I have a PIX 515e ver 6.3 and it was set up before I got it. It has access groups and access lists already set up, but I need to add a couple more entries. Specifically, I need to open one-way inbound tcp traffic from only one IP address, and a second entry to allow two-way tcp traffic on a second port, also going to only one IP address but able to come from all inside hosts.
I'm thinking I would make the entries like this but I wasn't sure if I'm going about this right:
You can only have 1 access list per interface. The names you have used suggest that you planned to create new access lists and planned to attempt to apply these lists as well as keeping the old lists. You can't do that: one list per interface only. (In 7.x, it becomes one list per direction per interface.)
If 1111 is the destination port, the one that the remote user/program attempts to connect -to-, then
However, it is not -possible- to have "one way inbound tcp traffic". TCP *requires* that packets be sent back from the destination host to the originating host. You cannot even get a TCP connection without at least one reply packet back to the originator.
The above entry, when triggered, will automatically have the PIX open the appropriate return channel for tcp traffic.
If by "two way tcp traffic" you just mean normal TCP traffic, then the entry you showed is fine; that is,
access-list acl_out permit tcp any host REMOTEPUBLICIP2 eq 2222
You will not need a 'static' for this.
But if by "two way tcp traffic" you meant that you want that one remote host to be able to initiate connections to all of your local hosts, then you will need a little more configuration.
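An added example, not the poster's configuration, laying out the complete PIX 6.3 policy the answer above describes. It assumes placeholder addresses (REMOTEPUBLICIP1, LOCALPUBLICIP, 192.168.1.10, REMOTEPUBLICIP2) and an assumed list name acl_in for the outside interface:

```text
! Added example (not from the original post). Placeholder values assumed:
!   REMOTEPUBLICIP1 = the one remote host allowed in on tcp/1111
!   LOCALPUBLICIP   = outside address that maps to the inside server
!   192.168.1.10    = the inside server's private address
!   REMOTEPUBLICIP2 = the remote host inside users may reach on tcp/2222

! 1. A static translation gives the inside server a fixed outside address.
!    Inbound connections need one; outbound-only traffic (rule 3) does not.
static (inside,outside) LOCALPUBLICIP 192.168.1.10 netmask 255.255.255.255

! 2. The single list bound to the outside interface: only REMOTEPUBLICIP1,
!    only to the server, only on tcp/1111. The PIX opens the return path
!    for the replies itself, so no rule for the reverse direction is needed.
!    Any other inbound rules already in use must stay in this same list.
access-list acl_in permit tcp host REMOTEPUBLICIP1 host LOCALPUBLICIP eq 1111
access-group acl_in in interface outside

! 3. The single list bound to the inside interface: any inside host may
!    reach REMOTEPUBLICIP2 on tcp/2222. Because an interface takes one list,
!    every existing inside rule must remain in acl_out alongside this entry.
access-list acl_out permit tcp any host REMOTEPUBLICIP2 eq 2222
access-group acl_out in interface inside
```

Before applying, compare with `show access-group` and `show access-list` so the existing entries are added to, not replaced.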