
Pix is confusing me now.

18 years 8 months ago #9620 by Xtreme
Hi all..
I'm getting confused with the access lists on the PIX.

I have NATted (inside,outside) a global IP XYZ to a private IP 123
...

Now let's say that I'm running an FTP server on the local machine on port 30 and I want users from outside to be able to access it through the PIX.

So I will use an access list.

The PIX has 2 interfaces (assuming I'm not using a DMZ).

Inside(prvt)----[===]
(glbl)Outside

Q1. Where shall I assign the access list? (using grouping on the interfaces)

Q2. The access-list command should look like this, but which one?
host (local|global) to any
or
any to host (local|global) ?

access-list (interfacename) permit tcp any host IPADDY eq 30

Which IP should I give, the local or the external? And should it be ANY to IP
or
IP to ANY ?

I will be glad if someone can help me understand this; I don't know whether what I'm doing is right or wrong.
Thanks.
18 years 8 months ago #9685 by sidd
Replied by sidd on topic Pix is confusing me now.
Hi,

Let's assume that you have an FTP server on the inside network. Its IP address is 192.168.1.25. You want the users from the outside to be able to access it. For that you need to create two things:
1) An access list for an interface
2) A static entry

So let's assume that you have the public IP address x.x.x.x (Note: this x.x.x.x is not supposed to be used anywhere else; it has to be a free IP address).

So the static entry would be as follows for the internal FTP server:

static (inside,outside) x.x.x.x 192.168.1.25

This command would map the internal IP address directly to the external IP address, but people would still not be able to communicate with your public IP address because we have not created the access rule for that specific interface...

So the access rule would be like:

access-list 101 permit tcp any host x.x.x.x eq ftp

Now this command says that an access list by the name of 101 would permit communication over the TCP protocol from any source to a specific host, which is x.x.x.x, on a specific port, 21.

Now since the users would be coming from outside to inside, that access list has to be bound on the outside interface of the firewall, and to achieve that we apply the access-group command:

access-group 101 in interface outside


A few things that you should keep handy with the PIX firewall are:

static (high,low) low high {formula for the static command}

The inside interface of the PIX would always be at security 100 and outside would be 0. The security on the DMZ would always be between 1-99....
What difference does it make? Well, anything coming from a high security zone going to a low security zone is always allowed.... inside interface to outside interface...

And anything from a low security zone to a high security zone is always dropped... outside to inside...

So inside to outside is always allowed and inside to DMZ is always allowed, but from outside to inside is always dropped and outside to DMZ is also always dropped. And from DMZ to inside is also dropped.....


In case you still have any doubts, feel free to get back to me..........

sidd
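The decision logic sidd describes (static translation, an access-list matched on the global address, access-group bound on the ingress interface, and the security-level default when no ACL applies) as an added, runnable model. This is example code written for this thread, not code from the PIX or from either poster. The config text, the security level 50 for the DMZ, the routing table, and the addresses 203.0.113.25 (standing in for x.x.x.x), 198.51.100.7 and 10.1.2.0/24 are all constructed; the outbound nat/global pair the original poster already has is assumed present and not modelled.

```python
"""Model of how a PIX 6.x passes or drops a flow, built from the recipe in the
thread: static + access-list + access-group, plus the security-level default.
Everything below (config, addresses, routes) is constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Security levels as sidd describes them: inside 100, outside 0, DMZ in between (50 assumed).
SECURITY_LEVEL = {"inside": 100, "dmz": 50, "outside": 0}

# Constructed stand-in for the PIX route lookup: connected nets, default route to outside.
CONNECTED_NETS = {"inside": "192.168.1.0/24", "dmz": "10.1.2.0/24"}
DEFAULT_IFC = "outside"
PORT_NAMES = {"ftp": 21, "www": 80}  # the few service names this toy parser understands

# Constructed config: 203.0.113.25 plays the role of the free public address x.x.x.x.
PIX_CONFIG = """
static (inside,outside) 203.0.113.25 192.168.1.25
access-list 101 permit tcp any host 203.0.113.25 eq ftp
access-group 101 in interface outside
"""


@dataclass
class Static:
    real_ifc: str      # high-security side (inside)
    mapped_ifc: str    # low-security side (outside)
    mapped_ip: str     # global address seen from mapped_ifc
    real_ip: str       # private address of the host


@dataclass
class Ace:
    action: str
    proto: str
    src: str           # "any" or a host address
    dst: str           # "any" or a host address
    dport: Optional[int]


@dataclass
class Config:
    statics: List[Static]
    acls: Dict[str, List[Ace]]
    bindings: Dict[str, str]   # ingress interface -> ACL name bound with "access-group ... in"


def _take_addr(tok: List[str]) -> Tuple[str, List[str]]:
    """Consume 'any' or 'host X' from the front of an ACE token list."""
    if tok[0] == "any":
        return "any", tok[1:]
    if tok[0] == "host":
        return tok[1], tok[2:]
    raise ValueError(f"unsupported address form: {tok}")


def parse_config(text: str) -> Config:
    cfg = Config(statics=[], acls={}, bindings={})
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[0] == "static":                      # static (real,mapped) MAPPED_IP REAL_IP
            real_ifc, mapped_ifc = tok[1].strip("()").split(",")
            cfg.statics.append(Static(real_ifc, mapped_ifc, tok[2], tok[3]))
        elif tok[0] == "access-list":               # access-list NAME permit|deny PROTO SRC DST [eq PORT]
            name, action, proto, rest = tok[1], tok[2], tok[3], tok[4:]
            src, rest = _take_addr(rest)
            dst, rest = _take_addr(rest)
            dport = None
            if rest[:1] == ["eq"]:
                dport = PORT_NAMES.get(rest[1]) or int(rest[1])
            cfg.acls.setdefault(name, []).append(Ace(action, proto, src, dst, dport))
        elif tok[0] == "access-group":              # access-group NAME in interface IFC
            cfg.bindings[tok[4]] = tok[1]
    return cfg


def egress_interface(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for ifc, net in CONNECTED_NETS.items():
        if addr in ipaddress.ip_network(net):
            return ifc
    return DEFAULT_IFC


def ace_matches(ace: Ace, proto: str, src: str, dst: str, dport: int) -> bool:
    return (ace.proto == proto and ace.src in ("any", src)
            and ace.dst in ("any", dst) and (ace.dport is None or ace.dport == dport))


def evaluate(cfg: Config, ingress: str, proto: str, src: str, dst: str, dport: int):
    """Return (allowed, reason, egress_interface, destination_after_untranslation)."""
    # 1. The ACL bound inbound on the ingress interface sees the packet as it arrives,
    #    so on the outside interface it must name the GLOBAL (mapped) address.
    acl_name = cfg.bindings.get(ingress)
    if acl_name:
        for ace in cfg.acls[acl_name]:
            if ace_matches(ace, proto, src, dst, dport):
                if ace.action == "deny":
                    return False, f"denied by {acl_name}", None, dst
                break
        else:
            return False, f"implicit deny at end of {acl_name}", None, dst
    # 2. Untranslate the destination through a matching static, then route the real address.
    real_dst = dst
    for s in cfg.statics:
        if s.mapped_ifc == ingress and s.mapped_ip == dst:
            real_dst = s.real_ip
    egress = egress_interface(real_dst)
    lvl_in, lvl_out = SECURITY_LEVEL[ingress], SECURITY_LEVEL[egress]
    # 3. With no ACL on the ingress interface, only high-to-low security traffic passes.
    if not acl_name and lvl_in <= lvl_out:
        return False, f"{ingress}({lvl_in}) -> {egress}({lvl_out}) has no ACL permitting it", egress, real_dst
    # 4. Low-to-high traffic also needs a static so the PIX knows the real host.
    if lvl_in < lvl_out and real_dst == dst:
        return False, "no static translation for destination", egress, real_dst
    return True, "permitted", egress, real_dst


if __name__ == "__main__":
    cfg = parse_config(PIX_CONFIG)
    for flow in [("outside", "tcp", "198.51.100.7", "203.0.113.25", 21),   # FTP to the global IP
                 ("outside", "tcp", "198.51.100.7", "203.0.113.25", 30),   # port not in the ACL
                 ("outside", "tcp", "198.51.100.7", "192.168.1.25", 21),   # private IP in the header
                 ("inside", "tcp", "192.168.1.50", "198.51.100.7", 80),    # high to low, no ACL needed
                 ("dmz", "tcp", "10.1.2.9", "192.168.1.25", 21)]:          # low to high, dropped
        print(flow, "->", evaluate(cfg, *flow))
```

Running it answers both of the original questions in one table: the access-group goes on the outside interface (the ingress side of the traffic), the ACL names the global address, and a packet addressed to the private address never matches; the last two flows show the security-level default doing its work when no ACL is bound.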