Posted by bruce on September 8, 2008, 11:24 am
Hi,

I needed help in understanding the following in the Cisco PIX config. I have network object-groups named SMTP_SERVERS and EXCHANGE_SERVERS, and a service object-group named SMTP.

My query is then why should I be using the following statement in my config:

"access-list IN permit tcp object-group EXCHANGE_SERVERS object-group SMTP_servers object-group SMTP"

What is the meaning of the above statement?
Posted by Gabriele Beltrame on September 8, 2008, 1:50 pm
> Hi,
> I needed help in understanding the following in the Cisco PIX config.
> I have network object-groups named SMTP_SERVERS and EXCHANGE_SERVERS,
> and a service object-group named SMTP.
>
> My query is then why should I be using the following statement in my config:
>
> "access-list IN permit tcp object-group EXCHANGE_SERVERS object-group
> SMTP_servers object-group SMTP"
>
> What is the meaning of the above statement?

Hi,

In the access list above the EXCHANGE_SERVERS group represents the source address(es), the SMTP_servers group represents the destination address(es) and the SMTP group represents the destination port(s). The use of the various group types is merely an administration convenience.

Regards,
Gabriele
Posted by bruce on September 9, 2008, 2:28 am
> In the access list above the EXCHANGE_SERVERS group represents the source
> address(es), the SMTP_servers group represents the destination address(es)
> and the SMTP group represents the destination port(s).
> The use of the various group types is merely an administration convenience.
>
> Regards,
> Gabriele

Hi Gabriele,

Thanks for your response, it made things clearer to me. There is some more clarification I need, though; could you please help out with the following config:

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security10
object-group network SMTP_SERVERS
 network-object host 129.17.10.51
 network-object host 129.17.10.52
 network-object host 129.17.10.53
 network-object host 129.17.10.54
access-list out permit tcp host 203.17.40.10 host 205.198.114.54 eq smtp
access-list out permit tcp any host 205.198.114.55 eq https
access-list out permit tcp host 203.17.40.11 host 205.198.114.54 eq smtp
access-list out permit tcp any host 205.198.114.53 eq smtp
access-list out permit tcp host 203.17.40.3 host 205.198.114.54 eq smtp
logging host DMZ 129.17.10.53
ip address outside 205.198.114.49 255.255.255.240
ip address inside 129.17.10.30 255.255.255.240
ip address DMZ 129.17.10.78 255.255.255.240
global (outside) 1 interface
global (DMZ) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (DMZ) 0 0.0.0.0 0.0.0.0 0 0
static (DMZ,outside) 205.198.114.54 129.17.10.51 netmask 255.255.255.255 0 0
static (DMZ,outside) 205.198.114.53 129.17.10.52 netmask 255.255.255.255 0 0
static (DMZ,outside) 205.198.114.55 129.17.10.50 netmask 255.255.255.255 0 0
static (inside,DMZ) 129.17.8.128 172.27.8.128 netmask 255.255.255.128 0 0
static (DMZ,outside) 205.198.114.56 129.17.10.54 netmask 255.255.255.255 0 0
static (DMZ,outside) 205.198.114.57 129.17.10.55 netmask 255.255.255.255 0 0
static (DMZ,outside) 205.198.114.58 129.17.10.53 netmask 255.255.255.255 0 0
access-group out in interface outside
access-group inside in interface inside
access-group dmz in interface DMZ
route outside 0.0.0.0 0.0.0.0 205.198.114.50 1

Notice that in the above config there are no corresponding access-list statements for some of the static mappings. Will they work with this type of static mapping for the DMZ? Also, there is one static mapping mapped to the same IP address; I cannot figure this out. Thirdly, there is the "0 0" at the end of the static mapping; what is it for?
Posted by Gabriele Beltrame on September 9, 2008, 6:04 am
> Hi Gabriele,
>
> Thanks for your response, it made things clearer to me. There is some more
> clarification I need, though; could you please help out with the following config:
> ...
> ...
>
> static (DMZ,outside) 205.198.114.54 129.17.10.51 netmask 255.255.255.255 0 0
> static (inside,DMZ) 129.17.8.128 172.27.8.128 netmask 255.255.255.128 0 0
>
> access-group out in interface outside
> access-group inside in interface inside
> access-group dmz in interface DMZ
>
> Notice that in the above config there are no corresponding access-list
> statements for some of the static mappings. Will they work with this type of
> static mapping for the DMZ?
> Also, there is one static mapping mapped to the same IP address; I cannot
> figure this out.
> Thirdly, there is the "0 0" at the end of the static mapping; what is it for?

Hi,

It has been a while since I last configured a PIX/ASA, but generally a connection is always permitted from a higher security interface to a lower security one as soon as an address translation can be done (on the FWSM an ACL must always be in place). From the config statements it seems that there should also be the "inside" and "dmz" ACLs around (unless they've been deleted).

The "0 0" after the statics are most likely the TCP "max connections limit" (none in this case) and the TCP "embryonic limit" (none in this case).

Regards,
Gabriele

Cisco PIX config statement