You are asking for grief if you mix conduits and access lists - use one or the other 
(and keep in mind that conduits are deprecated). In any case, it looks like your 
access list is broken. You probably want something like..
 
access-list 103 deny tcp any host 207.x.x.x eq 3001
access-list 103 permit ip any any
 
..although that's a very open policy. Any host with a static will be naked in public - 
a bit of a nightmare ;-)
 
Keep in mind that the PIX does not use wildcard masks like IOS and that, like IOS, the 
PIX has an implicit deny all at the end of an ACL.
 
cheers,
-dale


        -----Original Message----- 
        From: Chuck Scott [mailto:[EMAIL PROTECTED]] 
        Sent: Sat 4/05/2002 6:58 
        To: [EMAIL PROTECTED]; [EMAIL PROTECTED] 
        Cc: 
        Subject: RE: Access lists and PIX 5.1 IOS
        
        

        That did it.  Thanks!  Since you seem to be the man, <grin>, I have another
        quick question for you.  If I want that same external subnet to have access to a
        specific IP on my internal subnet, (i.e.: 192.168.10.x), and not a DMZ, would I use
        this for the static command:
        
        static (inside,outside) 207.0.0.2 192.168.10.25 netmask 255.255.255.255 0 0
        
        Where 207.0.0.2 is the public IP and 192.168.10.25 is the device on my
        internal subnet?  Also, do I need to modify the conduit statement?
        
        Thanks again!
        
        
        >>> "Fei Yang" <[EMAIL PROTECTED]> 05/03/02 01:40PM >>>
        Your static and conduit commands make all outside hosts able to access
        TCP port 3001 on host 207.x.x.x. But your access list seems to deny outside
        hosts access to 207.x.x.x TCP 3001. I'm not sure which command the PIX will
        execute first, or which command will override the other one. But say you want
        outside subnet 200.0.0.0/8 to access TCP 3001 on your host 207.x.x.x, and block
        all others; you can use the static and conduit as follows:
        
        static  (DMZ-WEB,outside) 207.x.x.x 192.168.x.x netmask 255.255.255.255 0 0
        conduit permit tcp host 207.x.x.x eq 3001 200.0.0.0 255.0.0.0
        
        And, erase all access list commands.
        Fei.
        
        -----Original Message-----
        From: Chuck Scott [mailto:[EMAIL PROTECTED]]
        Sent: Friday, May 03, 2002 4:20 PM
        To: [EMAIL PROTECTED]
        Subject: Access lists and PIX 5.1 IOS
        
        
        I have a PIX 515 running IOS 5.1.  I need to block access to a specific port
        from the outside world and allow only a specified subnet access.  Here is what I have
        so far:
        
        access-list 103 permit ip any any
        access-list 103 deny tcp any eq 3001 host 207.x.x.x
        access-group 103 in interface outside
        
        I was hoping this would block all access, (for testing purposes), but it did
        not. I am fairly new to the PIX but have done a lot of router work in the past so I am
        a bit stumped.  There is a conduit statement in the config so I will include that in
        case that is a problem:
        
        conduit permit tcp host 207.x.x.x eq 3001 any
        
        And a static statement:
        
        static (DMZ-WEB,outside) 207.x.x.x 192.168.x.x netmask 255.255.255.255 0 0
        
        Thanks in advance...
        
        Chuck
        

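The points dale makes at the top of the thread (first match wins, the PIX takes real subnet masks rather than IOS wildcards, and an unmatched packet falls to the implicit deny) can be checked with a small first-match evaluator. The following is an added example, not code from anyone in the thread: it models PIX extended ACL syntax just far enough to evaluate the three lists discussed. 207.0.0.2 stands in for the thread's 207.x.x.x, the source addresses 200.0.0.5 and 10.9.9.9 are constructed test values, and the third list is my own rendering of Fei's conduit as an access-list entry, which is an assumption about the intended policy rather than anything the thread posted.

```python
"""First-match evaluation of PIX-style extended access lists (added example).

Three lists are evaluated against the same traffic:
  CHUCK_ACL  - the list as originally posted: 'permit ip any any' matches first,
               and the deny line puts 'eq 3001' on the SOURCE port, so even
               reordered it would only block packets whose source port is 3001.
  DALE_ACL   - the reordered list with 'eq 3001' on the destination host.
  SUBNET_ACL - my access-list rendering of Fei's conduit (assumption): only
               200.0.0.0/8 may reach TCP 3001; everything else hits the
               implicit deny because there is no 'permit ip any any'.
207.0.0.2 replaces the thread's 207.x.x.x; source addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

CHUCK_ACL = """
access-list 103 permit ip any any
access-list 103 deny tcp any eq 3001 host 207.0.0.2
"""

DALE_ACL = """
access-list 103 deny tcp any host 207.0.0.2 eq 3001
access-list 103 permit ip any any
"""

# PIX syntax: a real subnet mask (255.0.0.0), not an IOS wildcard (0.255.255.255).
SUBNET_ACL = """
access-list 103 permit tcp 200.0.0.0 255.0.0.0 host 207.0.0.2 eq 3001
"""


@dataclass(frozen=True)
class Endpoint:
    net: ipaddress.IPv4Network
    port: Optional[int]  # None means any port

    def matches(self, addr: str, port: int) -> bool:
        return (ipaddress.IPv4Address(addr) in self.net
                and (self.port is None or self.port == port))


@dataclass(frozen=True)
class Ace:
    action: str   # "permit" or "deny"
    proto: str    # "ip", "tcp" or "udp"
    src: Endpoint
    dst: Endpoint


def _parse_endpoint(tokens, i):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D MASK' plus optional 'eq PORT'."""
    if tokens[i] == "any":
        net, i = ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    elif tokens[i] == "host":
        net, i = ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    else:
        net, i = ipaddress.IPv4Network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2
    port = None
    if i < len(tokens) and tokens[i] == "eq":
        port, i = int(tokens[i + 1]), i + 2
    return Endpoint(net, port), i


def parse_acl(config: str, acl_id: str) -> list[Ace]:
    """Collect the access-list lines for acl_id, preserving configuration order."""
    aces = []
    for line in config.splitlines():
        t = line.split()
        if len(t) < 6 or t[:2] != ["access-list", acl_id]:
            continue
        src, i = _parse_endpoint(t, 4)
        dst, _ = _parse_endpoint(t, i)
        aces.append(Ace(t[2], t[3], src, dst))
    return aces


def evaluate(aces, proto, src, sport, dst, dport) -> str:
    """Return the action of the first matching entry; no match is the implicit deny."""
    for ace in aces:
        if ace.proto not in ("ip", proto):
            continue
        if ace.src.matches(src, sport) and ace.dst.matches(dst, dport):
            return ace.action
    return "deny (implicit)"


if __name__ == "__main__":
    pkt = ("tcp", "10.9.9.9", 40000, "207.0.0.2", 3001)  # outside host -> port 3001
    for name, cfg in (("chuck", CHUCK_ACL), ("dale", DALE_ACL), ("subnet", SUBNET_ACL)):
        print(f"{name:7s} {evaluate(parse_acl(cfg, '103'), *pkt)}")
```

Running it shows Chuck's list permitting the connection, dale's denying it, and the subnet list permitting only sources inside 200.0.0.0/8; an arbitrary outside host, or a 200.x host aiming at a port other than 3001, falls through to the implicit deny. Reversing Chuck's two lines still permits the test packet, because his deny matched the source port rather than the destination, which is a separate defect from the ordering.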