Technically, the Pix doesn't work with destination / source.  The syntax is:

usage: [no] conduit deny|permit <protocol> <g_ip> <g_mask>
                [<operator> <port> [<port>]] <f_ip> <f_mask>
                [<operator> <port> [<port>]]
             conduit deny|permit icmp <g_ip> <g_mask>
                <f_ip> <f_mask> [<icmp_type>]

Where g = global address and f = foreign address.

However, Rodgers, you are right, and I stand corrected.  The proper line
should be:

conduit permit tcp host 128.200.111.150 eq 150 host 128.200.111.100

Sorry for the confusion, I need to remember not to post until I've had my
coffee.  

K
-----
Kristopher B. Climie, CCNP, CCDP

> From: [EMAIL PROTECTED] ("Rodgers Moore")
> Organization: GroupStudy.com Discussion Groups
> Newsgroups: groupstudy.cisco
> Date: 12 Sep 2000 08:47:50 -0400
> Subject: Re: pix
> 
> The PIX does it backwards to the rest of Cisco.  In conduits, it's
> destination, source not the other way around.
> 
> Rodgers Moore
> 
> "Kristopher B. Climie" <[EMAIL PROTECTED]> wrote in message
> news:8pl3cd$8cu$[EMAIL PROTECTED]...
>> It looks to me that your conduit is wrong.  Your line is "conduit permit tcp
>> host 128.200.111.100 eq 135 host 128.200.111.150 eq 135"  In plain English
>> what this says is, "Let any traffic originating from 128.200.111.100 on TCP
>> port 135 go to server 128.200.111.150, to TCP port 135."  The key to the
>> reason that it is not working is the first "eq 135".  Personally, I have not
>> found a way to specify what the originating port is at the server.  Usually
>> the source port is a randomly generated port number, and the important one
>> is the destination port.  The line should read, "conduit permit tcp host
>> 128.200.111.100 host 128.200.111.150 eq 135"
>> 
>> K
>> 
>> -----
>> 
>> Kristopher B. Climie, CCNP, CCDP
>> 
>> <[EMAIL PROTECTED]> wrote in message
>> news:D528DF24AEBCD311A17700508B92CBBF101F47@NEWMAN...
>>> Hi,
>>> 
>>> You need to add a static statement to the internal server but something
>>> that goes like that:
>>> Static (inside,outside/dmz-I didn't really understand from your mail where it
>>> is located) 10.10.1.150 10.10.1.150.
>>> The conduit you already have.
>>> The static statement that I wrote actually says that the IP address can be
>>> reached but the appropriate conduit.
>>> This is the way I usually do it.
>>> 
>>> 
>>> GIL
>>> CCNA,CCDA
>>> 
>>> -----Original Message-----
>>> From: SH Wesson [mailto:[EMAIL PROTECTED]]
>>> Sent: ??? ??? 11 ?????? 2000 13:14
>>> To: [EMAIL PROTECTED]
>>> Subject: pix
>>> 
>>> 
>>> I am using a Cisco PIX 520 with an inside interface and an outside
>>> interface.  I have the following scenario:
>>> 
>>> Internal server has an address of 10.10.1.150, the external server has an
>>> ip address of 128.200.111.100.  The external server is in the dmz zone.  The
>>> internal server has been assigned a global address of 128.200.111.150 that
>>> maps to the inside server of ip address 10.10.1.150.  I want the external
>>> server of 128.200.111.100 to be able to communicate with the inside server
>>> only through port 135.
>>> 
>>> I assigned a static ip address to the inside host with the following
>>> command:
>>> 
>>> static (inside,outside) 128.200.111.150 10.10.1.150 netmask 255.255.255.255 0 0
>>> 
>>> 
>>> I assigned the permission for the external server to be able to access the
>>> inside server only via port 135 using the following command.
>>> 
>>> conduit permit tcp host 128.200.111.100 eq 135 host 128.200.111.150 eq 135
>>> 
>>> 
>>> Is this the right way of doing it?  If I'm doing it wrong, can someone show
>>> me how to do this.
>>> 
>>> Thanks.
>>> 
>>> **NOTE: New CCNA/CCDA List has been formed. For more information go to
>>> http://www.groupstudy.com/list/Associates.html
>>> _________________________________
>>> UPDATED Posting Guidelines: http://www.groupstudy.com/list/guide.html
>>> FAQ, list archives, and subscription info: http://www.groupstudy.com
>>> Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
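[Added example, not part of the original thread and not Cisco code: a small Python check that splits a tcp/udp conduit line into its global and foreign halves, following the usage text quoted above, and flags the two mistakes discussed here (addresses in the wrong order, a pinned foreign port). The function names, the static_globals input and the operator list beyond "eq" are assumptions of this example.]

```python
# Added example; parse_conduit / lint_conduit are hypothetical helper names.
OPS = {"eq": 1, "lt": 1, "gt": 1, "neq": 1, "range": 2}  # operator -> port arguments

def _take_addr(tok):
    """Consume 'host <ip>', 'any' or '<ip> <mask>' from the front of tok."""
    head = tok.pop(0)
    if head == "host":
        return tok.pop(0), "255.255.255.255"
    if head == "any":
        return "0.0.0.0", "0.0.0.0"
    return head, tok.pop(0)

def _take_ports(tok):
    """Consume an optional '<operator> <port> [<port>]' clause."""
    if tok and tok[0] in OPS:
        op = tok.pop(0)
        return [op] + [tok.pop(0) for _ in range(OPS[op])]
    return None

def parse_conduit(line):
    """Split a conduit into its global (g_*) and foreign (f_*) halves."""
    tok = line.split()
    if len(tok) < 3 or tok[0] != "conduit" or tok[1] not in ("permit", "deny"):
        raise ValueError("not a conduit statement: %r" % line)
    rule = {"action": tok[1], "protocol": tok[2]}
    rest = tok[3:]
    try:
        rule["g_ip"], rule["g_mask"] = _take_addr(rest)
        rule["g_port"] = _take_ports(rest)
        rule["f_ip"], rule["f_mask"] = _take_addr(rest)
        rule["f_port"] = _take_ports(rest)
    except IndexError:
        raise ValueError("truncated conduit statement: %r" % line)
    if rest:
        raise ValueError("unexpected trailing tokens: %r" % rest)
    return rule

def lint_conduit(line, static_globals):
    """Return warnings; static_globals = global IPs from the static statements (assumed input)."""
    r, warn = parse_conduit(line), []
    if r["g_ip"] != "0.0.0.0" and r["g_ip"] not in static_globals:
        warn.append("g_ip %s has no static mapping" % r["g_ip"])
        if r["f_ip"] in static_globals:
            warn.append("global and foreign addresses look swapped")
    if r["f_port"]:
        warn.append("foreign port pinned; client source ports are normally random")
    if r["action"] == "permit" and r["protocol"] in ("tcp", "udp") and not r["g_port"]:
        warn.append("no port on the global side; every port is exposed")
    return warn
```

Called with static_globals = {"128.200.111.150"}, the conduit from the original question produces three warnings, while a line in the order "global address and port first, foreign address second" produces none.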