Tommy 2002-06-19, 12:29 pm
I have a device that has a real-world IP address on it, let's say it's 10.0.0.125 with a mask of 255.255.255.240, that sits in a remote city. Now I have a PIX firewall that protects my corp LAN, but I want the PIX to open all ports for that IP address. So if I am on my corp LAN and I want to connect to the 10.0.0.125 device (a print server), then I can without the PIX blocking it. Is this possible?
cahillrobert 2002-06-19, 2:24 pm
10.0.0.125 PC on Internal Network
----+------------------------------
Router (Corp1) Internal
----+----
PIX (Probably NAT)
----+---
Router External
----+----
Internet (Outside Global)
----+------------------------------
Router External
----+---
PIX (This is where the concern is)
----+---
Router (Corp2) Internal Network
----+-------------+----------------
Printer
Is this the scenario you are describing?
beenframed 2002-06-21, 10:08 pm
When you say real-world IP address, do you mean a public address? (10.0.0.25 is a private address.) If the device has a public address then my answer for you is this:
By default the PIX blocks all inbound connections and permits all outbound connections. If you haven't added any outbound-denying access-lists to your PIX and the device has a public IP address, you should be able to access it without making any modifications to your firewall rule sets.
If the device sits behind another firewall, you will need to modify the firewall (at the remote site) to allow inbound connections (default inbound: deny all; default outbound: permit all) with the proper static commands and conduits (access-list).
Your static command looks like this:
static (inside,outside) xxx.xxx.xxx.xxx (public IP) xxx.xxx.xxx.xxx (private IP) netmask 255.255.255.255 0 0
and your conduit statement looks like:
conduit permit tcp host xxx.xxx.xxx.xxx (public address) any
That should do it. You may want to follow those commands with a clear xlate, clear arp and a write mem.
-bf
chodan 2002-07-04, 8:07 am
I had to do something similar at work.
We have people in accounting who have access to a mainframe at the university.
They need to print locally though.
So I took an internal printer address and did a
static (inside,outside) 211.51.61.11 10.1.1.11 netmask 255.255.255.0
"not our addresses mind you"
Instead of a conduit command I did an access list; both work fine.
Cisco has been claiming to get rid of the conduit command for years hehe, so I'm getting out of the habit.
I gave the global address to the mainframe admin and shazam, it worked.
Kind of weird, in order to print locally we have to set up a printer in another city.
Oh well, that's the kind of stuff you get into.
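Both answers above end up with a host static reachable from any outside source on every port, one via a conduit and one via an access-list. As an added example (not posted by anyone in the thread), this Python audits a constructed PIX 6.x configuration fragment and flags exactly those statics, which is the check a reviewer of the corp-side PIX would want to run. The addresses and config lines are constructed for the example.

```python
import re

# Constructed PIX 6.x configuration fragment (not from the thread): one host
# static exposed on all TCP ports, one narrowed to the printer port only.
SAMPLE_CONFIG = """\
static (inside,outside) 203.0.113.11 10.1.1.11 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.12 10.1.1.12 netmask 255.255.255.255 0 0
conduit permit tcp host 203.0.113.11 any
access-list outside_in permit tcp any host 203.0.113.12 eq 9100
access-group outside_in in interface outside
"""

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)")
# conduit permit <proto> host <global> [eq <port>] <foreign>
CONDUIT_RE = re.compile(r"^conduit permit (\w+) host (\S+)(?: eq (\S+))? (\S+)")
# access-list <name> permit <proto> <source> host <global> [eq <port>]
ACL_RE = re.compile(r"^access-list (\S+) permit (\w+) (\S+) host (\S+)(?: eq (\S+))?")


def parse_statics(config):
    """Map global (outside) address -> local (inside) address for host statics."""
    statics = {}
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m and m.group(5) == "255.255.255.255":
            statics[m.group(3)] = m.group(4)
    return statics


def exposed_all_ports(config):
    """Return (global, local, rule) for host statics that a conduit or an
    access-list entry opens on every port of a protocol from any source.
    Only the 'any'-source forms are recognised; other source specs are skipped."""
    statics = parse_statics(config)
    findings = []
    for line in config.splitlines():
        line = line.strip()
        m = CONDUIT_RE.match(line)
        if m and m.group(2) in statics and m.group(3) is None and m.group(4) == "any":
            findings.append((m.group(2), statics[m.group(2)], line))
            continue
        m = ACL_RE.match(line)
        if m and m.group(4) in statics and m.group(5) is None and m.group(3) == "any":
            findings.append((m.group(4), statics[m.group(4)], line))
    return findings


if __name__ == "__main__":
    for glob, local, rule in exposed_all_ports(SAMPLE_CONFIG):
        print(f"{glob} -> {local} open on all ports by: {rule}")
```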