PIX Config help

jwebber
Level 1

I have a web server in dmz2 (192.168.11.200). Currently the web server cannot initiate any traffic to our LAN on 192.168.1.0. I need to allow this web server to initiate traffic to 192.168.1.46 on ports 1801 and 1433. No matter what I try, I cannot get it to work.

If anyone can tell me what I need to change I would appreciate it. I have attached my config. Thanks.

Jim

4 Replies

scoclayton
Level 7

access-list dmz2-out permit tcp host 192.168.11.200 host 192.168.1.46 eq 1801

access-list dmz2-out permit tcp host 192.168.11.200 host 192.168.1.46 eq 1433

should do the trick. Let us know.

Scott

Scott,

Thanks for the reply. I think I know where I may be having my issue. Should both those statements go before

access-list dmz2-out deny ip any 192.168.1.0 255.255.255.0

I had tried both those statements, but access-list dmz2-out deny ip any 192.168.1.0 255.255.255.0 came first.

Jim

thisisshanky
Level 11

Jim

Your ACL dmz2-out doesn't seem to have those ports 1801 and 1433 listed. Also, your ACL is configured wrong. The first line denies all traffic going to the 192.168.1.0 subnet.

access-list dmz2-out deny ip any 192.168.1.0 255.255.255.0 <--- denies everything to 192.168.1.0

access-list dmz2-out deny ip any 192.168.10.0 255.255.255.0

access-list dmz2-out deny ip any 192.168.12.0 255.255.255.0

access-list dmz2-out permit tcp host 192.168.11.200 any eq ftp

access-list dmz2-out permit tcp host 192.168.11.200 any eq www

access-list dmz2-out permit udp host 192.168.11.200 any eq domain

access-list dmz2-out permit tcp host 192.168.11.200 any eq domain

access-list dmz2-out permit tcp host 192.168.11.200 any eq https

You should configure it as follows

access-list dmz2-out permit tcp host 192.168.11.200 any eq ftp

access-list dmz2-out permit tcp host 192.168.11.200 any eq www

access-list dmz2-out permit udp host 192.168.11.200 any eq domain

access-list dmz2-out permit tcp host 192.168.11.200 any eq domain

access-list dmz2-out permit tcp host 192.168.11.200 any eq https

access-list dmz2-out permit tcp host 192.168.11.200 any eq 1801

access-list dmz2-out permit tcp host 192.168.11.200 any eq 1433

There is an implicit deny at the end of any access-list, so you don't have to specifically deny the rest of the traffic. Just permit what is needed; the PIX will take care of denying the rest.

HTH

Sankar.

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus
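To make the first-match and implicit-deny behaviour described above concrete, here is a small Python evaluator written for this page (it is example code, not anything from the thread or from Cisco). It assumes PIX access-lists are evaluated top to bottom with the first matching line deciding the verdict and an implicit deny after the last line, and it only understands the address forms used in this thread (host A.B.C.D, any, NET MASK); the ACL texts below are constructed from the lines posted in the thread.

```python
import ipaddress
# Added example (not PIX code): first-match evaluator for PIX-style
# "access-list NAME permit|deny PROTO SRC DST [eq PORT]" lines plus the implicit deny.
PORT_NAMES = {"ftp": 21, "www": 80, "https": 443, "domain": 53}

def _addr(tokens):
    """Pop one address spec off tokens and return it as an ip_network."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)  # NET MASK form

def parse_acl(text):
    """Turn access-list lines into (action, proto, src_net, dst_net, dport_or_None) tuples."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue  # skip blank or non-ACL lines
        action, proto, rest = t[2], t[3], t[4:]
        src, dst = _addr(rest), _addr(rest)
        port = (PORT_NAMES.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else None
        rules.append((action, proto, src, dst, port))
    return rules

def evaluate(rules, proto, src, dst, dport):
    """First matching rule wins; returns (action, rule_index). No match -> implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, (action, rproto, rsrc, rdst, rport) in enumerate(rules):
        if rproto not in ("ip", proto) or s not in rsrc or d not in rdst:
            continue
        if rport is not None and rport != dport:
            continue
        return action, i
    return "deny", None

# Constructed ACLs: Jim's ordering (deny first) versus Sankar's (permits only).
ORIGINAL = """
access-list dmz2-out deny ip any 192.168.1.0 255.255.255.0
access-list dmz2-out permit tcp host 192.168.11.200 host 192.168.1.46 eq 1801
"""
FIXED = """
access-list dmz2-out permit tcp host 192.168.11.200 any eq 1801
access-list dmz2-out permit tcp host 192.168.11.200 any eq 1433
"""

def web_to_lan(acl_text, dport):
    """Verdict for the DMZ web server (192.168.11.200) reaching 192.168.1.46 on dport."""
    return evaluate(parse_acl(acl_text), "tcp", "192.168.11.200", "192.168.1.46", dport)
```

With ORIGINAL the permit on line 2 is never reached because the deny on line 1 already matched; with FIXED ports 1801 and 1433 are permitted and anything else (for example port 22) falls through to the implicit deny.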

Sankar,

Thanks for the reply and the help. I now see what was causing me my grief.

Jim
