PIX 525: Restricting www access

Hi,

I'm new to PIX configs and I have a question. I'd like to put one of my company's intranet sites out on the internet, but I'd like only specific IP addresses to be able to connect to it. Please help me confirm if these are the right commands:

access-list outside permit tcp host 65.25.x.x host 208.242.x.x eq www
access-list outside permit tcp host 65.25.x.x host 208.242.x.x eq https

or please help me with how to accomplish what I'm trying to do. Thanks in advance!

Jon Doe

In article , Jon Doe wrote:
:I'm new to PIX configs and I have a question. I'd like to put one of my
:company's intranet sites out on the internet, but I'd like only specific IP
:addresses to be able to connect to it. Please help me confirm if these are
:the right commands:

:access-list outside permit tcp host 65.25.x.x host 208.242.x.x eq www
:access-list outside permit tcp host 65.25.x.x host 208.242.x.x eq https

Those are plausible, provided that 65.25.x.x is a remote host that you want to permit access from and 208.242.x.x is the -public- address of the local host that you want to permit access to.

You will also need

access-group outside in interface outside

(the first 'outside' being the name of the ACL.)

You will also need a 'static' command to make the connection between the public IP 208.242.x.x and the internal private IP of the appropriate computer. Even if the public IP is the same as the private IP, you will still need a 'static' command to tell the PIX that it is okay to allow the packets through:

static (inside,outside) 208.242.x.x 192.168.242.15 netmask 255.255.255.255 0 0

or

static (inside,outside) 208.242.x.x 208.242.x.x netmask 255.255.255.255 0 0

{ To be a bit more complete:

- in some cases, there is one particular form of the 'nat' command that might be useable instead of 'static'

- instead of static'ing the entire IP address, you could be more specific:

static (inside,outside) tcp 208.242.x.x www 192.168.242.15 www netmask 255.255.255.255 0 0

}
Walter Roberson
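
An offline check of the three pieces the reply above names (access-list, access-group, static), as an added example that is not part of the original thread. The `audit` helper is hypothetical and parses only the command forms shown in the thread; the remote and public addresses in the sample are constructed documentation-range placeholders.

```python
import re

# Constructed sample in the thread's command style; the remote and public
# addresses are documentation-range placeholders, not values from the thread.
SAMPLE_CONFIG = """\
access-list outside permit tcp host 198.51.100.10 host 203.0.113.20 eq www
access-list outside permit tcp host 198.51.100.10 host 203.0.113.20 eq https
access-list outside permit tcp any host 203.0.113.21 eq www
access-group outside in interface outside
static (inside,outside) 203.0.113.20 192.168.242.15 netmask 255.255.255.255 0 0
"""

ACL_RE = re.compile(r"^access-list (\S+) permit tcp (any|host \S+) host (\S+) eq (\S+)$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")
# Matches both whole-address statics and the port-specific tcp/udp form.
STATIC_RE = re.compile(r"^static \([^,]+,([^)]+)\) (?:(?:tcp|udp) (\S+) (\S+)|(\S+)) ")

def audit(config, interface="outside"):
    """Return findings for inbound TCP permits whose destination is a single host."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    # Names of ACLs actually applied inbound on the interface.
    bound = {m.group(1) for ln in lines
             if (m := GROUP_RE.match(ln)) and m.group(2) == interface}
    statics = set()  # (public_ip, port); port is None for a whole-address static
    for ln in lines:
        m = STATIC_RE.match(ln)
        if m and m.group(1) == interface:
            statics.add((m.group(2), m.group(3)) if m.group(2) else (m.group(4), None))
    findings = []
    for ln in lines:
        m = ACL_RE.match(ln)
        if not m:
            continue
        acl, src, dst, port = m.groups()
        if acl not in bound:
            findings.append(f"ACL '{acl}' is not applied with access-group on {interface}")
        if src == "any":
            findings.append(f"{dst}:{port} is open to any source")
        # Simplification: port names are compared as written (www vs 80 differ).
        if (dst, None) not in statics and (dst, port) not in statics:
            findings.append(f"{dst}:{port} has no matching static")
    return list(dict.fromkeys(findings))  # de-duplicate, keep order

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```
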

Ok it worked. Thanks much!

Jon Doe
