Cisco PIX

Hello,

I am trying to allow access from a lower security interface (caffe network, 192.168.3.0/24) to an SQL server (192.168.2.1, tcp 1433 and udp 1434) located on a higher security interface (ksieg) (I know I should not do this, but I need to :( ). I do the following:

access-list caffe_to_ksieg permit tcp 192.168.3.0 255.255.255.0 host 192.168.2.1 eq 1433
access-list caffe_to_ksieg permit udp 192.168.3.0 255.255.255.0 host 192.168.2.1 eq 1434
access-group caffe_to_ksieg in interface caffe
static (ksieg,caffe) 192.168.2.1 192.168.2.1 netmask 255.255.255.255 0

After that I am able to connect from 192.168.3.0/24 to 192.168.2.1 on 1433/tcp and 1434/udp, but I also lost access from 192.168.3.0/24 to the outside interface, so I lost my access to the internet from that network.

Is there any way to permit access from my lower to higher interface on specific ports with a specific protocol and also not lose access to the outside interface?

Please help. Thanks!

PS. PIX 506E with VLANs

bohateur

There's an implicit "deny ip any any" at the end of an access list, so the permits in your list are the only traffic that's now allowed. What you probably want to do is add a line denying all other traffic from caffe to ksieg and then permitting any other traffic, like this:

access-list caffe_to_ksieg permit tcp 192.168.3.0 255.255.255.0 host 192.168.2.1 eq 1433
access-list caffe_to_ksieg permit udp 192.168.3.0 255.255.255.0 host 192.168.2.1 eq 1434
access-list caffe_to_ksieg deny ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list caffe_to_ksieg permit ip any any

Sam

Sam Wilson

Sam Wilson writes:

Thank you! Now it works fine and I understand what happened. I have one more question. By default the Cisco PIX permits access from a higher security interface to a lower security interface. But I need to use global to use that, right? But if I use global on the lower security interface, then I have full IP access from higher to lower, so full access to all hosts on the lower security interface. Is there any way to gain access from the higher security interface to only one specific host on the lower security interface and only to SQL Server (1433/tcp, 1434/udp)?

Adam

bohateur

Not necessarily - depends on whether you're actually translating addresses or not - I think we'd have to see more of your configuration to be able to help.

Yep, access lists again, applied either inbound on the higher security interface or outbound on the lower security one.

Sam

Sam Wilson
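To make the first-match and implicit-deny behaviour behind Sam's replies concrete, here is an added example in Python, written for this page (it is not code from the thread, from the posters, or from Cisco). It parses the exact access-list lines posted above and reports the PIX decision for a handful of constructed flows, using the rule the PIX applies: entries are checked top-down, the first match decides, and a packet matching nothing is dropped by the implicit "deny ip any any". It models only the syntax the thread uses (permit/deny; ip/tcp/udp; host, any, or network plus subnet mask; an optional destination "eq PORT") and ignores the static translation entirely. The flow addresses, the 198.51.100.7 "internet" host, and the ksieg_in list with its 192.168.3.5 target host are assumptions chosen for illustration; ksieg_in is one way to do what Sam's second reply suggests (an access-list applied inbound on the higher security interface), not a configuration from the thread.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    """One connection attempt as the PIX sees it arriving on an interface."""
    proto: str  # "tcp" or "udp"
    src: str
    dst: str
    dport: int

def _parse_addr(tokens, i):
    """Consume one PIX address spec at tokens[i]: 'any', 'host A', or 'A MASK'."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # PIX access-lists take a real subnet mask, not an IOS-style wildcard mask
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2

def parse_ace(line):
    """Parse 'access-list NAME permit|deny ip|tcp|udp SRC DST [eq PORT]'."""
    t = line.split()
    action, proto = t[2], t[3]
    src, i = _parse_addr(t, 4)
    dst, i = _parse_addr(t, i)
    dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}

def _matches(ace, flow):
    if ace["proto"] not in ("ip", flow.proto):
        return False
    if ipaddress.ip_address(flow.src) not in ace["src"]:
        return False
    if ipaddress.ip_address(flow.dst) not in ace["dst"]:
        return False
    return ace["dport"] is None or ace["dport"] == flow.dport

def evaluate(acl_text, flow):
    """First matching entry wins; no match falls through to the implicit 'deny ip any any'."""
    for line in filter(str.strip, acl_text.splitlines()):
        ace = parse_ace(line)
        if _matches(ace, flow):
            return ace["action"]
    return "deny"

def verdicts(acl_text, flows):
    """Map each named flow to the PIX decision under the given access-list."""
    return {name: evaluate(acl_text, flow) for name, flow in flows.items()}

# bohateur's original list: only the two SQL ports match, everything else hits the implicit deny
ORIGINAL = """
access-list caffe_to_ksieg permit tcp 192.168.3.0 255.255.255.0 host 192.168.2.1 eq 1433
access-list caffe_to_ksieg permit udp 192.168.3.0 255.255.255.0 host 192.168.2.1 eq 1434
"""
# Sam's fix: block the rest of ksieg explicitly, then let everything else (the internet) through
FIXED = ORIGINAL + """
access-list caffe_to_ksieg deny ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list caffe_to_ksieg permit ip any any
"""
# The same four lines with the last two swapped: the blanket permit now shadows the deny
WRONG_ORDER = ORIGINAL + """
access-list caffe_to_ksieg permit ip any any
access-list caffe_to_ksieg deny ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
"""
# Constructed flows from a caffe host; 198.51.100.7 stands in for an address on the internet
CAFFE_FLOWS = {
    "sql_tcp": Flow("tcp", "192.168.3.10", "192.168.2.1", 1433),
    "sql_udp": Flow("udp", "192.168.3.10", "192.168.2.1", 1434),
    "sql_rdp": Flow("tcp", "192.168.3.10", "192.168.2.1", 3389),
    "other_ksieg": Flow("tcp", "192.168.3.10", "192.168.2.50", 445),
    "internet": Flow("tcp", "192.168.3.10", "198.51.100.7", 80),
}
# Hypothetical list for Sam's second answer, applied inbound on ksieg: hosts there may reach
# only the SQL ports on one caffe host (192.168.3.5, an assumed address) plus the internet
KSIEG_IN = """
access-list ksieg_in permit tcp 192.168.2.0 255.255.255.0 host 192.168.3.5 eq 1433
access-list ksieg_in permit udp 192.168.2.0 255.255.255.0 host 192.168.3.5 eq 1434
access-list ksieg_in deny ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list ksieg_in permit ip any any
"""
KSIEG_FLOWS = {
    "sql_tcp": Flow("tcp", "192.168.2.20", "192.168.3.5", 1433),
    "sql_rdp": Flow("tcp", "192.168.2.20", "192.168.3.5", 3389),
    "other_caffe": Flow("tcp", "192.168.2.20", "192.168.3.10", 80),
    "internet": Flow("tcp", "192.168.2.20", "198.51.100.7", 443),
}

if __name__ == "__main__":
    for label, text in (("original", ORIGINAL), ("fixed", FIXED), ("wrong order", WRONG_ORDER)):
        print(f"{label:12s}", verdicts(text, CAFFE_FLOWS))
    print(f"{'ksieg_in':12s}", verdicts(KSIEG_IN, KSIEG_FLOWS))
```

Running it shows bohateur's two original lines permitting only the SQL ports and denying everything else, including the internet flow, which is exactly the symptom in the first post. Sam's four-line version restores the internet flow while still denying other ports on the SQL server and other hosts on ksieg. The WRONG_ORDER list is the check a practitioner wants before pasting such a list in: because the first matching entry decides, "permit ip any any" placed before the deny makes the deny dead and opens all of ksieg, so the blanket permit has to be the last line. The same pattern, in the ksieg_in list, limits the higher security side to one host and two ports on caffe without cutting its internet access.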

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.