Access List

I have a PIX 515e ver 6.3 and it was setup before I got it. It has access groups and access lists already setup but I need to add a couple more entries. Specifically I need to open one way inbound tcp traffic from only one IP address and a second entry to allow two way tcp traffic on a second port also going to only one IP address but can come from all inside hosts.

I'm thinking I would make the entries like this but I wasn't sure if I'm going about this right:

access-list acl_in_1111 permit tcp host eq 1111 host access-list acl_out_2222 permit tcp any host eq 2222

I know I can try the changes and test it but I am new to Cisco devices and just want a second or third opinion.



Reply to
Loading thread data ...

You can only have 1 access list per interface. The names you have used suggest that you planned to create new access lists and planned to attempt to apply these lists as well as keeping the old lists. You can't do that: one list per interface only. (In 7.x, it becomes one list per direction per interface.)

If 1111 is the destination port, the one that the remote user/program attempts to connect -to-, then

access-list acl_in permit tcp host REMOTEPUBLICIP host LOCALPUBLICIP eq 1111

However, it is not -possible- to have "one way inbound tcp traffic". TCP *requires* that packets be sent back from the destination host to the originating host. You cannot even get a TCP connection without at least one reply packet back to the originator.

The above entry, when triggered, will automatically have the PIX open the appropriate return channel for tcp traffic.

You should ensure that you have either

static (inside,outside) LOCALPUBLICIP LOCALPRIVATEIP netmask OR static (inside,outside) tcp LOCALPUBLICIP 1111 LOCALPRIVATEIP 1111 netmask

If by "two way tcp traffic" you just mean normal TCP traffic, then the entry you showed is fine; that is,

access-list acl_out permit tcp any host REMOTEPUBLICIP2 eq 2222

You will not need a 'static' for this.

But if by "two way tcp traffic" you meant that you want that one remote host to be able to initiate connections to all of your local hosts, then you will need a little more configuration.

Reply to
Walter Roberson Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.