Cisco Pix 506e

Status
Not open for further replies.

aurura

MIS
May 18, 2004
1
CA
I am a newbie to the Pix Firewalls. I have a very simple question: How can I open a port fully? What is the command to do that?
 
Unfortunately, aurura, the answer isn't so simple. It depends upon which direction you want traffic to be allowed, the interface through which the traffic flows, and the source and destination.

NAT (Network Address Translation) and security levels (with the PIX) also play a big part. With security levels you could have 2 interfaces:

e1 (inside) - perhaps your company network
e0 (outside) - connected to an ADSL router

By default e0 would be security 0 and e1 security 100. As long as a route is present, traffic from e1 to e0 would be allowed through the PIX (stateful filtering allows the PIX to remember what went out, and when a packet is sent back, depending on what you're allowing through, the packet is either dropped or sent through). In a nutshell, traffic coming in the other direction would just be dropped; this is because of security levels.

Access-lists are the best way to open specific ports using the above. For example, to allow hosts to connect on port 80 from e0 to a web server on the e1 interface would require a static command:

static (inside, outside) outside.ip.address.here netmask inside.ip.address.here netmask

You could use 0.0.0.0 0.0.0.0 instead of specific IP addresses to state all hosts.

An access-list is then used to open your ports, which is then grouped to an interface.

Could you be a bit more specific about what you're trying to do?

A simple example would be to allow all hosts connected on 1 interface access
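
The three steps described in the reply above (static translation, access-list, binding the list to an interface), written out for the port 80 case in PIX 6.x syntax. This is an added example, not part of the original posts; the addresses 203.0.113.10 (outside) and 192.168.1.10 (inside web server) and the list name outside_in are constructed placeholders.

```cisco
: Added example, not from the thread. Addresses and the ACL name are
: constructed placeholders. Lines starting with a colon are comments.

: Interface names and security levels as described in the reply
nameif ethernet0 outside security0
nameif ethernet1 inside security100

: 1. Static translation: publish the inside web server on one outside address
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255

: 2. Access-list: permit only TCP port 80 to the translated address
access-list outside_in permit tcp any host 203.0.113.10 eq www

: 3. Group the access-list to the outside interface, inbound direction
access-group outside_in in interface outside

: For contrast, a rule that opens everything to the published host.
: It exposes every service on the server, not just the web port, so it
: is left commented out here:
:   access-list outside_in permit ip any host 203.0.113.10
```

Anything not matched by a permit line is dropped by the implicit deny at the end of the access-list, so `show access-list outside_in` hit counts are a quick check that only the intended port is receiving traffic.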
 