Conduit question by newbie

[pmandra]

Hi,

I need to let a public ip address (let's use 5.5.5.5) from outside the network into our public network through our Pix firewall. Would this command allow such a thing?


conduit permit tcp any host 5.5.5.5

 

[Supergrrover]

The best way is to do an access control list and a static mapping. I would stay away from conduits, not as much control and Cisco is trying to convert to ACLs.

access-list inbound permit tcp any host [ExternalIP] eq [port#]
access-list inbound deny ip any any
access-group inbound in interface outside
static (inside,outside) tcp [ExternalIP] [port#] [InternalIP] [port#] netmask 255.255.255.255



Brent
Systems Engineer / Consultant
CCNP, CCSP

 

[pmandra]

Thank you very much. A quick follow-up relating to this line:

static (inside,outside) tcp [ExternalIP] [port#] [InternalIP] [port#] netmask 255.255.255.255

Is the [Intenral IP] any available ip address on my private (i.e, 192.168.x.x) network, or is this something else?

 

[Supergrrover]

It is the IP of the internal server that doing web, email, whatever service that you are providing to the outside world.

Or are you talking about a VPN? (where you are letting someone external to your network act as though they are inside your firewall)

Totally different setups.


Brent
Systems Engineer / Consultant
CCNP, CCSP