if someone fixes the command inside I shut up for 1 week ;P

Status
Not open for further replies.

caswcu

Technical User
Feb 16, 2005
93
US
2.3.4.5 is a public IP.

192.168.1.150 is behind the PIX 506E.

I want to only allow addresses that begin with 69.248 and on subnet 255.255.248.0 in.

Also, any security risks below?

static (inside,outside) tcp 2.3.4.5 22011 192.168.1.150 22011 netmask 255.255.255.255 0 0

access-list UPS_Outside permit tcp 69.248.0.0 255.255.248.0 host 2.3.4.5 eq 22011

access-group UPS_Outside in interface outside
 
And what is your question again? The commands stated here are fine. Is this not working, or what?

Anytime you open up a port in a firewall there is a security risk; you just need to take a broader look at what is behind that firewall and secure that as well as possible.

One thing to remember is that once that hole is punched in the firewall, the security perimeter is effectively moved to the host running the software listening on port 22011 and if it is badly written/has flaws the firewall is no use.

Jan


Network Systems Engineer
CCNA/CQS/CCSP/Infosec
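
An added example, not part of either post: a Python check of which source addresses the posted access-list entry matches, useful for confirming an ACE's scope before applying it. The parser handles only the ACE form shown in the thread, the function names are illustrative, and the sample source addresses are constructed.

```python
import ipaddress

# ACE copied from the post. PIX ACLs take a subnet mask, not an IOS-style wildcard mask.
ACL_LINE = ("access-list UPS_Outside permit tcp 69.248.0.0 255.255.248.0 "
            "host 2.3.4.5 eq 22011")

def parse_pix_ace(line):
    """Parse only the ACE form used in the thread:
    access-list NAME ACTION PROTO SRC_NET SRC_MASK host DST eq PORT"""
    t = line.split()
    if len(t) != 10 or t[0] != "access-list" or t[6] != "host" or t[8] != "eq":
        raise ValueError("unsupported ACE form: " + line)
    return {
        "action": t[2],
        "proto": t[3],
        # strict=True rejects a network address with host bits set under the mask
        "src": ipaddress.ip_network(f"{t[4]}/{t[5]}", strict=True),
        "dst": ipaddress.ip_address(t[7]),
        "port": int(t[9]),
    }

def source_range(ace):
    """Return (CIDR, first address, last address, address count) of the source match."""
    net = ace["src"]
    return str(net), str(net[0]), str(net[-1]), net.num_addresses

def evaluate(ace, src, dst, port, proto="tcp"):
    """Return the ACE action on a match, otherwise the ACL's implicit deny."""
    hit = (proto == ace["proto"]
           and ipaddress.ip_address(src) in ace["src"]
           and ipaddress.ip_address(dst) == ace["dst"]
           and port == ace["port"])
    return ace["action"] if hit else "deny"

if __name__ == "__main__":
    ace = parse_pix_ace(ACL_LINE)
    print("source match:", source_range(ace))
    # Constructed sample sources, all sent to 2.3.4.5 on tcp/22011
    for src in ("69.248.3.10", "69.248.7.255", "69.248.8.1", "69.248.200.5", "70.1.1.1"):
        print(f"{src:<14} -> {evaluate(ace, src, '2.3.4.5', 22011)}")
    # Same permitted source, different destination port
    print("69.248.3.10 to port 22 ->", evaluate(ace, "69.248.3.10", "2.3.4.5", 22))
```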
 