What would an access-list command look like to allow incoming https from a specific IP address going to all clients on the network?
Thanks,
Paul
Also... would it be a good idea to use the established command for incoming ports? All the connections would be initiated from the inside, on my end.
Paul
So you would want HTTPS connections from the internet to be NAT'd to all workstations in your network?
permit tcp host specific any eq https
No. Besides auth in response to smtp/irc/..., established is not needed.
That's not the way the Internet works.
access-list permit tcp host x.x.x.x any eq https
Please note that this is only the ACL; you will still need to create static entries for NAT translations to all hosts you want to NAT in this situation.
If you have a substantial list of hosts, you could use object-groups or use bi-directional NAT statements and a clearly defined nat ACL.
If the connections are established from the inside, there is no need to open 443 (HTTPS) at all. By default, the PIX permits all outbound connections, and blocks all incoming (if initiated from the outside).
If you initiate from the inside, the PIX has a function called the ASA (Adaptive Security Algorithm) which makes a stateful connection, ensuring that responses to connections established from the inside are permitted back in. For instance, you could have an inbound ACL which denied everything, and connections originating from the inside would still permit the return traffic.
The only thing that would need to be configured on a new PIX to permit outbound connections would be to set up global NAT settings.
Ryan
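As an added example that is not part of the thread, here is a PIX 6.x-style configuration covering both cases Ryan describes: outbound-only HTTPS (nothing to open) and inbound HTTPS from one trusted address, which needs a static translation as well as the ACL. All IP addresses, the ACL name `outside_in` and the interface names are placeholders.

```cisco
! Added example (not from the thread). PIX 6.x syntax; every address, the ACL
! name and the interface names are placeholders.

! Case 1: workstations only initiate HTTPS outbound. Nothing inbound is opened.
! PAT on the outside interface plus the ASA's stateful tracking lets the
! replies back in; an inbound ACL that denies everything would still work.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! Case 2: one trusted outside host (203.0.113.10, placeholder) must reach
! HTTPS on an inside workstation. The ACL alone does nothing without a
! static translation: global 192.0.2.50 on the outside maps to 10.0.0.50 inside.
! Repeat one static line per workstation that must be reachable.
static (inside,outside) 192.0.2.50 10.0.0.50 netmask 255.255.255.255

! On PIX 6.x the inbound ACL matches the translated (global) address, not the
! inside address. Restrict the source to the single trusted host.
access-list outside_in permit tcp host 203.0.113.10 host 192.0.2.50 eq https
! Explicit final deny so "show access-list" hit counters show what was dropped.
access-list outside_in deny ip any any

! Apply the ACL to traffic entering the PIX on the outside interface.
access-group outside_in in interface outside
```

The permitted connection and its return packets can be checked with `show conn` and the ACL hit counters with `show access-list`.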