https://community.cisco.com/t5/network-security/pix-525-help/m-p/170324#M600546 <P>I'm trying to get access for a server (Webserv3) in a DMZ from the internet. This is the first server I'm trying to get to from the outside. Also I'm trying to limit some of the PC's on inside networks from the internet. I think the problem is with the ACL but I'm not sure. Please respond here I'm not near my mail much.</P><P></P><P>PIX Version 6.3(1)</P><P>interface ethernet0 auto</P><P>interface ethernet1 100full</P><P>interface ethernet2 auto</P><P>interface ethernet3 auto</P><P>interface ethernet4 100full</P><P>interface ethernet5 100full</P><P>nameif ethernet0 outside security0</P><P>nameif ethernet1 inside security100</P><P>nameif ethernet2 DMZ1 security30</P><P>nameif ethernet3 DMZ2 security40</P><P>nameif ethernet4 Failover security25</P><P>nameif ethernet5 State security20</P><P>enable password encrypted</P><P>passwd encrypted</P><P>hostname Pix1(Primary)</P><P>domain-name dandh.com</P><P>clock timezone EST -5</P><P>clock summer-time EDT recurring</P><P>fixup protocol ftp 21</P><P>fixup protocol h323 h225 1720</P><P>fixup protocol h323 ras 1718-1719</P><P>fixup protocol http 80</P><P>fixup protocol ils 389</P><P>fixup protocol rsh 514</P><P>fixup protocol rtsp 554</P><P>fixup protocol sip 5060</P><P>fixup protocol sip udp 5060</P><P>fixup protocol skinny 2000</P><P>fixup protocol smtp 25</P><P>fixup protocol sqlnet 1521</P><P>names</P><P>name 1.0.0.253 Exchange</P><P>name 192.168.1.203 Webapp2</P><P>name 192.168.1.202 Webapp1</P><P>name 192.168.1.102 Webserv1</P><P>name 192.168.1.103 Webserv2</P><P>name 192.168.1.222 Message</P><P>name 192.168.1.204 Webapp3</P><P>name 192.168.1.104 Webserv3</P><P>object-group network Webappservers</P><P> description Web App Servers on DMZ2</P><P> network-object Webapp1 255.255.255.255</P><P> network-object Webapp2 255.255.255.255</P><P> network-object Webapp3 255.255.255.255</P><P>object-group service Mail tcp</P><P> description Mail Protocols</P><P> port-object eq pop3</P><P> port-object eq smtp</P><P>object-group service FTPGroup tcp</P><P> port-object eq ftp-data</P><P> port-object eq ftp</P><P>object-group network Webservers</P><P> description Web Servers on DMZ1</P><P> network-object Webserv1 255.255.255.255</P><P> network-object Webserv2 255.255.255.255</P><P> network-object Webserv3 255.255.255.255</P><P>object-group service RPCFlaw tcp-udp</P><P> description Microsoft RPC flaw</P><P> port-object eq 4444</P><P> port-object eq 69</P><P> port-object eq 445</P><P> port-object range 135 139</P><P>object-group service Web_Access tcp-udp</P><P> port-object eq 80</P><P>access-list outside_access_in deny tcp xxx.xxx.xxx.32 255.255.255.224 object-group</P><P> RPCFlaw 1.0.0.0 255.0.0.0 object-group RPCFlaw</P><P>access-list outside_access_in permit tcp any host Message eq smtp</P><P>access-list outside_access_in permit tcp any host Message eq pop3</P><P>access-list outside_access_in permit tcp any host Webserv1 eq ftp</P><P>access-list outside_access_in permit icmp any any</P><P>access-list outside_access_in permit tcp any host xx.xx.xx.55</P><P>access-list outside_access_in2DMZ1 permit tcp any host xx.xx.xx.55</P><P>access-list 101 permit ip 1.0.0.0 255.0.0.0 1.150.150.0 255.255.255.0</P><P>access-list 101 permit ip 1.0.0.0 255.0.0.0 1.150.151.0 255.255.255.0</P><P>access-list outside_cryptomap_dyn_30 permit ip any 1.150.150.0 255.255.255.0</P><P>access-list outside_cryptomap_dyn_30 permit ip any 1.150.151.0 255.255.255.0</P><P>access-list inside_access_out permit ip host 172.21.1.1 any</P><P>access-list inside_access_out permit ip 172.21.29.0 255.255.255.0 any</P><P>access-list inside_access_out deny ip 172.21.0.0 255.255.0.0 any</P><P>access-list inside_access_out permit ip host 172.24.1.1 any</P><P>access-list inside_access_out permit ip 172.24.29.0 255.255.255.0 any</P><P>access-list inside_access_out deny ip 172.24.0.0 255.255.0.0 any</P><P>access-list inside_access_out permit ip host 172.28.1.1 any</P><P>access-list inside_access_out permit ip 172.28.29.0 255.255.255.0 any</P><P>access-list inside_access_out deny ip 172.28.0.0 255.255.0.0 any</P><P>access-list inside_access_out permit ip host 172.29.1.1 any</P><P>access-list inside_access_out permit ip 172.29.29.0 255.255.255.0 any</P><P>access-list inside_access_out deny ip 172.29.0.0 255.255.0.0 any</P><P>access-list inside_access_out permit ip host 172.30.1.1 any</P><P>access-list inside_access_out permit ip 172.30.29.0 255.255.255.0 any</P><P>access-list inside_access_out deny ip 172.30.0.0 255.255.0.0 any</P><P>access-list inside_access_out permit ip host 172.36.1.1 any</P><P>access-list inside_access_out permit ip 172.36.29.0 255.255.255.0 any</P><P>access-list inside_access_out permit ip 1.0.0.0 255.0.0.0 any</P><P>access-list inside_access_out permit ip host 192.168.5.1 any</P><P>access-list inside_access_out permit ip 192.168.5.0 255.255.255.192 any</P><P>access-list inside_access_out deny ip 192.168.5.0 255.255.255.0 any</P><P>access-list inside_access_out permit ip host Webserv3 any</P><P>access-list inside_access_out permit icmp any any</P><P>access-list inside_access_out deny ip 172.36.0.0 255.255.0.0 any</P><P>access-list inside_access_out_DMZ1 permit icmp any any</P><P>access-list inside_access_out_DMZ1 permit tcp any host xx.xx.xx.55</P><P>pager lines 24</P><P>logging on</P><P>mtu outside 1500</P><P>mtu inside 1500</P><P>mtu DMZ1 1500</P><P>mtu DMZ2 1500</P><P>mtu Failover 1500</P><P>mtu State 1500</P><P>ip address outside xx.xxx.xx.50 255.255.255.224</P><P>ip address inside 1.0.1.254 255.0.0.0</P><P>ip address DMZ1 192.168.1.100 255.255.255.240</P><P>ip address DMZ2 192.168.1.200 255.255.255.240</P><P>ip address Failover 192.168.2.100 255.255.255.248</P><P>ip address State 192.168.2.202 255.255.255.248</P><P>ip audit info action alarm</P><P>ip audit attack action alarm</P><P>ip local pool vpnpool1 1.150.150.1-1.150.150.254</P><P>ip local pool vpnpool 1.150.151.0-1.150.151.255</P><P>failover</P><P>failover timeout 0:00:00</P><P>failover poll 15</P><P>failover replication http</P><P>failover ip address outside xx.xx.xx.51</P><P>failover ip address inside 1.0.3.254</P><P>failover ip address DMZ1 192.168.1.101</P><P>failover ip address DMZ2 192.168.1.201</P><P>failover ip address Failover 192.168.2.101</P><P>failover ip address State 192.168.2.201</P><P>failover link Failover</P><P>failover lan unit primary</P><P>failover lan interface Failover</P><P>failover lan key ********</P><P>failover lan enable</P><P>pdm location 1.10.4.167 255.255.255.255 inside</P><P>&lt; Some PDM Stuff Deleted&gt;</P><P>pdm group Webservers DMZ1</P><P>pdm logging critical 100</P><P>pdm history enable</P><P>arp timeout 14400</P><P>global (outside) 4 xx.xx.xx.36</P><P>global (outside) 5 xx.xx.xx.60</P><P>global (outside) 6 xx.xx.xx.61</P><P>global (outside) 1 xx.xx.xx.52</P><P>global (outside) 5 xx.xx.xx.55</P><P>global (DMZ1) 3 192.168.1.101-192.168.1.122 netmask 255.255.255.224</P><P>global (DMZ2) 2 192.168.1.201-Message netmask 255.255.255.224</P><P>nat (inside) 0 access-list 101</P><P>nat (inside) 1 192.168.5.0 255.255.255.192 0 0</P><P>nat (inside) 1 172.21.0.0 255.255.0.0 0 0</P><P>nat (inside) 1 172.24.0.0 255.255.0.0 0 0</P><P>nat (inside) 1 172.28.0.0 255.255.0.0 0 0</P><P>nat (inside) 1 172.29.0.0 255.255.0.0 0 0</P><P>nat (inside) 1 172.30.0.0 255.255.0.0 0 0</P><P>nat (inside) 1 1.0.0.0 255.0.0.0 0 0</P><P>nat (DMZ1) 4 Webserv1 255.255.255.255 0 0</P><P>nat (DMZ1) 6 Webserv2 255.255.255.255 0 0</P><P>nat (DMZ1) 5 Webserv3 255.255.255.255 0 0</P><P>nat (DMZ2) 0 192.168.1.210 255.255.255.255 0 0</P><P>nat (DMZ2) 7 Message 255.255.255.255 0 0</P><P>static (DMZ2,DMZ1) Webapp1 Webapp1 netmask 255.255.255.255 0 0</P><P>static (DMZ2,DMZ1) Webapp2 Webapp2 netmask 255.255.255.255 0 0</P><P>static (inside,outside) xx.xx.xx.49 Message netmask 255.255.255.255 0 0</P><P>static (DMZ2,outside) xx.xx.xx.56 Message netmask 255.255.255.255 0 0</P><P>static (inside,DMZ1) xx.xx.xx.55 Webserv3 netmask 255.255.255.255 0 0</P><P>static (inside,outside) xx.xx.xx.55 Webserv3 netmask 255.255.255.255 0 0</P><P>static (DMZ1,outside) xx.xx.xx.55 Webserv3 netmask 255.255.255.255 0 0</P><P>access-group outside_access_in in interface outside</P><P>access-group inside_access_out in interface inside</P><P>access-group inside_access_out_DMZ1 in interface DMZ1</P><P>route outside 0.0.0.0 0.0.0.0 xx.xx.xx.35 1</P><P>route DMZ1 Webserv3 255.255.255.255 xx.xx.xx.35 1</P><P>timeout xlate 3:00:00</P><P>timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00</P><P>timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00</P><P>timeout uauth 0:05:00 absolute</P><P>aaa-server TACACS+ protocol tacacs+</P><P>aaa-server RADIUS protocol radius</P><P>aaa-server LOCAL protocol local</P><P>http server enable</P><P>http 1.0.0.0 255.0.0.0 inside</P><P>no snmp-server location</P><P>no snmp-server contact</P><P>snmp-server community public</P><P>no snmp-server enable traps</P><P>floodguard enable</P><P>sysopt connection permit-ipsec</P><P>sysopt connection permit-pptp</P><P>crypto ipsec transform-set myset esp-des esp-md5-hmac</P><P>crypto dynamic-map dynmap 10 set transform-set myset</P><P>crypto map mymap 10 ipsec-isakmp dynamic dynmap</P><P>crypto map mymap interface outside</P><P>isakmp enable outside</P><P>isakmp identity address</P><P>isakmp nat-traversal 20</P><P>isakmp policy 10 authentication pre-share</P><P>isakmp policy 10 encryption des</P><P>isakmp policy 10 hash md5</P><P>isakmp policy 10 group 2</P><P>isakmp policy 10 lifetime 86400</P><P>vpngroup vpnwvr address-pool vpnpool</P><P>vpngroup vpnwvr dns-server xx.xx.xx.72</P><P>vpngroup vpnwvr wins-server 1.4.1.1</P><P>vpngroup vpnwvr idle-time 1800</P><P>vpngroup vpnwvr password ********</P><P>vpngroup dandh address-pool vpnpool1</P><P>vpngroup dandh dns-server xx.xx.xx.72</P><P>vpngroup dandh wins-server 1.4.1.1</P><P>vpngroup dandh default-domain D-H_Domain</P><P>vpngroup dandh idle-time 1800</P><P>vpngroup dandh password ********</P><P>telnet 1.0.0.0 255.0.0.0 inside</P><P>telnet timeout 20</P><P>ssh 0.0.0.0 0.0.0.0 outside</P><P>ssh timeout 5</P><P>console timeout 0</P><P>terminal width 80</P><P>banner login "Warning: Unauthorized access to this system is forbidden and will</P><P>be prosecuted by law. By accessing this system, you agree that your actions may</P><P>be monitored if unauthorized usage is suspected."</P><P>Cryptochecksum:</P><P>: end</P><P>Pix1(Primary)(config)#</P><P></P> Fri, 21 Feb 2020 06:56:38 GMT james.brockman 2020-02-21T06:56:38Z https://community.cisco.com/t5/network-security/pix-525-help/m-p/170324#M600546 <P>I'm trying to get access for a server (Webserv3) in a DMZ from the internet. This is the first server I'm trying to get to from the outside. Also I'm trying to limit some of the PC's on inside networks from the internet. I think the problem is with the ACL but I'm not sure. Please respond here I'm not near my mail much.</P><P></P><P>PIX Version 6.3(1)</P><P>interface ethernet0 auto</P><P>interface ethernet1 100full</P><P>interface ethernet2 auto</P><P>interface ethernet3 auto</P><P>interface ethernet4 100full</P><P>interface ethernet5 100full</P><P>nameif ethernet0 outside security0</P><P>nameif ethernet1 inside security100</P><P>nameif ethernet2 DMZ1 security30</P><P>nameif ethernet3 DMZ2 security40</P><P>nameif ethernet4 Failover security25</P><P>nameif ethernet5 State security20</P><P>enable password encrypted</P><P>passwd encrypted</P><P>hostname Pix1(Primary)</P><P>domain-name dandh.com</P><P>clock timezone EST -5</P><P>clock summer-time EDT recurring</P><P>fixup protocol ftp 21</P><P>fixup protocol h323 h225 1720</P><P>fixup protocol h323 ras 1718-1719</P><P>fixup protocol http 80</P><P>fixup protocol ils 389</P><P>fixup protocol rsh 514</P><P>fixup protocol rtsp 554</P><P>fixup protocol sip 5060</P><P>fixup protocol sip udp 5060</P><P>fixup protocol skinny 2000</P><P>fixup protocol smtp 25</P><P>fixup protocol sqlnet 1521</P><P>names</P><P>name 1.0.0.253 Exchange</P><P>name 192.168.1.203 Webapp2</P><P>name 192.168.1.202 Webapp1</P><P>name 192.168.1.102 Webserv1</P><P>name 192.168.1.103 Webserv2</P><P>name 192.168.1.222 Message</P><P>name 192.168.1.204 Webapp3</P><P>name 192.168.1.104 Webserv3</P><P>object-group network Webappservers</P><P> description Web App Servers on DMZ2</P><P> network-object Webapp1 255.255.255.255</P><P> network-object Webapp2 255.255.255.255</P><P> network-object Webapp3 255.255.255.255</P><P>object-group service Mail tcp</P><P> description Mail Protocols</P><P> port-object eq pop3</P><P> port-object eq smtp</P><P>object-group service FTPGroup tcp</P><P> port-object eq ftp-data</P><P> port-object eq ftp</P><P>object-group network Webservers</P><P> description Web Servers on DMZ1</P><P> network-object Webserv1 255.255.255.255</P><P> network-object Webserv2 255.255.255.255</P><P> network-object Webserv3 255.255.255.255</P><P>object-group service RPCFlaw tcp-udp</P><P> description Microsoft RPC flaw</P><P> port-object eq 4444</P><P> port-object eq 69</P><P> port-object eq 445</P><P> port-object range 135 139</P><P>object-group service Web_Access tcp-udp</P><P> port-object eq 80</P><P>access-list outside_access_in deny tcp xxx.xxx.xxx.32 255.255.255.224 object-group</P><P> RPCFlaw 1.0.0.0 255.0.0.0 object-group RPCFlaw</P><P>access-list outside_access_in permit tcp any host Message eq smtp</P><P>access-list outside_access_in permit tcp any host Message eq pop3</P><P>access-list outside_access_in permit tcp any host Webserv1 eq ftp</P><P>access-list outside_access_in permit icmp any any</P><P>access-list outside_access_in permit tcp any host xx.xx.xx.55</P><P>access-list outside_access_in2DMZ1 permit tcp any host xx.xx.xx.55</P><P>access-list 101 permit ip 1.0.0.0 255.0.0.0 1.150.150.0 255.255.255.0</P><P>access-list 101 permit ip 1.0.0.0 255.0.0.0 1.150.151.0 255.255.255.0</P><P>access-list outside_cryptomap_dyn_30 permit ip any 1.150.150.0 255.255.255.0</P><P>access-list outside_cryptomap_dyn_30 permit ip any 1.150.151.0 255.255.255.0</P><P>access-list inside_access_out permit ip host 172.21.1.1 any</P><P>access-list inside_access_out permit ip 172.21.29.0 255.255.255.0 any</P><P>access-list inside_access_out deny ip 172.21.0.0 255.255.0.0 any</P><P>access-list inside_access_out permit ip host 172.24.1.1 any</P><P>access-list inside_access_out permit ip 172.24.29.0 255.255.255.0 any</P><P>access-list inside_access_out deny ip 172.24.0.0 255.255.0.0 any</P><P>access-list inside_access_out permit ip host 172.28.1.1 any</P><P>access-list inside_access_out permit ip 172.28.29.0 255.255.255.0 any</P><P>access-list inside_access_out deny ip 172.28.0.0 255.255.0.0 any</P><P>access-list inside_access_out permit ip host 172.29.1.1 any</P><P>access-list inside_access_out permit ip 172.29.29.0 255.255.255.0 any</P><P>access-list inside_access_out deny ip 172.29.0.0 255.255.0.0 any</P><P>access-list inside_access_out permit ip host 172.30.1.1 any</P><P>access-list inside_access_out permit ip 172.30.29.0 255.255.255.0 any</P><P>access-list inside_access_out deny ip 172.30.0.0 255.255.0.0 any</P><P>access-list inside_access_out permit ip host 172.36.1.1 any</P><P>access-list inside_access_out permit ip 172.36.29.0 255.255.255.0 any</P><P>access-list inside_access_out permit ip 1.0.0.0 255.0.0.0 any</P><P>access-list inside_access_out permit ip host 192.168.5.1 any</P><P>access-list inside_access_out permit ip 192.168.5.0 255.255.255.192 any</P><P>access-list inside_access_out deny ip 192.168.5.0 255.255.255.0 any</P><P>access-list inside_access_out permit ip host Webserv3 any</P><P>access-list inside_access_out permit icmp any any</P><P>access-list inside_access_out deny ip 172.36.0.0 255.255.0.0 any</P><P>access-list inside_access_out_DMZ1 permit icmp any any</P><P>access-list inside_access_out_DMZ1 permit tcp any host xx.xx.xx.55</P><P>pager lines 24</P><P>logging on</P><P>mtu outside 1500</P><P>mtu inside 1500</P><P>mtu DMZ1 1500</P><P>mtu DMZ2 1500</P><P>mtu Failover 1500</P><P>mtu State 1500</P><P>ip address outside xx.xxx.xx.50 255.255.255.224</P><P>ip address inside 1.0.1.254 255.0.0.0</P><P>ip address DMZ1 192.168.1.100 255.255.255.240</P><P>ip address DMZ2 192.168.1.200 255.255.255.240</P><P>ip address Failover 192.168.2.100 255.255.255.248</P><P>ip address State 192.168.2.202 255.255.255.248</P><P>ip audit info action alarm</P><P>ip audit attack action alarm</P><P>ip local pool vpnpool1 1.150.150.1-1.150.150.254</P><P>ip local pool vpnpool 1.150.151.0-1.150.151.255</P><P>failover</P><P>failover timeout 0:00:00</P><P>failover poll 15</P><P>failover replication http</P><P>failover ip address outside xx.xx.xx.51</P><P>failover ip address inside 1.0.3.254</P><P>failover ip address DMZ1 192.168.1.101</P><P>failover ip address DMZ2 192.168.1.201</P><P>failover ip address Failover 192.168.2.101</P><P>failover ip address State 192.168.2.201</P><P>failover link Failover</P><P>failover lan unit primary</P><P>failover lan interface Failover</P><P>failover lan key ********</P><P>failover lan enable</P><P>pdm location 1.10.4.167 255.255.255.255 inside</P><P>&lt; Some PDM Stuff Deleted&gt;</P><P>pdm group Webservers DMZ1</P><P>pdm logging critical 100</P><P>pdm history enable</P><P>arp timeout 14400</P><P>global (outside) 4 xx.xx.xx.36</P><P>global (outside) 5 xx.xx.xx.60</P><P>global (outside) 6 xx.xx.xx.61</P><P>global (outside) 1 xx.xx.xx.52</P><P>global (outside) 5 xx.xx.xx.55</P><P>global (DMZ1) 3 192.168.1.101-192.168.1.122 netmask 255.255.255.224</P><P>global (DMZ2) 2 192.168.1.201-Message netmask 255.255.255.224</P><P>nat (inside) 0 access-list 101</P><P>nat (inside) 1 192.168.5.0 255.255.255.192 0 0</P><P>nat (inside) 1 172.21.0.0 255.255.0.0 0 0</P><P>nat (inside) 1 172.24.0.0 255.255.0.0 0 0</P><P>nat (inside) 1 172.28.0.0 255.255.0.0 0 0</P><P>nat (inside) 1 172.29.0.0 255.255.0.0 0 0</P><P>nat (inside) 1 172.30.0.0 255.255.0.0 0 0</P><P>nat (inside) 1 1.0.0.0 255.0.0.0 0 0</P><P>nat (DMZ1) 4 Webserv1 255.255.255.255 0 0</P><P>nat (DMZ1) 6 Webserv2 255.255.255.255 0 0</P><P>nat (DMZ1) 5 Webserv3 255.255.255.255 0 0</P><P>nat (DMZ2) 0 192.168.1.210 255.255.255.255 0 0</P><P>nat (DMZ2) 7 Message 255.255.255.255 0 0</P><P>static (DMZ2,DMZ1) Webapp1 Webapp1 netmask 255.255.255.255 0 0</P><P>static (DMZ2,DMZ1) Webapp2 Webapp2 netmask 255.255.255.255 0 0</P><P>static (inside,outside) xx.xx.xx.49 Message netmask 255.255.255.255 0 0</P><P>static (DMZ2,outside) xx.xx.xx.56 Message netmask 255.255.255.255 0 0</P><P>static (inside,DMZ1) xx.xx.xx.55 Webserv3 netmask 255.255.255.255 0 0</P><P>static (inside,outside) xx.xx.xx.55 Webserv3 netmask 255.255.255.255 0 0</P><P>static (DMZ1,outside) xx.xx.xx.55 Webserv3 netmask 255.255.255.255 0 0</P><P>access-group outside_access_in in interface outside</P><P>access-group inside_access_out in interface inside</P><P>access-group inside_access_out_DMZ1 in interface DMZ1</P><P>route outside 0.0.0.0 0.0.0.0 xx.xx.xx.35 1</P><P>route DMZ1 Webserv3 255.255.255.255 xx.xx.xx.35 1</P><P>timeout xlate 3:00:00</P><P>timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00</P><P>timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00</P><P>timeout uauth 0:05:00 absolute</P><P>aaa-server TACACS+ protocol tacacs+</P><P>aaa-server RADIUS protocol radius</P><P>aaa-server LOCAL protocol local</P><P>http server enable</P><P>http 1.0.0.0 255.0.0.0 inside</P><P>no snmp-server location</P><P>no snmp-server contact</P><P>snmp-server community public</P><P>no snmp-server enable traps</P><P>floodguard enable</P><P>sysopt connection permit-ipsec</P><P>sysopt connection permit-pptp</P><P>crypto ipsec transform-set myset esp-des esp-md5-hmac</P><P>crypto dynamic-map dynmap 10 set transform-set myset</P><P>crypto map mymap 10 ipsec-isakmp dynamic dynmap</P><P>crypto map mymap interface outside</P><P>isakmp enable outside</P><P>isakmp identity address</P><P>isakmp nat-traversal 20</P><P>isakmp policy 10 authentication pre-share</P><P>isakmp policy 10 encryption des</P><P>isakmp policy 10 hash md5</P><P>isakmp policy 10 group 2</P><P>isakmp policy 10 lifetime 86400</P><P>vpngroup vpnwvr address-pool vpnpool</P><P>vpngroup vpnwvr dns-server xx.xx.xx.72</P><P>vpngroup vpnwvr wins-server 1.4.1.1</P><P>vpngroup vpnwvr idle-time 1800</P><P>vpngroup vpnwvr password ********</P><P>vpngroup dandh address-pool vpnpool1</P><P>vpngroup dandh dns-server xx.xx.xx.72</P><P>vpngroup dandh wins-server 1.4.1.1</P><P>vpngroup dandh default-domain D-H_Domain</P><P>vpngroup dandh idle-time 1800</P><P>vpngroup dandh password ********</P><P>telnet 1.0.0.0 255.0.0.0 inside</P><P>telnet timeout 20</P><P>ssh 0.0.0.0 0.0.0.0 outside</P><P>ssh timeout 5</P><P>console timeout 0</P><P>terminal width 80</P><P>banner login "Warning: Unauthorized access to this system is forbidden and will</P><P>be prosecuted by law. By accessing this system, you agree that your actions may</P><P>be monitored if unauthorized usage is suspected."</P><P>Cryptochecksum:</P><P>: end</P><P>Pix1(Primary)(config)#</P><P></P> Fri, 21 Feb 2020 06:56:38 GMT https://community.cisco.com/t5/network-security/pix-525-help/m-p/170324#M600546 james.brockman 2020-02-21T06:56:38Z https://community.cisco.com/t5/network-security/pix-525-help/m-p/170325#M600547 <HTML><HEAD></HEAD><BODY><P>in your acl outside access in, you only allow ftp to webserv3. add a line for tcp port 80 to allow web traffic. does it run a ftp daemon? have you been able to connect to it from the outside?</P></BODY></HTML> Wed, 20 Aug 2003 13:29:45 GMT https://community.cisco.com/t5/network-security/pix-525-help/m-p/170325#M600547 mostiguy 2003-08-20T13:29:45Z https://community.cisco.com/t5/network-security/pix-525-help/m-p/170326#M600548 <HTML><HEAD></HEAD><BODY><P>I have a ACL </P><P>access-list outside_access_in permit tcp any host XX.XX.XX.55</P><P>that references the server I'm trying to get to from the outside. I have not been able to get to it from outside but I can see it from inside.</P></BODY></HTML> Wed, 20 Aug 2003 13:50:41 GMT https://community.cisco.com/t5/network-security/pix-525-help/m-p/170326#M600548 james.brockman 2003-08-20T13:50:41Z https://community.cisco.com/t5/network-security/pix-525-help/m-p/170327#M600549 <HTML><HEAD></HEAD><BODY><P>Hello James -</P><P></P><P>Please check this URL(page 5).</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/warp/public/cc/pd/fw/sqfw500/tech/pixcg_cg.pdf" target="_blank">http://www.cisco.com/warp/public/cc/pd/fw/sqfw500/tech/pixcg_cg.pdf</A> </P><P></P><P>Thanks -</P></BODY></HTML> Wed, 20 Aug 2003 14:10:33 GMT https://community.cisco.com/t5/network-security/pix-525-help/m-p/170327#M600549 jmia 2003-08-20T14:10:33Z https://community.cisco.com/t5/network-security/pix-525-help/m-p/170328#M600550 <HTML><HEAD></HEAD><BODY><P>Thanks for the reply.</P><P>This example uses conduits instead of access lists I thought conduits were replaced with access lists? Is there an updated artical? Should I use conduits?</P><P></P><P></P><P>James</P></BODY></HTML> Wed, 20 Aug 2003 16:48:30 GMT https://community.cisco.com/t5/network-security/pix-525-help/m-p/170328#M600550 james.brockman 2003-08-20T16:48:30Z https://community.cisco.com/t5/network-security/pix-525-help/m-p/170329#M600551 <HTML><HEAD></HEAD><BODY><P>access-lists are the future. conduits still work, but might be unsupported in a future version. you access-list look fine - I missed that permit tcp any line.</P><P></P><P>Aha - try this - I think your access-list applied to the dmz is wrong. Try removing it. I think your source is any, destination is xxxxxx.55, and it needs to be flipped - you want to allow source of xxxx.55, with destination any</P></BODY></HTML> Wed, 20 Aug 2003 17:12:38 GMT https://community.cisco.com/t5/network-security/pix-525-help/m-p/170329#M600551 mostiguy 2003-08-20T17:12:38Z