PIX 515: Help adding a line to the access list

salixcapital
Level 1

Hi, I need to open a port on a PIX 515.

Please can someone explain what I should be entering including the commands.


For the purposes of the explanation (so I can understand it) I've given the different elements the following IPs:

Port = PPPPP

Destination IP that the machines on my network will be contacting: XXX.XXX.XXX.XXX

The workstation on my network: YYY.YYY.YYY.YYY

PIX IP: ZZZ.ZZZ.ZZZ.ZZZ

I have logged onto the PIX via Hyperterminal.

Thanks for your help.

19 Replies

Are you seeing hits on the rule in your ACL applied to the inside interface?

How does the software work? i.e. is it a normal client/server app, or does it do something funny like try to initiate a connection back to your clients?

Have you spoken to the company hosting the software to see if they can see requests coming from your public IP ?

My previous question about general internet access was to make sure NAT is setup correctly. Perhaps you could post the NAT config ?

Jon

PIX# show NAT

nat (inside) 0 access-list inside_outbound_nat0_acl

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

nat (DMZ) 1 10.10.0.0 255.255.255.0 0 0

PIX(config)# show access-list inside_outbound_nat0_acl

access-list inside_outbound_nat0_acl turbo-configured; 1 elements

access-list inside_outbound_nat0_acl line 1 permit ip 10.10.0.0 255.255.255.0 10.10.0.0 255.255.255.0 (hitcnt=110)

Is show NAT the right command?

salixcapital wrote:

PIX# show NAT

nat (inside) 0 access-list inside_outbound_nat0_acl

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

nat (DMZ) 1 10.10.0.0 255.255.255.0 0 0

PIX(config)# show access-list inside_outbound_nat0_acl

access-list inside_outbound_nat0_acl turbo-configured; 1 elements

access-list inside_outbound_nat0_acl line 1 permit ip 10.10.0.0 255.255.255.0 10.10.0.0 255.255.255.0 (hitcnt=110)

Is show NAT the right command?

Yes, as long as you have something like -

global (outside) 1 interface or

global (outside) 1

Jon

So does that look correct in my case?

Will I just post the entire 'write term'?

It looks fine. Can your internal users access internet web sites?

Other than that you can run debug on the pix to see if the packet is leaving your pix and if you are receiving anything in return eg.

debug packet outside dst   <-- this should show you packets leaving your pix when an internal client tries to connect to the remote server

debug packet outside src   <-- this should show you packets arriving at the outside interface of your pix from the remote server

However be careful with debug. You don't want to run it during peak hours, best to test out of core hours.

Jon
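For readers landing on this thread with the same question, the following is an added example configuration (not posted by anyone in the thread) that ties together the pieces discussed above: the outbound NAT/global pair, a single least-privilege ACL line for the port, and the hit-counter check Jon asked about. It assumes PIX 6.x syntax, an inside-interface ACL named inside_access_in (a hypothetical name), TCP for the application, and the PPPPP / XXX.XXX.XXX.XXX / YYY.YYY.YYY.YYY placeholders from the original question.

```text
! Added example, not the PIX config from this thread. Assumes PIX 6.x syntax
! and an ACL on the inside interface named inside_access_in (hypothetical
! name). PPPPP, XXX.XXX.XXX.XXX and YYY.YYY.YYY.YYY are the placeholders from
! the question and must be replaced with the real port and addresses.
!
! 1. Outbound NAT/PAT: inside hosts are translated to the outside interface
!    address. The nat line is the one already shown in the thread; the global
!    line is the matching half Jon referred to.
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 interface
!
! 2. Permit only the one workstation to the one destination on the one port.
!    An ACL applied to an interface ends in an implicit deny, so a host-to-host
!    rule opens exactly what the application needs and nothing else.
!    (TCP assumed; use udp instead if the application uses UDP.)
access-list inside_access_in permit tcp host YYY.YYY.YYY.YYY host XXX.XXX.XXX.XXX eq PPPPP
!
! 3. Apply the ACL inbound on the inside interface (a no-op if it is already
!    applied; new access-list lines are appended to the existing list).
access-group inside_access_in in interface inside
!
! 4. Verify: the hitcnt on the new line should increase when the workstation
!    tries to connect. If it stays at 0, the packet is either not reaching the
!    PIX or is being matched by an earlier line in the list.
show access-list inside_access_in
!
! 5. Confirm a translation was built for that connection through nat/global 1.
show xlate
```

Keep the rule to a single host and port rather than `permit ip any any`; if the vendor later needs more ports, add further explicit lines and re-check the hit counters the same way.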
