https://community.cisco.com/t5/network-security/5505-vlan-to-vlan-access/m-p/979423#M940767 <HTML><HEAD></HEAD><BODY><P>Hi, </P><P> thanks for looking at the config. I made the change as you suggested and I still had the same problem. Looking further into it I discovered that iptables on the target host was turned on and blocking all non ssh acess. (This is a new server that the hosting company just setup) Turning off the responsible iptables rules on the linux box solved the problem.</P><P></P><P>thanks again,</P><P></P><P>-alan</P></BODY></HTML> Wed, 19 Mar 2008 14:30:29 GMT cisco.com 2008-03-19T14:30:29Z https://community.cisco.com/t5/network-security/5505-vlan-to-vlan-access/m-p/979419#M940757 <P>I have a 5505 with the base license. I have a dmz and an internal network. I chose to have the internal network to be blocked from initiating connections to the dmz. I only need dmz machines to initiate connections to the internal network. I can ssh from the dmz to the internal network successfully. But I cannot initiate any other tcp traffic from the dmz to the internal net. After reading various documents, it is my understanding that I should be able to have the dmz (as I've set it up) to initiate any connection to the internal net but not the other way around. I am new with the 5505 - if you need me the post the config, can you please explain how? </P><P></P><P>thanks in advance</P><P></P><P>-alan</P> Mon, 11 Mar 2019 12:19:16 GMT https://community.cisco.com/t5/network-security/5505-vlan-to-vlan-access/m-p/979419#M940757 cisco.com 2019-03-11T12:19:16Z https://community.cisco.com/t5/network-security/5505-vlan-to-vlan-access/m-p/979420#M940759 <HTML><HEAD></HEAD><BODY><P>Here is the output of </P><P>show running-config</P><P>I've replaced some items with XXX</P><P></P><P></P><P></P><P></P><P> </P><P></P></BODY></HTML> Tue, 18 Mar 2008 17:15:56 GMT https://community.cisco.com/t5/network-security/5505-vlan-to-vlan-access/m-p/979420#M940759 cisco.com 2008-03-18T17:15:56Z https://community.cisco.com/t5/network-security/5505-vlan-to-vlan-access/m-p/979421#M940762 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P> I think the problem is in the access lists, there are mismatch between the ip addresses of interfaces and the access list parameters, like in the dmz_access_in ACL :</P><P>access-list dmz_access_in extended permit tcp 172.16.241.0 255.255.255.0 172.31.241.0 255.255.255.0 </P><P></P><P>it should be</P><P>access-list dmz_access_in extended permit tcp 172.16.241.0 255.255.255.0 172.31.241.0 255.255.255.0</P><P></P><P>the case is true for other ACLs. this mismatch means that the traffic that is not permited by the ACLs will be discarded. change this and check.</P><P></P><P>regards</P></BODY></HTML> Wed, 19 Mar 2008 12:41:35 GMT https://community.cisco.com/t5/network-security/5505-vlan-to-vlan-access/m-p/979421#M940762 alanajjar 2008-03-19T12:41:35Z https://community.cisco.com/t5/network-security/5505-vlan-to-vlan-access/m-p/979422#M940765 <HTML><HEAD></HEAD><BODY><P>Sorry, the correction shouldbe </P><P>it should be </P><P>access-list dmz_access_in extended permit tcp 172.16.0.0 255.255.255.0 172.31.0.0 255.255.255.0 </P><P></P><P>regards</P></BODY></HTML> Wed, 19 Mar 2008 12:56:39 GMT https://community.cisco.com/t5/network-security/5505-vlan-to-vlan-access/m-p/979422#M940765 alanajjar 2008-03-19T12:56:39Z https://community.cisco.com/t5/network-security/5505-vlan-to-vlan-access/m-p/979423#M940767 <HTML><HEAD></HEAD><BODY><P>Hi, </P><P> thanks for looking at the config. I made the change as you suggested and I still had the same problem. Looking further into it I discovered that iptables on the target host was turned on and blocking all non ssh acess. (This is a new server that the hosting company just setup) Turning off the responsible iptables rules on the linux box solved the problem.</P><P></P><P>thanks again,</P><P></P><P>-alan</P></BODY></HTML> Wed, 19 Mar 2008 14:30:29 GMT https://community.cisco.com/t5/network-security/5505-vlan-to-vlan-access/m-p/979423#M940767 cisco.com 2008-03-19T14:30:29Z