
How to allow a VPN user to access only one server inside the PIX?


drmohlen

Technical User
Jan 12, 2006
I was wondering if anyone can give me some clues on how I can add a Translation Rule (or Access rule) to allow a VPN user with public IP address of 83.x.x.x to access only one server with IP address of 192.x.x.x inside the PIX515e.

Many Thanks
 
access-list outside-in permit ip 83.x.x.x 192.x.x.x
access-group outside-in in interface outside

Your static will depend on how the host 192.x.x.x should appear to the outside world. If you want it to appear as its real address, you can do the following:

static (inside,outside) 192.x.x.x 192.x.x.x netmask 255.255.255.255
 
I am getting the following error message after inserting the first line:
access-list outside-in permit ip 83.x.x.x 192.x.x.x

ERROR: Source address,mask <83.x.x.x,192.x.x.x> doesn't pair
Usage: [no] access-list compiled

access-group outside-in in interface outside already exists in the configuration.
Any idea what do I need to do?
 
Put "host" before each address, or use appropriate subnet masks.
 
OK this was very helpful for me.

But I also have some mobile users wanting to connect through VPN, so they don't have fixed IPs.

So I've put the following lines in:

access-list outside-in permit ip any host x.x.x.x
access-group outside-in in interface outside

It works like a charm, but I'm wondering if I did this right concerning security. Did I open too much this way?

Thanks in advance for your wisdom :)

 

Hmm, I found out that after adding the lines in the above post, our website was unreachable. So I suspect the "any" was redirecting all traffic to x.x.x.x. Can someone confirm this?
 
Yes,
The any IP will allow all IP traffic to that destination and no other. The Statics actually do the redirection, the ACL just allows it to happen.

Just allow whatever you want specifically.
You want to change the ACL to allow the IP pool for your VPN users access.

access-list outside-in permit ip 192.168.12.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list outside-in permit tcp any host External IP eq 80

- where 192.168.12.0 is the IP pool you gave your vpn users and 10/24 is the internal network.


Brent
Systems Engineer / Consultant
CCNP, CCSP
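As an added example (not from this thread or from Cisco), here is a small Python model of how the PIX evaluates an interface access-list: first match wins, and anything matching no entry hits the implicit deny at the end of the applied access-group. Statics/NAT and conduits are deliberately left out of the model; all addresses are constructed placeholders (VPN-only server 192.0.2.50, public web server 203.0.113.10, VPN pool 192.168.12.0/24, internal LAN 10.0.0.0/24). It reproduces the "doesn't pair" rejection of the bare address pair and shows why a list holding only `permit ip any host ...` leaves the web server unreachable.

```python
import ipaddress

def _parse_addr(tokens):
    """Consume one address spec: 'any', 'host A', or 'A NETMASK'."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1]), tokens[2:]
    # Bare 'A NETMASK' form: a second address (or a non-address) where the
    # mask belongs is what the PIX rejects with "... doesn't pair".
    pair = tokens[:2]
    try:
        return ipaddress.IPv4Network(tuple(pair), strict=False), tokens[2:]
    except ValueError:
        raise ValueError("address,mask <%s> doesn't pair" % ",".join(pair))

def parse_ace(line):
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT]'."""
    t = line.split()
    if t[:1] != ["access-list"] or t[2] not in ("permit", "deny"):
        raise ValueError("not an access-list entry: " + line)
    src, rest = _parse_addr(t[4:])
    dst, rest = _parse_addr(rest)
    port = int(rest[1]) if rest[:1] == ["eq"] else None
    return {"action": t[2], "proto": t[3], "src": src, "dst": dst, "port": port}

def ace_error(line):
    """Return the PIX-style error text for a line, or None if it parses."""
    try:
        parse_ace(line)
        return None
    except ValueError as exc:
        return str(exc)

def evaluate(acl, proto, src, dst, dport=None):
    """First matching entry wins; traffic matching no entry hits the implicit
    deny that ends every applied access-group (the web server outage above)."""
    src_ip, dst_ip = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for ace in acl:
        if ace["proto"] in ("ip", proto) and src_ip in ace["src"] \
                and dst_ip in ace["dst"] and ace["port"] in (None, dport):
            return ace["action"] == "permit"
    return False

# Constructed placeholder lists: the "any" list that caused the outage, and the
# VPN-pool-plus-web-only list suggested in the thread.
ONLY_ANY = [parse_ace("access-list outside-in permit ip any host 192.0.2.50")]
FIXED = [parse_ace("access-list outside-in permit ip 192.168.12.0 255.255.255.0 "
                   "10.0.0.0 255.255.255.0"),
         parse_ace("access-list outside-in permit tcp any host 203.0.113.10 eq 80")]
```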
 

Thanks a lot. This is exactly what I needed.

It turns out that this PIX was set up with the older "conduit" method and the access-list was overriding all the conduits. I now see that the port forwarding can also be done with this list.

I'm going to have to re-set it up, I guess.
 
May I ask a similar question with a similar scenario, but this time I would like to give an outside IP address of 83.x.x.x access to a server on our DMZ with the IP address of 192.168.10.14? I know it would be very similar to the above, but I would like to make sure I am applying the correct changes to the live PIX!

 