I need to allow the following:
any host coming in, going to x.x.38.16 on port 389, route to x.x.38.16
any host coming in, going to x.x.38.16 on port 443, route to x.x.38.17
This worked ok with the partial config shown below. My problem is that I need to allow a master backup host to access all systems on ports 512 thru 5000. This is where I have trouble with x.x.38.17. I don't have the backup software, so I set up webservers using ports 80 through 90 so I could test the port range. I also allowed any host instead of a specific host. I added the following statements to the partial config:
access-list acl_out permit tcp any host 164.117.38.17 range 80 90
access-list acl_out permit tcp any host 164.117.38.16 range
This didn't work. However, when I use the 2 above access lists without the range and just "eq 80", "eq 81", etc., it works. This leads me to believe that I would have to have 4088 separate access lists. Is this right? Cisco claims it is, but I was hoping that someone out there might have a better idea. I would appreciate any help and suggestions.
tks,
Yowza
Partial config:
PIX Version 6.1(3)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
fixup protocol http 80
no fixup protocol h323 1720
no fixup protocol skinny 2000
no fixup protocol sip 5060
no fixup protocol smtp 25
no fixup protocol rsh 514
no fixup protocol ftp 21
no fixup protocol sqlnet 1521
no fixup protocol rtsp 554
names
access-list acl_out permit tcp any host 164.117.38.17 eq 389
access-list acl_out permit tcp any host 164.117.38.17 eq 443
access-list acl_out permit tcp any host 164.117.38.16 eq 389
access-list acl_out permit tcp any host 164.117.38.16 eq 443
pager lines 24
logging on
logging timestamp
logging buffered debugging
logging trap debugging
logging history debugging
logging host intf2 192.168.0.2
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside x.x.38.x 255.255.255.0
ip address inside 161.x.x.x 255.255.255.0
ip address intf2 192.x.x.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
arp timeout 14400
global (outside) 100 x.x.38.16
nat (inside) 100 x.x.x.20 255.255.255.255 0 0
nat (inside) 100 x.x.x.110 255.255.255.255 0 0
nat (intf2) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp x.x.38.16 389 x.x.x.20 389 netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.38.16 443 x.x.x.110 443 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
access-group acl_inside in interface inside
route outside 0.0.0.0 0.0.0.0 x.x.38.17
****************************************************
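One check worth running against a PIX 6.x config like the one above: an access-list permit applied inbound on the outside interface only delivers traffic to an inside host when a translation (a `static`) exists for that destination address and port, so a port-range permit does nothing for ports that the statics do not translate. The script below is an added example, not part of the original post or Cisco's own tooling; it parses `static (inside,outside) tcp ...` and `access-list ... permit tcp ... host ... eq|range ...` lines from a constructed sample config (documentation addresses, not the poster's) and lists every permitted destination port that has no matching static.

```python
"""Cross-check PIX 6.x outside ACL permits against static port translations.

Added example for this thread (not the original post's code).  Assumes the
PIX 6.x syntax shown in the thread: per-port tcp statics and access-list
permits with 'eq N' or 'range A B' destination port specs.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample in the style of the thread's partial config
# (RFC 5737 / RFC 1918 addresses, not the poster's real ones).
SAMPLE_CONFIG = """\
access-list acl_out permit tcp any host 192.0.2.16 eq 389
access-list acl_out permit tcp any host 192.0.2.16 eq 443
access-list acl_out permit tcp any host 192.0.2.16 range 80 90
static (inside,outside) tcp 192.0.2.16 389 10.0.0.20 389 netmask 255.255.255.255 0 0
static (inside,outside) tcp 192.0.2.16 443 10.0.0.110 443 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
"""

STATIC_RE = re.compile(
    r"^static \((?P<hi>\w+),(?P<lo>\w+)\) tcp (?P<gip>\S+) (?P<gport>\d+) "
    r"(?P<lip>\S+) (?P<lport>\d+) netmask")
ACL_RE = re.compile(
    r"^access-list (?P<name>\S+) permit tcp (?P<src>.+?) host (?P<dst>\S+) "
    r"(?P<ports>eq \d+|range \d+ \d+)$")


def expand_ports(spec: str) -> Set[int]:
    """Turn 'eq 80' into {80} and 'range 80 90' into {80, ..., 90}."""
    parts = spec.split()
    if parts[0] == "eq":
        return {int(parts[1])}
    lo, hi = int(parts[1]), int(parts[2])
    return set(range(lo, hi + 1))


def parse_statics(config: str) -> Dict[Tuple[str, int], Tuple[str, int]]:
    """Map (global ip, global port) -> (local ip, local port) for tcp statics."""
    statics: Dict[Tuple[str, int], Tuple[str, int]] = {}
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            statics[(m["gip"], int(m["gport"]))] = (m["lip"], int(m["lport"]))
    return statics


def parse_acl_permits(config: str, acl_name: str) -> List[Tuple[str, str, Set[int]]]:
    """Collect (source spec, destination host, destination ports) from one ACL."""
    permits = []
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m and m["name"] == acl_name:
            permits.append((m["src"], m["dst"], expand_ports(m["ports"])))
    return permits


def untranslated_permits(config: str, acl_name: str) -> List[Tuple[str, int]]:
    """Destination (ip, port) pairs the ACL permits but no static translates."""
    statics = parse_statics(config)
    missing = []
    for _src, dst, ports in parse_acl_permits(config, acl_name):
        for port in sorted(ports):
            if (dst, port) not in statics:
                missing.append((dst, port))
    return missing


if __name__ == "__main__":
    # On the sample, the eq 389 / eq 443 permits are backed by statics; the
    # range 80 90 permit is not, so all eleven of its ports are reported.
    for dst, port in untranslated_permits(SAMPLE_CONFIG, "acl_out"):
        print(f"permitted but no static: {dst}:{port}")
```

Run it against a saved `show run` (replace `SAMPLE_CONFIG` with the file contents) to see which permitted ports are dead on arrival; on the sample it reports 192.0.2.16 ports 80 through 90, while 389 and 443 are silent because their statics exist. The check is also a useful hygiene pass in the other direction: a permit that no static backs is a rule that can be tightened or removed.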