Need to allow PCAnywhere traffic through PIX515e

I need help with configuring a PIX 515e to allow PCAnywhere traffic to be punched through to an internal IP address (192.168.13.5). I don't know if I just need a static (inside,outside) rule or if I will need to configure an access list as well. My preference is to only allow PCAnywhere traffic from a particular remote vendor.

Thanks a bunch for any help.

Here is my config:

sh run

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password uLC2sIgP.qj/a6Uf encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall1
domain-name xxx.com
clock timezone MST -7
clock summer-time MDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inside_outbound_nat0_acl permit ip any 192.168.1.0 255.255.255.240
access-list inside_outbound_nat0_acl permit ip any 192.168.102.192 255.255.255.224
access-list inside_outbound_nat0_acl permit ip any 192.168.1.192 255.255.255.224
access-list outside_cryptomap_dyn_100 permit ip any 192.168.1.0 255.255.255.240
access-list outside_cryptomap_dyn_120 permit ip any 192.168.102.192 255.255.255.224
access-list outside_cryptomap_dyn_140 permit ip any 192.168.1.192 255.255.255.224
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.xxx.xxx 255.255.0.0
ip address inside 192.168.0.254 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vendor 192.168.1.1-192.168.1.9 mask 255.255.0.0
ip local pool vendor 192.168.102.200-192.168.102.209 mask 255.255.0.0
ip local pool vendor 192.168.1.200-192.168.1.209 mask 255.255.0.0
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
pdm logging notifications 100
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable trap
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 100 match address outside_cryptomap_dyn_100
crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 120 match address outside_cryptomap_dyn_120
crypto dynamic-map outside_dyn_map 120 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 140 match address outside_cryptomap_dyn_140
crypto dynamic-map outside_dyn_map 140 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup XXX address-pool vendor
vpngroup XXX idle-time 1800
vpngroup XXX password ********
vpngroup vendor address-pool vendor
vpngroup xxx idle-time 1800
vpngroup vendor password ********
vpngroup vendor address-pool vendor
vpngroup vendor idle-time 1800
vpngroup xxx password ********
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:c62be99378c0aa17a0c37d2e06cd0f2c
end
pixfirewall1#
Reply to
bigl

I noticed that you currently do not have an ACL applied to your outside interface. If you cut it out of your posted config for security reasons just replace "outside_access_in" with whatever the name of the current ACL is. Is the PCAnywhere data coming from a specific host/network? If it is, replace "any" with that specific host/network.

x.x.x.x is whatever your public IP is.

static (inside,outside) x.x.x.x 192.168.13.5 netmask 255.255.255.255

access-group outside_access_in in interface outside

access-list outside_access_in permit tcp any host x.x.x.x eq pcanywhere-data
access-list outside_access_in permit udp any host x.x.x.x eq pcanywhere-status

Hope this works for you.

Reply to
bogon2827

That's correct. Add the static statement:

static (inside,outside) x.x.x.x 192.168.13.5 netmask 255.255.255.255

Create the ACL:

access-list outside_access_in permit tcp any host x.x.x.x eq pcanywhere-data
access-list outside_access_in permit udp any host x.x.x.x eq pcanywhere-status

You can replace the "any" keyword with a specific network, for example:

access-list outside_access_in permit tcp "network" "subnet-mask" host x.x.x.x eq pcanywhere-data

Apply the ACL to an interface:

access-group outside_access_in in interface outside

You can pretty much copy & paste the statements above (substitute the appropriate info).

Reply to
bogon2827
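Putting the two answers above together, here is an added example that is not from the thread or from Cisco: a Python helper that renders the static, access-list and access-group lines with the vendor's source network in place of "any" (converting a CIDR prefix to the dotted-decimal mask that PIX 6.3 expects, and refusing a 0.0.0.0/0 source because that is just "any" spelled differently), and then evaluates a few constructed flows against the resulting ACL with first-match and implicit-deny semantics. The public IP, internal host and vendor network used below are constructed documentation addresses, not values from the thread (the asker's real host is 192.168.13.5); the port numbers behind the pcanywhere-data and pcanywhere-status names are the PIX defaults (TCP 5631 and UDP 5632).

```python
import ipaddress

# Port numbers behind the PIX 6.3 named ports used in the thread (pcAnywhere defaults).
NAMED_PORTS = {"pcanywhere-data": ("tcp", 5631), "pcanywhere-status": ("udp", 5632)}


def to_pix_source(network: str) -> str:
    """Render a CIDR string in the PIX 6.3 source form: 'host a.b.c.d' for a
    single address, otherwise 'address dotted-mask'. A /0 is refused because it
    is equivalent to the 'any' keyword the asker wanted to avoid."""
    net = ipaddress.ip_network(network, strict=True)  # strict: reject host bits set
    if net.prefixlen == 0:
        raise ValueError("source is equivalent to 'any'; narrow it to the vendor's range")
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.netmask}"


def build_pcanywhere_policy(public_ip, internal_host, vendor_network, acl="outside_access_in"):
    """Emit the static NAT, the two restricted ACL entries and the access-group
    line, in the order the second answer gives them (static, ACL, then apply)."""
    src = to_pix_source(vendor_network)
    lines = [f"static (inside,outside) {public_ip} {internal_host} netmask 255.255.255.255"]
    for name, (proto, _port) in NAMED_PORTS.items():
        # The ACL on the outside interface matches the translated (public) address.
        lines.append(f"access-list {acl} permit {proto} {src} host {public_ip} eq {name}")
    lines.append(f"access-group {acl} in interface outside")
    return lines


def _parse_ace(line):
    """Parse the narrow ACE shape this example emits:
    access-list NAME permit PROTO (any | host A | A MASK) host DST eq PORTNAME."""
    tok = line.split()
    proto, i = tok[3], 4
    if tok[i] == "any":
        src, i = ipaddress.ip_network("0.0.0.0/0"), i + 1
    elif tok[i] == "host":
        src, i = ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    else:
        src, i = ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}"), i + 2  # dotted mask form
    dst, i = ipaddress.ip_address(tok[i + 1]), i + 2  # 'host DST'
    name = tok[i + 1]  # 'eq PORTNAME'
    port = NAMED_PORTS[name][1] if name in NAMED_PORTS else int(name)
    return proto, src, dst, port


def acl_permits(policy_lines, proto, src_ip, dst_ip, dst_port):
    """First-match evaluation of the permit entries; anything unmatched falls
    through to the implicit deny at the end of a PIX ACL."""
    for line in policy_lines:
        if not line.startswith("access-list"):
            continue
        p, src, dst, port = _parse_ace(line)
        if (p == proto and ipaddress.ip_address(src_ip) in src
                and ipaddress.ip_address(dst_ip) == dst and dst_port == port):
            return True
    return False


if __name__ == "__main__":
    # Constructed values: RFC 5737 documentation addresses stand in for the real ones.
    policy = build_pcanywhere_policy("198.51.100.10", "192.168.13.5", "203.0.113.0/24")
    print("\n".join(policy))
    print(acl_permits(policy, "tcp", "203.0.113.77", "198.51.100.10", 5631))  # vendor: True
    print(acl_permits(policy, "tcp", "192.0.2.9", "198.51.100.10", 5631))     # other: False
```

Two things the rendered output makes visible that the placeholders in the thread do not: the destination in the ACL is the public (translated) address, not 192.168.13.5, and the static itself exposes every port of the inside host at the NAT layer, so the ACL is the only thing keeping the exposure to the two pcAnywhere ports and the vendor's range.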

In your latest post, where it states "access-list outside_access_in permit tcp "network" "subnet-mask" host x.x.x.x eq pcanywhere-data", what do I put in the x.x.x.x part? 192.168.13.5?

Reply to
bigl

Thanks for your help, it is very much appreciated.

Reply to
bigl

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.