I am testing our new webserver that will replace our existing one - I have assigned it a public IP - I want to create a rule on the PIX 506 to allow any traffic from that webserver inside.
Would I simply enter our existing config and on the command line enter
access-list out_in permit tcp any host eq any
and that's it? Would I need to enter this as well?
That would have to do with permitting new tcp connections to the server, not with permitting the traffic -from- the inside webserver to outside.
That tends to suggest you are concerned about new connections from outside to inside.
You asked about "any traffic", but you have permitted only tcp traffic. Change the 'tcp' to 'ip' for "any traffic" (or as close as the PIX gets.) The PIX won't allow through IPX traffic, for example, and it will not allow through tcp packets that suddenly appear "mid conversation" or tcp packets with incorrect sequence numbers, so it isn't the same as "all traffic"... but it's probably what you really want anyhow.
You will need a 'static' command or a 'nat 0 access-list' command that matches the public IP of the server to the internal IP, even if the internal IP is the same as the public IP. The PIX uses a two-part test: there has to be a translation to get the packet to the right place, and the attempted traffic must fit within the access controls configured via the access-group command.
I basically have the webserver outside the firewall trying to access a DB inside the firewall on ports 3050 and 3051 - I want to test it out without creating a long ACL. So I want to allow any tcp traffic on any port coming from our Webserver to our DB server temporarily to make sure it works. I want to know if I have to clear the existing NAT stuff in order to populate this new rule or if I can just add it in.
Not if you only -modify- the access-list named. If you completely delete the access-list named then the PIX will immediately remove the access-group command from the configuration -- so if you want to update an access list by clearing it and entering the new version, you have to re-enter the access-group command. That does not apply if you change the access-list in place without removing it.
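For anyone finding this thread later, here is a constructed PIX 6.x config fragment that ties the two answers above together (the static/translation plus access-list/access-group pair, and what happens when you delete versus edit the list). It is an added example, not config posted by either person in the thread. The addresses (203.0.113.80 for the outside webserver, 203.0.113.50 as the public address of the DB server, 10.1.1.50 as its inside address) and the interface names are assumptions; substitute your own.

```cisco
! --- Part 1: the translation (first half of the PIX two-part test) ---
! Publish the inside DB server on a global address. Required even if the
! inside address equals the public one (then both addresses are the same).
static (inside,outside) 203.0.113.50 10.1.1.50 netmask 255.255.255.255 0 0
! Alternative for an un-translated (identity) host: nat 0 with an ACL
! access-list nonat permit ip host 10.1.1.50 host 203.0.113.80
! nat (inside) 0 access-list nonat

! --- Part 2: the access control (second half of the test) ---
! On a PIX 6.x outside ACL the destination is the GLOBAL (translated) address.
! What was originally asked for: any TCP from the webserver to the DB server
access-list out_in permit tcp host 203.0.113.80 host 203.0.113.50
! "Any traffic" (as close as the PIX gets): use ip instead of tcp
access-list out_in permit ip host 203.0.113.80 host 203.0.113.50
! Tighter production version once the test is done: only the two DB ports
access-list out_in permit tcp host 203.0.113.80 host 203.0.113.50 range 3050 3051
! Bind the list inbound on the outside interface
access-group out_in in interface outside
! Existing xlate entries are not re-evaluated; clear them after adding a static
clear xlate

! --- Editing in place keeps the access-group binding ---
no access-list out_in permit ip host 203.0.113.80 host 203.0.113.50

! --- Deleting the whole list also removes the access-group line ---
no access-list out_in
! ...so after re-populating it you must re-apply the binding:
access-list out_in permit tcp host 203.0.113.80 host 203.0.113.50 range 3050 3051
access-group out_in in interface outside

! Verify: the list should show hit counts climbing, and the binding should exist
show access-list out_in
show running-config access-group
```

The temporary "permit ip" line is what makes the test easy, but it also lets the outside webserver reach every port on the DB server, so remove it (and keep only the 3050-3051 line) before the box goes into production. Likewise, a missing "static" or "nat 0" shows up as the packet being dropped with no ACL hit at all, which is why checking both halves of the PIX test beats staring at the access-list alone.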
Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here.