
Would like a range of 20 PCs to access the internet via the PIX

Status
Not open for further replies.

geranimo666

Technical User
Sep 19, 2006
195
US
Hello-

So what is the best way of doing this...

I have appointed 20 PCs static IPs in the 10.1.23.x range and they need to get out to the web for various reasons. Would this be an extended access-list? A static route? Not sure what the right method is here. The perimeter router lets traffic outside from what I can tell, and I do feel I'd need to make these entries at the router (I could be wrong here), but what could I do at the PIX 515 to try it at least?

Thanks for any info
geranimo
 
One line for each IP.
access-list outbound permit host 10.1.23.x any

access-group outbound in interface inside

Or if you want to restrict it to certain ports - one for each port and IP combination:
access-list outbound permit host 10.1.23.x any eq 80 (or whatever port # you need)


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Hey thanks Brent

For the second option concerning ports, would I need to also apply it to the interface "inside"?

Thanks again

geranimo
 
Yes. It would be the same. It restricts traffic inbound to that interface.


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
All-

I typed the commands above but I receive an error:
pix2(config)# access-list 101 permit host 10.1.23.125 any eq 80
ERROR: invalid protocol host
Usage: [no] access-list compiled
[no] access-list deny-flow-max <n>
[no] access-list alert-interval <secs>
[no] access-list <id> object-group-search
[no] access-list <id> compiled
[no] access-list <id> [line <line-num>] remark <text>
[no] access-list <id> [line <line-num>] deny|permit
<protocol>|object-group <protocol_obj_grp_id>
<sip> <smask> | interface <if_name> | object-group <network_obj_grp_id>
[<operator> <port> [<port>] | object-group <service_obj_grp_id>]
<dip> <dmask> | interface <if_name> | object-group <network_obj_grp_id>
[<operator> <port> [<port>] | object-group <service_obj_grp_id>]
[log [disable|default] | [<level>] [interval <secs>]]
[no] access-list <id> [line <line-num>] deny|permit icmp
<sip> <smask> | interface <if_name> | object-group <network_obj_grp_id>
<dip> <dmask> | interface <if_name> | object-group <network_obj_grp_id>
[<icmp_type> | object-group <icmp_type_obj_grp_id>]
[log [disable|default] | [<level>] [interval <secs>]]
Restricted ACLs for route-map use:


I used both types --> just "permit host any" and the more specific "any eq 80". Received the same error; thinking there is a syntax issue.

Thanks for any support
geranimo
 
It should be

access-list 101 permit tcp host 10.1.23.125 any eq 80
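Added here as an illustration, not part of the thread: the complete PIX-side configuration for the 20 hosts, using a network object-group so each service is permitted once rather than once per PC. The group name, the host addresses and the DNS allowance are assumptions.

```cisco
! Constructed example, not from the thread. Group the 20 static hosts
! so every permit line is written once instead of twenty times.
object-group network WEB_CLIENTS
  network-object host 10.1.23.125
  network-object host 10.1.23.126
  ! ... one "network-object host" line per PC, 20 in total

! The protocol keyword (tcp, udp or ip) is mandatory after "permit";
! leaving it out is what produces "ERROR: invalid protocol host".
access-list outbound permit tcp object-group WEB_CLIENTS any eq 80
access-list outbound permit tcp object-group WEB_CLIENTS any eq 443

! Browsing also needs name resolution; only required if the resolver
! sits beyond the PIX (assumed here).
access-list outbound permit udp object-group WEB_CLIENTS any eq 53

! Everything else leaving the inside is dropped. The ACL already has an
! implicit deny; the explicit entry with "log" makes the drops visible
! in syslog, which is what you want when a non-listed PC tries to get out.
access-list outbound deny ip any any log

! Bind the ACL to traffic entering the inside interface. Without this
! line the access-list exists but filters nothing.
access-group outbound in interface inside
```

The ACL only decides what is allowed; the hosts still need a translation (nat/global, or nat 0 if no address translation is wanted) to reach the outside interface at all.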
 