Tek-Tips Forums

llyodsev: need your advice


caswcu (Technical User), Feb 16, 2005
I was thinking about what you said yesterday

Here is a snippet of our config on the PIX 506E. IP addresses are changed to protect the innocent :)

ip address outside 2.3.4.6 255.255.255.224
route outside 0.0.0.0 0.0.0.0 2.3.4.5 1

We own IP addresses 2.3.4.6-2.3.4.36. I just noticed that the route outside line is not correct, or I misunderstand route outside.

Anyhow, say I want to take IP 2.3.4.9 and have all incoming traffic go to a machine inside on 192.168.1.150. Would I use the below and modify it?

access-list UPS_Outside permit tcp 69.248.0.0 255.255.248.0 host 2.3.4.9 eq 22011

access-group UPS_Outside in interface outside

static (inside,outside) tcp interface 22011 192.168.1.150 22011 netmask 255.255.255.255 0 0
 
You would remove the port #s if you wanted all traffic to go to one machine, and then change "interface" to 2.3.4.9 and obviously change the ACL accordingly.

Computer/Network Technician
CCNA
 
I would change the word interface in the static and access-group, correct? And I only want 22011 open, that's it.

I appreciate your help.
 
Yes, just change the word interface to the external IP you want, and then change it accordingly in the ACL.

Computer/Network Technician
CCNA
 
OK, almost there. Why does the "this doesn't" section not work?

2.3.4.5 is a public IP

192.168.1.150 is internal

This works:

static (inside, outside) 2.3.4.5 192.168.1.150
access-list UPS_Outside permit tcp any host 2.3.4.5 eq 22011
access-group UPS_Outside in interface outside


This doesn't:
static (inside, outside) 2.3.4.5 192.168.1.150
access-list UPS_Outside permit tcp 69.248.0.0 255.255.248.0 host 2.3.4.5 eq 22011
access-group UPS_Outside in interface outside
 
Well, that shouldn't work either way, as you're missing the "netmask 255.255.255.255" statement on them both.


The only reason I can see why the one does not work is that the subnet mask or IP range must be incorrect, as that is the only difference between the two.

That's where I'd look, as that is where the problem is.

Computer/Network Technician
CCNA
 
OK, the problem lies in the subnet range...

69.248.0.0 255.255.240.0 would include IPs starting from 69.248.0.0 to 69.248.15.255


We need to know which actual subnet you are trying to connect with. My guess is it isn't 69.248.0.0, but another subnet like 69.248.16.0.

Computer/Network Technician
CCNA
 
static (inside,outside) tcp 2.3.4.5 22011 192.168.1.150 22011 netmask 255.255.255.255 0 0
access-list UPS_Outside permit tcp 69.248.112.0 255.255.248.0 host 2.3.4.5 eq 22011
access-group UPS_Outside in interface outside

Computer/Network Technician
CCNA
 
I'm sorry... the ACL is wrong.

access-list UPS_Outside permit tcp 69.248.112.0 255.255.240.0 host 2.3.4.5 eq 22011

Computer/Network Technician
CCNA
 
OK, this is great. I'll have to test it Monday. Can you explain really quickly why it's 69.248.112.0 instead of the generic 69.248.0.0? What if I want to allow all IPs in the range of 69.248.0.0 - 69.248.255.255?
 
I guess it's all relative to this:

Netmask 255.255.255.240 /28 (11111111.11111111.11111111.11110000)
16 subnets:
x.x.x.0 - x.x.x.15
x.x.x.16 - x.x.x.31
x.x.x.32 - x.x.x.47
x.x.x.48 - x.x.x.63
x.x.x.64 - x.x.x.79
x.x.x.80 - x.x.x.95
x.x.x.96 - x.x.x.111
x.x.x.112 - x.x.x.127
x.x.x.128 - x.x.x.143
x.x.x.144 - x.x.x.159
x.x.x.160 - x.x.x.175
x.x.x.176 - x.x.x.191
x.x.x.192 - x.x.x.207
x.x.x.208 - x.x.x.223
x.x.x.224 - x.x.x.239
x.x.x.240 - x.x.x.255
 
To allow all addresses from 69.248.0.0 - 69.248.255.255, your subnet mask would be 16 bits or 255.255.0.0.

 
Yes, that would be easy enough, but I don't think he wants to allow all of that traffic in.

But if he does, more power to him.

caswcu, when you allow 60.248.0.0 255.255.240.0, it only allows 60.248.0.0 to 60.248.15.255

This is why you start at 112, so it allows the specific range that you are being allocated.

It's close to what you showed, but with 20 bits instead. It gives 16 subnets, but much larger ones.

Computer/Network Technician
CCNA
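The two explanations above (why 69.248.0.0 255.255.240.0 stops at 69.248.15.255, and why the entry has to start at 112 to cover the allocated block) come down to how an ACL entry's address and mask select a range, and which of the posted access-list lines would then match a given connection. The following is an added example written for this page, not Cisco code or anything posted in the thread: it evaluates PIX-style access-list lines modeled on the ones above against a constructed client address, 69.248.120.33, which is an assumed host inside 69.248.112.0/20 rather than an address from the thread. PIX access-lists take ordinary subnet masks (not the inverted wildcard masks IOS uses) and end in an implicit deny, and the evaluator reflects both.

```python
import ipaddress

# Added example for this thread: a small evaluator for PIX-style access-list
# entries.  Not Cisco code.  The ACL lines are constructed from the ones posted
# above; CLIENT is an assumed vendor host inside 69.248.112.0/20.


def _take_addr(tokens, i):
    """Consume one PIX address spec ('any', 'host X', or 'NET MASK') at tokens[i].

    PIX ACLs use ordinary subnet masks (255.255.240.0), not the inverted
    wildcard masks IOS uses, so 'NET MASK' maps straight onto a network.
    """
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # strict=False: matching is (address AND mask), so '69.248.5.0 255.255.240.0'
    # selects the same block as 69.248.0.0/20.
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(line):
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT]' into a dict."""
    t = line.split()
    if len(t) < 5 or t[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    src, i = _take_addr(t, 4)
    dst, i = _take_addr(t, i)
    port = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return {"name": t[1], "action": t[2], "proto": t[3],
            "src": src, "dst": dst, "port": port}


def acl_range(spec):
    """First and last address that a 'NET MASK' / 'host X' / 'any' spec covers."""
    net, _ = _take_addr(spec.split(), 0)
    return str(net[0]), str(net[-1])


def acl_permits(acl_lines, src_ip, dst_ip, dst_port, proto="tcp"):
    """Walk the ACL top-down, first match wins; no match is the implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in map(parse_ace, acl_lines):
        if ace["proto"] not in ("ip", proto):
            continue
        if src in ace["src"] and dst in ace["dst"] and ace["port"] in (None, dst_port):
            return ace["action"] == "permit"
    return False


# Constructed ACLs modeled on the thread's "this works" / "this doesn't" / fixed lines.
WORKS = ["access-list UPS_Outside permit tcp any host 2.3.4.5 eq 22011"]
BROKEN = ["access-list UPS_Outside permit tcp 69.248.0.0 255.255.248.0 host 2.3.4.5 eq 22011"]
FIXED = ["access-list UPS_Outside permit tcp 69.248.112.0 255.255.240.0 host 2.3.4.5 eq 22011"]
CLIENT = "69.248.120.33"  # assumed vendor host inside 69.248.112.0/20


if __name__ == "__main__":
    for label, spec in [("broken /21", "69.248.0.0 255.255.248.0"),
                        ("/20 at .0", "69.248.0.0 255.255.240.0"),
                        ("fixed /20", "69.248.112.0 255.255.240.0"),
                        ("whole /16", "69.248.0.0 255.255.0.0")]:
        first, last = acl_range(spec)
        print(f"{label:>10}: {spec} covers {first} - {last}")
    for label, acl in [("works", WORKS), ("broken", BROKEN), ("fixed", FIXED)]:
        ok = acl_permits(acl, CLIENT, "2.3.4.5", 22011)
        print(f"{label:>10}: {CLIENT} -> 2.3.4.5:22011 permitted = {ok}")
    print(f"     fixed: {CLIENT} -> 2.3.4.5:22 permitted = "
          f"{acl_permits(FIXED, CLIENT, '2.3.4.5', 22)}")
```

Running it shows the broken entry reaching only 69.248.0.0 - 69.248.7.255, so the client in the 112 block never matches and falls through to the implicit deny, while the fixed entry covers 69.248.112.0 - 69.248.127.255 and permits only port 22011; a 255.255.0.0 mask is what it takes to admit the whole 69.248.0.0 - 69.248.255.255 range.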
 
llyodsev:

Thanks for all your help. I understand networking, but with Cisco I'm still a noob. Actually the 69. network was just for demonstration. I would allow a whole set of IPs from someone else.

Today we're going live with this product, so either I'll be here crying that I have problems or I'll be jumping for joy!
 
Well, we'll be here to help if ya need anything.

Computer/Network Technician
CCNA
 