This posting is mainly for myself, so I have a reference when I come back to configure this firewall. I am not a Cisco person. This is not the whole story here, just highlights for me. Please do not take any of this as golden, as it is just notes for me and may be incorrect at this time.
I had to configure a Cisco PIX the other day; it was set up for NATting. Now I had to add NTP and DNS access.
So I assumed I would have to set up an access list and assign it.
However, in doing this I broke existing connectivity.
It appears that by setting up global NATting, the firewall then allows all access via this NAT.
When I applied my access list to allow connectivity to the new service, it actually stopped existing access.
So by applying the access rule, it stopped the default all-access and only allowed access to the rules I had set up. To get service back I had to either unbind the access list, which restored the all-access, or add the rules as and when (my preferred option).
Set up named objects:
  name <ip> <name>
Set up an object-group:
  object-group network <object group name>
  description <description>
  network-object host <name, as configured with the name command>
Set up the access-list (early versions of PIX only allow numbered (id) access lists):
  access-list <acl id> permit <protocol> any object-group <object group name> eq <port>
Bind the ACL to the interface:
  access-group <acl id> in interface inside
Global NAT (applies to all traffic):
  global (outside) 1 <start ext ip range>-<finish ext ip range> netmask 255.255.255.0
  nat (inside) 1 0.0.0.0 0.0.0.0 0 0
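Putting the pieces above together, here is an added example of the whole sequence (my own illustration, not copied from any PIX config). The server addresses, external range and the assumed existing web traffic are made up; the point is that once the access-group is bound, anything not listed in the ACL is dropped, so the existing flows must be listed alongside the new NTP and DNS rules.

```cisco
! Added example; addresses and names are assumed for illustration.
! Named hosts used by the object-groups
name 192.0.2.10 ntp-server
name 192.0.2.53 dns-server
! Group the servers that the new rules should reach
object-group network ntp-servers
  description external NTP servers
  network-object host ntp-server
object-group network dns-servers
  description external DNS servers
  network-object host dns-server
! Once an access-group is bound to "inside", the implicit permit that
! came with the global/nat pair is gone: anything not listed is dropped.
! So the list must also carry the existing flows (web browsing assumed here).
access-list 101 permit udp any object-group ntp-servers eq 123
access-list 101 permit udp any object-group dns-servers eq 53
access-list 101 permit tcp any any eq 80
access-list 101 permit tcp any any eq 443
! Bind the list to the inside interface (inbound from the LAN)
access-group 101 in interface inside
! Global NAT: all inside hosts are translated to the external range
global (outside) 1 203.0.113.10-203.0.113.20 netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
```

Before binding the access-group, check with `show access-list 101` that every flow you still need has a permit line; after binding, hit counts on those lines confirm the existing traffic is matching.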