https://community.cisco.com/t5/network-security/pix-access-list-101-denies-unix-trafic/m-p/81848#M661493 <HTML><HEAD></HEAD><BODY><P>a</P></BODY></HTML> Wed, 17 Jul 2002 14:53:24 GMT cweatherford 2002-07-17T14:53:24Z https://community.cisco.com/t5/network-security/pix-access-list-101-denies-unix-trafic/m-p/81846#M661462 <P>Has anyone ever seen unix trafic (vai reflections or telnet) be denied when thew following line is in your config:</P><P>access-list 101 permit ip any any</P><P>When the line bellow is in unix is ok but MSN messenger and other such programs need no authentication:</P><P>access-list 101 permit tcp any any eq www</P><P>Do I have a routing problem?</P><P>Thanks!</P> Fri, 21 Feb 2020 06:09:58 GMT https://community.cisco.com/t5/network-security/pix-access-list-101-denies-unix-trafic/m-p/81846#M661462 cweatherford 2020-02-21T06:09:58Z https://community.cisco.com/t5/network-security/pix-access-list-101-denies-unix-trafic/m-p/81847#M661473 <HTML><HEAD></HEAD><BODY><P>We need way more information than this. Where are the Unix servers, and where are the clients located (what PIX interface)? Do you see anything in the PIX syslog when the connection is denied to indicate the traffic is dropped? Can you forward the PIX config (remove any password lines and change IP addresses if you like) and then detail exactly what isn't working?</P><P></P><P>Is access-list 101 used for authentication, or for allowing access through the PIX?</P></BODY></HTML> Wed, 17 Jul 2002 02:39:27 GMT https://community.cisco.com/t5/network-security/pix-access-list-101-denies-unix-trafic/m-p/81847#M661473 gfullage 2002-07-17T02:39:27Z https://community.cisco.com/t5/network-security/pix-access-list-101-denies-unix-trafic/m-p/81848#M661493 <HTML><HEAD></HEAD><BODY><P>a</P></BODY></HTML> Wed, 17 Jul 2002 14:53:24 GMT https://community.cisco.com/t5/network-security/pix-access-list-101-denies-unix-trafic/m-p/81848#M661493 cweatherford 2002-07-17T14:53:24Z https://community.cisco.com/t5/network-security/pix-access-list-101-denies-unix-trafic/m-p/81849#M661532 <HTML><HEAD></HEAD><BODY><P>Pix 520 6.2(1)</P><P>The Unix server and clients are inside the firewall. The clients have host files but all of the ip's are internal. When I change this line I see the following in the syslog- "2002-07-16 00:54:16 UTC,Local0.Error,10.***.***.***,Jul 15 2002 18:49:40: %PIX-3-109013: User must authenticate before using this service.</P><P> </P><P>As soon as I change this line: access-list 101 permit tcp any any eq www (which only asks for authentication through browsers)</P><P>to: access-list 101 permit ip any any (which will ask for authenication for anything passing through the pix)</P><P> </P><P>Yes, we have everyone authenticate before going out to the internet.</P><P> </P><P></P><P>PIX Version 6.2(1)</P><P>nameif ethernet0 outside security0</P><P>nameif ethernet1 inside security100</P><P>nameif ethernet2 ras security50</P><P>nameif ethernet3 dmz security10</P><P>enable password encrypted</P><P>passwd encrypted</P><P>hostname pix</P><P>fixup protocol ftp 21</P><P>fixup protocol http 80</P><P>fixup protocol h323 h225 1720</P><P>fixup protocol h323 ras 1718-1719</P><P>fixup protocol ils 389</P><P>fixup protocol rsh 514</P><P>fixup protocol rtsp 554</P><P>fixup protocol smtp 25</P><P>fixup protocol sqlnet 1521</P><P>fixup protocol sip 5060</P><P>fixup protocol skinny 2000</P><P>no names</P><P>access-list 101 deny tcp host 10. any</P><P>access-list 101 deny tcp host 10.any</P><P>access-list 101 deny tcp host 10. any</P><P>access-list 101 deny tcp host 10.110 any</P><P>access-list 101 deny tcp host 10.110 any</P><P>access-list 101 deny tcp host 10.110any</P><P>access-list 101 deny tcp host 10.110 any</P><P>access-list 101 deny tcp host 10.110 any</P><P>access-list 101 deny tcp host 10.110 any</P><P>access-list 101 deny tcp host 10.110 any</P><P>access-list 101 deny tcp host 10.110 any</P><P>access-list 101 permit tcp any any eq www</P><P>pager lines 23</P><P>logging on</P><P>logging timestamp</P><P>logging buffered debugging</P><P>logging trap errors</P><P>logging facility 16</P><P>logging host inside </P><P>logging host inside </P><P>interface ethernet0 auto</P><P>interface ethernet1 auto</P><P>interface ethernet2 auto</P><P>interface ethernet3 auto</P><P>mtu outside 1500</P><P>mtu inside 1500</P><P>mtu ras 1500</P><P>mtu dmz 1500</P><P>ip address outside 255.255.255.224</P><P>ip address inside 255.0.0.0</P><P>ip address ras 255.255.0.0</P><P>ip address dmz 255.255.255.0</P><P>ip audit info action alarm</P><P>ip audit attack action alarm</P><P>no failover</P><P>failover timeout 0:00:00</P><P>failover poll 15</P><P>failover ip address outside 0.0.0.0</P><P>failover ip address inside 0.0.0.0</P><P>failover ip address ras 0.0.0.0</P><P>failover ip address dmz 0.0.0.0</P><P>pdm history enable</P><P>arp timeout 14400</P><P>global (outside) 1 netmask 255.255.255.224</P><P>global (ras) 1 netmask 255.255.0.0</P><P>global (dmz) 1 netmask 255.255.255.0</P><P>nat (inside) 1 0.0.0.0 0.0.0.0 0 0</P><P>nat (ras) 1 0.0.0.0 0.0.0.0 0 0</P><P>nat (dmz) 1 0.0.0.0 0.0.0.0 0 0</P><P>static (dmz,outside) netmask 255.255.255.255 0 0</P><P>static (dmz,outside) netmask 255.255.255.255 0 0</P><P>static (inside,ras) netmask 255.255.255.0 0 0</P><P>static (inside,ras) netmask 255.255.255.0 0 0</P><P>static (inside,ras) netmask 255.255.255.255 0 0</P><P>static (inside,ras) netmask 255.255.255.255 0 0</P><P>static (inside,dmz) 192.netmask 255.255.255.255 0 0</P><P>conduit permit icmp any any</P><P>conduit permit tcp any 172. 255.255.0.0</P><P>conduit permit udp host 12. eq dnsix any</P><P>conduit permit tcp host 12. eq domain any</P><P>conduit permit udp host 12 eq domain any</P><P>conduit permit tcp host 12.eq smtp any</P><P>conduit permit tcp host 12.q smtp any</P><P>conduit permit tcp host 12.eq domain any</P><P>conduit permit udp host 12.eq domain any</P><P>conduit permit udp host 12.eq dnsix any</P><P>conduit permit udp host 12.eq nameserver any</P><P>conduit permit udp host 12.eq nameserver any</P><P>conduit permit icmp any any echo-reply</P><P>conduit permit icmp any any unreachable</P><P>conduit permit icmp any any time-exceeded</P><P>conduit permit icmp any any parameter-problem</P><P>conduit permit icmp any any echo</P><P>conduit permit tcp host 192 eq smtp host 192.</P><P>conduit permit tcp host 192. eq smtp host 192.</P><P>route outside 0.0.0.0 0.0.0.0 12.28.0.1 1</P><P>timeout xlate 3:00:00</P><P>timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 si</P><P>p 0:30:00 sip_media 0:02:00</P><P>timeout uauth 0:00:00 absolute uauth 1:00:00 inactivity</P><P>aaa-server TACACS+ protocol tacacs+</P><P>aaa-server TACACS+ (inside) host 10. timeout 5</P><P>aaa-server RADIUS protocol radius</P><P>aaa-server LOCAL protocol local</P><P>aaa-server attack protocol tacacs+</P><P>aaa-server attack (inside) host 10. timeout 5</P><P>aaa authentication match 101 inside attack</P><P>aaa authorization match 101 inside attack</P><P>no snmp-server location</P><P>no snmp-server contact</P><P>snmp-server community public</P><P>no snmp-server enable traps</P><P>tftp-server inside 10.\</P><P>floodguard enable</P><P>no sysopt route dnat</P><P>auth-prompt prompt "Company Access"</P><P>telnet 10..0.0.0 inside</P><P>telnet 10.0.0.0 ras</P><P>telnet 10..0.0.0 dmz</P><P>telnet timeout 15</P><P>ssh timeout 5</P><P>terminal width 80</P><P>Cryptochecksum:</P><P>: end</P><P>[OK]</P><P>pixfirewall#</P><P></P></BODY></HTML> Wed, 17 Jul 2002 14:54:59 GMT https://community.cisco.com/t5/network-security/pix-access-list-101-denies-unix-trafic/m-p/81849#M661532 cweatherford 2002-07-17T14:54:59Z