first statement actually builds a translation in the PIX that tells it
where to send traffic that comes in on that IP and Port.
The second statement is what allows the PIX to accept the traffic inbound in
the first place, instead of dropping it without giving it a second thought.

For example, to permit port 80 traffic (world wide web) to a host inside my
network at 192.168.1.10, use the following:

static (inside,outside) tcp 75.103.135.58 80 192.168.1.10 80 netmask 255.255.255.255 0 0
access-list outside_inbound permit tcp any host 75.103.135.58 eq 80

Static statements are read like the following (in Layman's Terms):

static (contacting this network,from this network) <protocol used> <outside IP to listen on> <port to listen for> <address inside to send traffic to> <port to send traffic to> netmask 255.255.255.255 0 0

Access lists are read like the following (in Layman's Terms):
access-list outside_inbound permit <this protocol> <from what source> <to what destination> eq <what port>

Hope this helps!
Aaron

----- Original Message -----
From: "opportunity4sale" <opportunity4sale@yahoo.com>
To: <PIX_Firewall@yahoogroups.com>;
Sent: Wednesday, June 14, 2006 11:27 PM
Subject: [PIX_Firewall] Help me with 2 commands please?

> I had a guy who helped me set up my PIX but now he has moved on and
> I need to add (I believe) a static & a conduit command to allow a
> user to tunnel thru the firewall to their desktop using OWA. Can
> anyone help me? Assume their station at OWA would be 1234.
>
> My current firewall is set up as: (ip's changed for security sake)
>
> interface ethernet0 auto
> interface ethernet1 auto
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> hostname MyPix
> fixup protocol ftp 21
> fixup protocol http 80
> fixup protocol h323 1720
> fixup protocol rsh 514
> fixup protocol sqlnet 1521
> fixup protocol sip 5060
> no fixup protocol smtp 25
> names
> pager lines 15
> no logging timestamp
> no logging standby
> no logging console
> no logging monitor
> no logging buffered
> no logging trap
> logging facility 20
> logging queue 512
> mtu outside 1500
> mtu inside 1500
> ip address outside 75.103.135.58 255.255.255.248
> ip address inside 10.0.0.2 255.255.255.0
> ip audit info action alarm
> ip audit attack action alarm
> pdm history enable
> arp timeout 14400
> global (outside) 1 75.103.135.62 netmask 255.255.255.248
> nat (inside) 1 0.0.0.0 0.0.0.0 0 0
> route outside 0.0.0.0 0.0.0.0 70.103.135.57 1
> static (inside,outside) 75.103.135.60 10.0.0.248 netmask 255.255.255.255 0 0
> static (inside,outside) 75.103.135.61 10.0.0.244 netmask 255.255.255.255 0 0
> access-list outside_inbound permit icmp any any
> access-list outside_inbound permit tcp any host 75.103.135.60 eq www
> access-list outside_inbound permit tcp any host 75.103.135.60 eq 3389
> access-list outside_inbound permit tcp any host 75.103.135.60 eq smtp
> access-list outside_inbound permit tcp any host 75.103.135.61 eq www
> access-list outside_inbound permit tcp any host 75.103.135.61 eq 3389
> access-list outside_inbound permit tcp any host 75.103.135.61 eq smtp
> access-list outside_inbound permit tcp any host 75.103.135.61 eq 443
> access-group outside_inbound in interface outside
> timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
> timeout rpc 0:10:00 h323 0:05:00
> timeout uauth 0:05:00 absolute
> aaa-server TACACS+ protocol tacacs+
> aaa-server RADIUS protocol radius
> no snmp-server location
> no snmp-server contact
> snmp-server community public
> no snmp-server enable traps
> telnet timeout 15
> terminal width 80
>
> Thanks a lot for any help!
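The two-halves rule in Aaron's reply (the static says where inbound traffic goes, the access-list says whether the PIX accepts it at all) can be checked mechanically. The script below is an added example, not code from the thread or from Cisco: it parses the static and access-list forms that appear on this page, assumes the ACL name outside_inbound and the PIX port names used here (www is 80), and ignores other access-list forms (network sources, object groups). The sample config is constructed from the reply's worked lines plus entries shaped like the quoted config.

```python
import re
# Added example (not from the thread): parse PIX 6.x static/access-list lines and check that
# every inbound hole has both halves the reply describes: a translation and a permit.
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "smtp": 25}
port_number = lambda t: PORT_NAMES.get(t) or int(t)
STATIC_RE = re.compile(r"^static \(inside,outside\) (?:(tcp|udp) )?(\S+) (\S+)(?: (\S+) (\S+))? netmask")
ACL_RE = re.compile(r"^access-list outside_inbound permit (tcp|udp) (?:any|host \S+) host (\S+) eq (\S+)")
# Constructed sample: the reply's worked lines plus entries shaped like the quoted config;
# the static for 75.103.135.61 is left out on purpose so the audit has something to report.
SAMPLE_CONFIG = """
static (inside,outside) tcp 75.103.135.58 80 192.168.1.10 80 netmask 255.255.255.255 0 0
static (inside,outside) 75.103.135.60 10.0.0.248 netmask 255.255.255.255 0 0
access-list outside_inbound permit tcp any host 75.103.135.58 eq 80
access-list outside_inbound permit tcp any host 75.103.135.60 eq www
access-list outside_inbound permit tcp any host 75.103.135.61 eq 443
access-group outside_inbound in interface outside
"""

def parse_statics(config):
    """Yield (global_ip, global_port, local_ip, local_port); a port of None means all ports."""
    for m in (STATIC_RE.match(l.strip()) for l in config.splitlines()):
        if m and m[1]:            # port static: proto gip gport lip lport
            yield m[2], port_number(m[3]), m[4], port_number(m[5])
        elif m:                   # one-to-one static: gip lip, every port translated
            yield m[2], None, m[3], None

def parse_inbound_acl(config):
    for m in (ACL_RE.match(l.strip()) for l in config.splitlines()):
        if m:                     # (proto, dst_ip, dst_port) of one permit line
            yield m[1], m[2], port_number(m[3])

def resolve_inbound(config, dst_ip, dst_port):
    """Where the PIX would send a TCP packet to dst_ip:dst_port, and whether the ACL admits it."""
    target = next(((lip, dst_port if lport is None else lport)
                   for gip, gport, lip, lport in parse_statics(config)
                   if gip == dst_ip and gport in (None, dst_port)), None)
    permitted = any(p == "tcp" and ip == dst_ip and port == dst_port
                    for p, ip, port in parse_inbound_acl(config))
    return target, permitted

def audit(config):
    """Statics the ACL never admits traffic to, and permits with no translation behind them."""
    statics, rules = list(parse_statics(config)), list(parse_inbound_acl(config))
    findings = [f"static {gip} -> {lip}: no permit, inbound traffic is dropped"
                for gip, gport, lip, _ in statics
                if not any(ip == gip and gport in (None, port) for _, ip, port in rules)]
    findings += [f"permit {proto} {ip}:{port}: no static, the PIX has nowhere to send it"
                 for proto, ip, port in rules
                 if not any(gip == ip and gport in (None, port) for gip, gport, _, _ in statics)]
    return findings
```

Running `resolve_inbound(SAMPLE_CONFIG, "75.103.135.60", 3389)` shows the case the reply warns about: the one-to-one static translates the port, but with no matching permit the PIX drops the packet before the translation is ever used.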
