ACL changes need expert review please

I'm looking for some expert help to verify my command entries please.

My current PIX501 configuration is as follows, minus parts I don't think are needed to answer this.

----Parts omitted----
object-group service ABC tcp
  port-object eq smtp
  port-object eq 3389
  port-object eq https
access-list 100 permit tcp any any object-group ABC
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
----Parts omitted----
icmp permit any outside
icmp permit any inside
----Parts omitted----
static (inside,outside) tcp interface https 192.168.2.2 https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 192.168.2.2 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 192.168.2.2 smtp netmask 255.255.255.255 0 0
access-group 100 in interface outside
----Parts omitted----

I want to change the configuration so that SMTP goes to a different internal address and so that only certain IPs can access the server via 3389. No change to HTTPS. I don't care if I keep the object-group (someone else had helped me with that one a while back).

The following are the commands that I believe will need to be entered in order to do these things. x.x.x.x designates the outside IP addresses, one per line. 192.168.2.4 is the new address to send SMTP traffic to.

conf t
no port-object eq smtp
no port-object eq 3389
no port-object eq https
no object-group service ABC tcp
no access-list 100 permit tcp any any object-group ABC
no static (inside,outside) tcp interface smtp 192.168.2.2 smtp netmask 255.255.255.255 0 0
access-list 100 permit tcp host x.x.x.x host 192.168.2.2 eq 3389
access-list 100 permit tcp host x.x.x.x host 192.168.2.2 eq 3389
access-list 100 permit tcp any any eq https
access-list 100 permit tcp any any eq smtp
static (inside,outside) tcp interface smtp 192.168.2.4 smtp netmask 255.255.255.255 0 0
write mem

Do I have it right and in the right order? What am I missing or written wrong? Also, do I have a security risk with my current ICMP configurations? What would you change there and why?

Thanks in advance

Rick
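The change set below is an added, editor-written example of how the three requested changes (move SMTP, restrict 3389, tighten ICMP) can be ordered on a PIX 501; it is not the poster's configuration and not a vendor-supplied answer. It assumes PIX OS 6.x behaviour, where an access-list applied to the outside interface is matched against the translated (outside) address, so the destination of the inbound rules is the outside interface IP rather than the inside host; <OUTSIDE-IP> is a placeholder for that address, and 203.0.113.10 and 203.0.113.11 are constructed stand-ins for the two permitted 3389 source hosts (the poster's x.x.x.x). Port-object names, interface names and the 192.168.2.x addresses are taken from the post.

```text
! Added example, not from the original post. Assumes PIX OS 6.x; see lead-in.
conf t
!
! 1. Remove the ACL line that references the object-group before deleting
!    the group itself: the PIX refuses to remove an object-group that an
!    access-list still uses. Deleting the group also removes its port-objects,
!    so they do not need to be removed one by one.
no access-list 100 permit tcp any any object-group ABC
no object-group service ABC tcp
!
! 2. Move the SMTP port redirection: remove the old static before adding the
!    new one, otherwise the second entry conflicts with the first.
no static (inside,outside) tcp interface smtp 192.168.2.2 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 192.168.2.4 smtp netmask 255.255.255.255 0 0
!
! 3. Rebuild the inbound policy. Entries are evaluated top-down, first match
!    wins, and anything not permitted is dropped, so no "any" permit for 3389
!    may remain anywhere in access-list 100. Destination is the outside
!    interface address because the ACL sees the packet before translation.
access-list 100 permit tcp host 203.0.113.10 host <OUTSIDE-IP> eq 3389
access-list 100 permit tcp host 203.0.113.11 host <OUTSIDE-IP> eq 3389
access-list 100 permit tcp any host <OUTSIDE-IP> eq https
access-list 100 permit tcp any host <OUTSIDE-IP> eq smtp
!
! 4. ICMP addressed to the firewall itself. "icmp permit any outside" lets
!    the PIX answer every ICMP type on its outside interface (echo, timestamp,
!    address-mask requests, ...), which is more than path MTU discovery and
!    traceroute need. Keep only the reply types; once any icmp rule exists,
!    types not listed are denied by the implicit deny at the end of the list.
no icmp permit any outside
icmp permit any echo-reply outside
icmp permit any unreachable outside
icmp permit any time-exceeded outside
!
write mem
```

The existing `access-list 100 permit icmp any any echo-reply|time-exceeded|unreachable` lines govern ICMP passing through the firewall and stay as they are; the `icmp` commands above only control what the PIX answers on its own interfaces. After applying, `show access-list 100` should show hit counts only on the two host-specific 3389 entries when a permitted source connects, and a connection attempt from any other address should produce a deny entry in the syslog rather than a hit on an `any` rule.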
